tiff: Fix CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799

import patch from ubuntu to fix multiple CVEs http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.4.0-4ubuntu3.3.debian.tar.xz (From OE-Core rev: 7634c800819f23f0cb1676bf46efca19e9176df1) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2023-03-18 19:58:58 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-25 23:00:14 +0000
commit: 94178579022eb9b42556ee64af0f8c78102b85c1 (patch)
tree: e518761ab3fa30d0f8561c7d8cae7cfd3bd85f71
parent: 280fcacbb54c5cd7a450e86346a65c5bc75a5fba (diff)
download: poky-94178579022eb9b42556ee64af0f8c78102b85c1.tar.gz
2 files changed, 155 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
new file mode 100644
index 0000000000..926df680b3
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
@@ -0,0 +1,154 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 21 Feb 2023 14:26:43 +0100
+Subject: CVE-2023-0795
+This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
+CVE-2023-0799.
+Bug-Debian: https://bugs.debian.org/1031632
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
+CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
+Upstream-Status: Backport [import from ubuntu debian/patches/CVE-2023-0795.patch http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.4.0-4ubuntu3.3.debian.tar.xz ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+--- tiff-4.4.0.orig/tools/tiffcrop.c
+++ tiff-4.4.0/tools/tiffcrop.c
+@@ -269,7 +269,6 @@ struct  region {
+   uint32_t width;     /* width in pixels */
+   uint32_t length;    /* length in pixels */
+   uint32_t buffsize;  /* size of buffer needed to hold the cropped region */
+-  unsigned char *buffptr; /* address of start of the region */
+ };
+ 
+ /* Cropping parameters from command line and image data 
+@@ -524,7 +523,7 @@ static int rotateContigSamples24bits(uin
+ static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
+                                      uint32_t, uint32_t, uint8_t *, uint8_t *);
+ static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
+-                       unsigned char **);
+                       unsigned char **, int);
+ static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+                        unsigned char *);
+ static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+@@ -5219,7 +5218,6 @@ initCropMasks (struct crop_mask *cps)
+      cps->regionlist[i].width = 0;
+      cps->regionlist[i].length = 0;
+      cps->regionlist[i].buffsize = 0;
+-     cps->regionlist[i].buffptr = NULL;
+      cps->zonelist[i].position = 0;
+      cps->zonelist[i].total = 0;
+      }
+@@ -6551,8 +6549,13 @@ static int  correct_orientation(struct i
+                  (uint16_t) (image->adjustments & ROTATE_ANY));
+       return (-1);
+       }
+- 
+-    if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+
+      /* Dummy variable in order not to switch two times the
+       * image->width,->length within rotateImage(),
+       * but switch xres, yres there. */
+      uint32_t width = image->width;
+      uint32_t length = image->length;
+      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
+       {
+       TIFFError ("correct_orientation", "Unable to rotate image");
+       return (-1);
+@@ -6661,7 +6664,6 @@ extractCompositeRegions(struct image_dat
+     /* These should not be needed for composite images */
+     crop->regionlist[i].width = crop_width;
+     crop->regionlist[i].length = crop_length;
+-    crop->regionlist[i].buffptr = crop_buff;
+ 
+     src_rowsize = ((img_width * bps * spp) + 7) / 8;
+     dst_rowsize = (((crop_width * bps * count) + 7) / 8);
+@@ -6900,7 +6902,6 @@ extractSeparateRegion(struct image_data
+ 
+   crop->regionlist[region].width = crop_width;
+   crop->regionlist[region].length = crop_length;
+-  crop->regionlist[region].buffptr = crop_buff;
+ 
+   src = read_buff;
+   dst = crop_buff;
+@@ -7778,7 +7779,7 @@ processCropSelections(struct image_data
+     if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+       {
+       if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                      &crop->combined_length, &crop_buff))
+                      &crop->combined_length, &crop_buff, FALSE))
+         {
+         TIFFError("processCropSelections", 
+                   "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
+@@ -7888,7 +7889,7 @@ processCropSelections(struct image_data
+            * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
+            */
+        if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, 
+-                       &crop->regionlist[i].length, &crop_buff))
+                       &crop->regionlist[i].length, &crop_buff, FALSE))
+           {
+           TIFFError("processCropSelections", 
+                     "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
+@@ -8020,7 +8021,7 @@ createCroppedImage(struct image_data *im
