From 5e9e6627ac74295b311786d4acec1520b46b3105 Mon Sep 17 00:00:00 2001
From: Vijay Anusuri <vanusuri@mvista.com>
Date: Tue, 31 Oct 2023 09:57:34 +0530
Subject: tiff: CVE patch correction for CVE-2023-3576

- The commit [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
fixes CVE-2023-3576
- Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch
- Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576
             https://security-tracker.debian.org/tracker/CVE-2023-3618

(From OE-Core rev: 56088368bdd22a939b813c7aefd5ba475c6d4021)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libtiff/files/CVE-2023-3576.patch              | 35 ++++++++++++++++
 .../libtiff/files/CVE-2023-3618-1.patch            | 34 ----------------
 .../libtiff/files/CVE-2023-3618-2.patch            | 47 ----------------------
 .../libtiff/files/CVE-2023-3618.patch              | 47 ++++++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb      |  4 +-
 5 files changed, 84 insertions(+), 83 deletions(-)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch

(limited to 'meta')

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
new file mode 100644
index 0000000000..67837fe142
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
@@ -0,0 +1,35 @@
+From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 7 Mar 2023 15:02:08 +0800
+Subject: [PATCH] Fix memory leak in tiffcrop.c
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
+CVE: CVE-2023-3576
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tools/tiffcrop.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f14bb0c..7121c7c 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7746,8 +7746,13 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ 
+   read_buff = *read_buff_ptr;
+ 
++  /* Memory is freed before crop_buff_ptr is overwritten */
++    if (*crop_buff_ptr != NULL)
++    {
++	_TIFFfree(*crop_buff_ptr);
++    }
++
+   /* process full image, no crop buffer needed */
+-  crop_buff = read_buff;
+   *crop_buff_ptr = read_buff;
+   crop->combined_width = image->width;
+   crop->combined_length = image->length;
+-- 
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
deleted file mode 100644
index 35ed852519..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
-From: zhailiangliang <zhailiangliang@loongson.cn>
-Date: Tue, 7 Mar 2023 15:02:08 +0800
-Subject: [PATCH] Fix memory leak in tiffcrop.c
-
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
-CVE: CVE-2023-3618
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- tools/tiffcrop.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index f14bb0c..7121c7c 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -7746,8 +7746,13 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
- 
-   read_buff = *read_buff_ptr;
- 
-+  /* Memory is freed before crop_buff_ptr is overwritten */
-+    if (*crop_buff_ptr != NULL)
-+    {
-+	_TIFFfree(*crop_buff_ptr);
-+    }
-+
-   /* process full image, no crop buffer needed */
--  crop_buff = read_buff;
-   *crop_buff_ptr = read_buff;
-   crop->combined_width = image->width;
-   crop->combined_length = image->length;
--- 
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch
deleted file mode 100644
index fd67305c0b..0000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
-From: Su_Laus <sulau@freenet.de>
-Date: Fri, 5 May 2023 19:43:46 +0200
-Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
-
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8]
-CVE: CVE-2023-3618
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- tools/tiffcrop.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 7121c7c..93b7f96 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -2437,9 +2437,15 @@ main(int argc, char* argv[])
-         {  /* Whole image or sections not based on output page size */
-         if (crop.selections > 0)
-           {
--	  writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
--                          mp, argv[argc - 1], &next_page, total_pages);
--          }
-+             if (writeSelections(in, &out, &crop, &image, &dump,
-+                                 seg_buffs, mp, argv[argc - 1],
-+                                 &next_page, total_pages))
-+              {
-+                TIFFError("main",
-+                          "Unable to write new image selections");
-+                exit(EXIT_FAILURE);
-+              }
-+	  }
- 	else  /* One file all images and sections */
-           {
- 	  if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1],
-@@ -7749,7 +7755,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
-   /* Memory is freed before crop_buff_ptr is overwritten */
-     if (*crop_buff_ptr != NULL)
-     {
--	_TIFFfree(*crop_buff_ptr);
-+       _TIFFfree(*crop_buff_ptr);
-     }
- 
-   /* process full image, no crop buffer needed */
--- 
-2.25.1
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch
new file mode 100644
index 0000000000..fd67305c0b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch
@@ -0,0 +1,47 @@
+From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 5 May 2023 19:43:46 +0200
+Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 7121c7c..93b7f96 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2437,9 +2437,15 @@ main(int argc, char* argv[])
+         {  /* Whole image or sections not based on output page size */
+         if (crop.selections > 0)
+           {
+-	  writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
+-                          mp, argv[argc - 1], &next_page, total_pages);
+-          }
++             if (writeSelections(in, &out, &crop, &image, &dump,
++                                 seg_buffs, mp, argv[argc - 1],
++                                 &next_page, total_pages))
++              {
++                TIFFError("main",
++                          "Unable to write new image selections");
++                exit(EXIT_FAILURE);
++              }
++	  }
+ 	else  /* One file all images and sections */
+           {
+ 	  if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1],
+@@ -7749,7 +7755,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   /* Memory is freed before crop_buff_ptr is overwritten */
+     if (*crop_buff_ptr != NULL)
+     {
+-	_TIFFfree(*crop_buff_ptr);
++       _TIFFfree(*crop_buff_ptr);
+     }
+ 
+   /* process full image, no crop buffer needed */
+-- 
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 6df4244697..d27381b4cd 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -43,8 +43,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-26966.patch \
            file://CVE-2023-2908.patch \
            file://CVE-2023-3316.patch \
-           file://CVE-2023-3618-1.patch \
-           file://CVE-2023-3618-2.patch \
+           file://CVE-2023-3576.patch \
+           file://CVE-2023-3618.patch \
           "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
-- 
cgit v1.2.3-54-g00ecf