tiff: fix CVE-2025-9900

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.[EOL][EOL]By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9900 Upstream patch: https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99 (From OE-Core rev: f4e5cdeccee02d3ea78db91d5dfdcfd017c40ee0) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2025-09-30 13:49:25 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-10-03 09:51:17 -0700
commit: 15dd68bda1a70ce8b95e442f794951bfe3a54b3a (patch)
tree: 9091c4ae9f8ae40a8dd60cd7afc50e008e421f91
parent: 9c9c70625270baeb44b75d4f12b266758eb9cd38 (diff)
download: poky-15dd68bda1a70ce8b95e442f794951bfe3a54b3a.tar.gz
2 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
new file mode 100644
index 0000000000..9199cc6090
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
@@ -0,0 +1,57 @@
+From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+CVE: CVE-2025-9900
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99]
+Changes-
+- Use old API TIFFWarningExt instead of TIFFWarningExtR.
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a9cd48f..4c807ad 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
+                "No \"put\" routine setupl; probably can not handle image format");
+                return (0);
+     }
+    /* Verify raster width and height against image width and height. */
+    if (h > img->height)
+    {
+        /* Adapt parameters to read only available lines and put image at
+         * the bottom of the raster. */
+        raster += (size_t)(h - img->height) * w;
+        h = img->height;
+    }
+    if (w > img->width)
+    {
+        TIFFWarningExt(img->tif, TIFFFileName(img->tif),
+                        "Raster width of %d shall not be larger than image "
+                        "width of %d -> raster width adapted for reading",
+                        w, img->width);
+        w = img->width;
+    }
+     return (*img->get)(img, raster, w, h);
+ }
+@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+        if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+                img.req_orientation = (uint16_t)orientation;
+-               /* XXX verify rwidth and rheight against width and height */
+-               ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+-                       rwidth, img.height);
+        ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+                TIFFRGBAImageEnd(&img);
+        } else {
+                TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 6db4d80cdf..0b4bef4c41 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -62,6 +62,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2024-13978.patch \
           file://CVE-2025-8534.patch \
           file://CVE-2025-8851.patch \
+           file://CVE-2025-9900.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Yogita Urade <yogita.urade@windriver.com>	2025-09-30 13:49:25 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-10-03 09:51:17 -0700
commit	15dd68bda1a70ce8b95e442f794951bfe3a54b3a (patch)
tree	9091c4ae9f8ae40a8dd60cd7afc50e008e421f91
parent	9c9c70625270baeb44b75d4f12b266758eb9cd38 (diff)
download	poky-15dd68bda1a70ce8b95e442f794951bfe3a54b3a.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch new file mode 100644 index 0000000000..9199cc6090 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
@@ -0,0 +1,57 @@
		1	From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001
		2	From: Su Laus <sulau@freenet.de>
		3	Date: Wed, 11 Jun 2025 19:45:19 +0000
		4	Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
		5	rows at TIFFReadRGBAImageOriented()
		6
		7	CVE: CVE-2025-9900
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99]
		9
		10	Changes-
		11	- Use old API TIFFWarningExt instead of TIFFWarningExtR.
		12
		13	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		14	---
		15	libtiff/tif_getimage.c \| 20 +++++++++++++++++---
		16	1 file changed, 17 insertions(+), 3 deletions(-)
		17
		18	diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
		19	index a9cd48f..4c807ad 100644
		20	--- a/libtiff/tif_getimage.c
		21	+++ b/libtiff/tif_getimage.c
		22	@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
		23	"No \"put\" routine setupl; probably can not handle image format");
		24	return (0);
		25	}
		26	+ /* Verify raster width and height against image width and height. */
		27	+ if (h > img->height)
		28	+ {
		29	+ /* Adapt parameters to read only available lines and put image at
		30	+ * the bottom of the raster. */
		31	+ raster += (size_t)(h - img->height) * w;
		32	+ h = img->height;
		33	+ }
		34	+ if (w > img->width)
		35	+ {
		36	+ TIFFWarningExt(img->tif, TIFFFileName(img->tif),
		37	+ "Raster width of %d shall not be larger than image "
		38	+ "width of %d -> raster width adapted for reading",
		39	+ w, img->width);
		40	+ w = img->width;
		41	+ }
		42	return (*img->get)(img, raster, w, h);
		43	}
		44
		45	@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
		46
		47	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
		48	img.req_orientation = (uint16_t)orientation;
		49	- /* XXX verify rwidth and rheight against width and height */
		50	- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
		51	- rwidth, img.height);
		52	+ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
		53	TIFFRGBAImageEnd(&img);
		54	} else {
		55	TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
		56	--
		57	2.40.0


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 6db4d80cdf..0b4bef4c41 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -62,6 +62,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
62	file://CVE-2024-13978.patch \	62	file://CVE-2024-13978.patch \
63	file://CVE-2025-8534.patch \	63	file://CVE-2025-8534.patch \
64	file://CVE-2025-8851.patch \	64	file://CVE-2025-8851.patch \
		65	file://CVE-2025-9900.patch \
65	"	66	"
66		67
67	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	68	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"