+   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+     if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                    &crop->combined_length, crop_buff_ptr))
+                    &crop->combined_length, crop_buff_ptr, TRUE))
+       {
+       TIFFError("createCroppedImage", 
+                 "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
+@@ -8683,7 +8684,7 @@ rotateContigSamples32bits(uint16_t rotat
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+-            uint32_t *img_length, unsigned char **ibuff_ptr)
+            uint32_t *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+   {
+   int      shift_width;
+   uint32_t   bytes_per_pixel, bytes_per_sample;
+@@ -8874,11 +8875,15 @@ rotateImage(uint16_t rotation, struct im
+ 
+               *img_width = length;
+               *img_length = width;
+-              image->width = length;
+-              image->length = width;
+-              res_temp = image->xres;
+-              image->xres = image->yres;
+-              image->yres = res_temp;
+            /* Only toggle image parameters if whole input image is rotated. */
+            if (rot_image_params)
+            {
+                image->width = length;
+                image->length = width;
+                res_temp = image->xres;
+                image->xres = image->yres;
+                image->yres = res_temp;
+            }
+              break;
+ 
+     case 270: if ((bps % 8) == 0) /* byte aligned data */
+@@ -8951,11 +8956,15 @@ rotateImage(uint16_t rotation, struct im
+ 
+               *img_width = length;
+               *img_length = width;
+-              image->width = length;
+-              image->length = width;
+-              res_temp = image->xres;
+-              image->xres = image->yres;
+-              image->yres = res_temp;
+            /* Only toggle image parameters if whole input image is rotated. */
+            if (rot_image_params)
+            {
+                image->width = length;
+                image->length = width;
+                res_temp = image->xres;
+                image->xres = image->yres;
+                image->yres = res_temp;
+            }
+               break;
+     default:
+               break;
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
index 3b42dbe4a5..9df3c5a015 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
           file://CVE-2022-48281.patch \
           file://CVE-2023-0800_0801_0802_0803_0804.patch \
+           file://CVE-2023-0795_0796_0797_0798_0799.patch \
           "
 SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
author	Chee Yang Lee <chee.yang.lee@intel.com>	2023-03-18 19:58:58 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-25 23:00:14 +0000
commit	94178579022eb9b42556ee64af0f8c78102b85c1 (patch)
tree	e518761ab3fa30d0f8561c7d8cae7cfd3bd85f71
parent	280fcacbb54c5cd7a450e86346a65c5bc75a5fba (diff)
download	poky-94178579022eb9b42556ee64af0f8c78102b85c1.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch new file mode 100644 index 0000000000..926df680b3 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
@@ -0,0 +1,154 @@
		1	From: Markus Koschany <apo@debian.org>
		2	Date: Tue, 21 Feb 2023 14:26:43 +0100
		3	Subject: CVE-2023-0795
		4
		5	This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
		6	CVE-2023-0799.
		7
		8	Bug-Debian: https://bugs.debian.org/1031632
		9	Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
		10
		11	CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
		12	Upstream-Status: Backport [import from ubuntu debian/patches/CVE-2023-0795.patch http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.4.0-4ubuntu3.3.debian.tar.xz ]
		13	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		14	---
		15	tools/tiffcrop.c \| 51 ++++++++++++++++++++++++++++++---------------------
		16	1 file changed, 30 insertions(+), 21 deletions(-)
		17
		18	--- tiff-4.4.0.orig/tools/tiffcrop.c
		19	+++ tiff-4.4.0/tools/tiffcrop.c
		20	@@ -269,7 +269,6 @@ struct region {
		21	uint32_t width; /* width in pixels */
		22	uint32_t length; /* length in pixels */
		23	uint32_t buffsize; /* size of buffer needed to hold the cropped region */
		24	- unsigned char buffptr; / address of start of the region */
		25	};
		26
		27	/* Cropping parameters from command line and image data
		28	@@ -524,7 +523,7 @@ static int rotateContigSamples24bits(uin
		29	static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
		30	uint32_t, uint32_t, uint8_t , uint8_t );
		31	static int rotateImage(uint16_t, struct image_data , uint32_t , uint32_t *,
		32	- unsigned char **);
		33	+ unsigned char **, int);
		34	static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		35	unsigned char *);
		36	static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		37	@@ -5219,7 +5218,6 @@ initCropMasks (struct crop_mask *cps)
		38	cps->regionlist[i].width = 0;
		39	cps->regionlist[i].length = 0;
		40	cps->regionlist[i].buffsize = 0;
		41	- cps->regionlist[i].buffptr = NULL;
		42	cps->zonelist[i].position = 0;
		43	cps->zonelist[i].total = 0;
		44	}
		45	@@ -6551,8 +6549,13 @@ static int correct_orientation(struct i
		46	(uint16_t) (image->adjustments & ROTATE_ANY));
		47	return (-1);
		48	}
		49	-
		50	- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
		51	+
		52	+ /* Dummy variable in order not to switch two times the
		53	+ * image->width,->length within rotateImage(),
		54	+ * but switch xres, yres there. */
		55	+ uint32_t width = image->width;
		56	+ uint32_t length = image->length;
		57	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
		58	{
		59	TIFFError ("correct_orientation", "Unable to rotate image");
		60	return (-1);
		61	@@ -6661,7 +6664,6 @@ extractCompositeRegions(struct image_dat
		62	/* These should not be needed for composite images */
		63	crop->regionlist[i].width = crop_width;
		64	crop->regionlist[i].length = crop_length;
		65	- crop->regionlist[i].buffptr = crop_buff;
		66
		67	src_rowsize = ((img_width * bps * spp) + 7) / 8;
		68	dst_rowsize = (((crop_width * bps * count) + 7) / 8);
		69	@@ -6900,7 +6902,6 @@ extractSeparateRegion(struct image_data
		70
		71	crop->regionlist[region].width = crop_width;
		72	crop->regionlist[region].length = crop_length;
		73	- crop->regionlist[region].buffptr = crop_buff;
		74
		75	src = read_buff;
		76	dst = crop_buff;
		77	@@ -7778,7 +7779,7 @@ processCropSelections(struct image_data
		78	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		79	{
		80	if (rotateImage(crop->rotation, image, &crop->combined_width,
		81	- &crop->combined_length, &crop_buff))
		82	+ &crop->combined_length, &crop_buff, FALSE))
		83	{
		84	TIFFError("processCropSelections",
		85	"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
		86	@@ -7888,7 +7889,7 @@ processCropSelections(struct image_data
		87	* ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
		88	*/
		89	if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
		90	- &crop->regionlist[i].length, &crop_buff))
		91	+ &crop->regionlist[i].length, &crop_buff, FALSE))
		92	{
		93	TIFFError("processCropSelections",
		94	"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
		95	@@ -8020,7 +8021,7 @@ createCroppedImage(struct image_data *im
		96	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		97	{
		98	if (rotateImage(crop->rotation, image, &crop->combined_width,
		99	- &crop->combined_length, crop_buff_ptr))
		100	+ &crop->combined_length, crop_buff_ptr, TRUE))
		101	{
		102	TIFFError("createCroppedImage",
		103	"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
		104	@@ -8683,7 +8684,7 @@ rotateContigSamples32bits(uint16_t rotat
		105	/* Rotate an image by a multiple of 90 degrees clockwise */
		106	static int
		107	rotateImage(uint16_t rotation, struct image_data image, uint32_t img_width,
		108	- uint32_t img_length, unsigned char *ibuff_ptr)
		109	+ uint32_t img_length, unsigned char *ibuff_ptr, int rot_image_params)
		110	{
		111	int shift_width;
		112	uint32_t bytes_per_pixel, bytes_per_sample;
		113	@@ -8874,11 +8875,15 @@ rotateImage(uint16_t rotation, struct im
		114
		115	*img_width = length;
		116	*img_length = width;
		117	- image->width = length;
		118	- image->length = width;
		119	- res_temp = image->xres;
		120	- image->xres = image->yres;
		121	- image->yres = res_temp;
		122	+ /* Only toggle image parameters if whole input image is rotated. */
		123	+ if (rot_image_params)
		124	+ {
		125	+ image->width = length;
		126	+ image->length = width;
		127	+ res_temp = image->xres;
		128	+ image->xres = image->yres;
		129	+ image->yres = res_temp;
		130	+ }
		131	break;
		132
		133	case 270: if ((bps % 8) == 0) /* byte aligned data */
		134	@@ -8951,11 +8956,15 @@ rotateImage(uint16_t rotation, struct im
		135
		136	*img_width = length;
		137	*img_length = width;
		138	- image->width = length;
		139	- image->length = width;
		140	- res_temp = image->xres;
		141	- image->xres = image->yres;
		142	- image->yres = res_temp;
		143	+ /* Only toggle image parameters if whole input image is rotated. */
		144	+ if (rot_image_params)
		145	+ {
		146	+ image->width = length;
		147	+ image->length = width;
		148	+ res_temp = image->xres;
		149	+ image->xres = image->yres;
		150	+ image->yres = res_temp;
		151	+ }
		152	break;
		153	default:
		154	break;


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb index 3b42dbe4a5..9df3c5a015 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
19	file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \	19	file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
20	file://CVE-2022-48281.patch \	20	file://CVE-2022-48281.patch \
21	file://CVE-2023-0800_0801_0802_0803_0804.patch \	21	file://CVE-2023-0800_0801_0802_0803_0804.patch \
		22	file://CVE-2023-0795_0796_0797_0798_0799.patch \
22	"	23	"
23		24
24	SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"	25	SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"