libtiff: Add fix for tiffcrop CVE-2023-1916

Add fix for tiffcrop tool CVE-2023-1916 [1]. A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x. The tool is no longer part of newer libtiff distributions, hence the fix is rejected by upstream in [2]. The backport is still applicable to older versions of libtiff, pick the CVE fix from ubuntu 20.04 [3]. [1] https://nvd.nist.gov/vuln/detail/CVE-2023-1916 [2] https://gitlab.com/libtiff/libtiff/-/merge_requests/535 [3] https://packages.ubuntu.com/source/focal-updates/tiff (From OE-Core rev: 4d3e7f9a157e56a4a8ffb4d16fd6401a22851307) Signed-off-by: Marek Vasut <marex@denx.de> Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 && https://gitlab.com/libtiff/libtiff/-/merge_requests/535 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-10-16 14:09:59 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-10-21 05:21:36 -1000
commit: 24e9fed15ad702f1f3ab447e3e647cede9ebdea4 (patch)
tree: f7c4fa18526863b4355cbdfe86c275a45349a183
parent: f550a6316167d86ca401fa8e22baf316b5548ffd (diff)
download: poky-24e9fed15ad702f1f3ab447e3e647cede9ebdea4.tar.gz
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
new file mode 100644
index 0000000000..6722781a3a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
@@ -0,0 +1,99 @@
+From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Thu, 16 Mar 2023 16:16:54 +0800
+Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
+CVE: CVE-2023-1916
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 05ba4d2..8a08536 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5700,6 +5700,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+              crop->combined_width += (uint32_t)zwidth;
+            else
+              crop->combined_width = (uint32_t)zwidth;
+
+          /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                return -1;
+           }
+
+            break;
+       case EDGE_BOTTOM: /* width from left, zones from bottom to top */
+            zwidth = offsets.crop_width;
+@@ -5735,6 +5744,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+            else
+              crop->combined_length = (uint32_t)zlength;
+            crop->combined_width = (uint32_t)zwidth;
+
+          /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                return -1;
+           }
+
+            break;
+       case EDGE_RIGHT: /* zones from right to left, length from top */
+                  zlength = offsets.crop_length;
+@@ -5772,6 +5790,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+                          crop->combined_width += (uint32_t)zwidth;
+                  else
+                          crop->combined_width = (uint32_t)zwidth;
+
+               /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+                if (((crop->rotation == 90) || (crop->rotation == 270))
+                    && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+                {
+                    TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                    return -1;
+                }
+
+                  break;
+       case EDGE_TOP: /* width from left, zones from top to bottom */
+       default:
+@@ -5818,7 +5845,16 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+            else
+              crop->combined_length = (uint32_t)zlength;
+            crop->combined_width = (uint32_t)zwidth;
+-           break;
+
+          /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                return -1;
+           }
+
+          break;
+       } /* end switch statement */
+ 
+     buffsize = (uint32_t)
+@@ -7016,9 +7052,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+      * regardless of the way the data are organized in the input file.
+      * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
+      */
+-    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
+-    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
+-    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
+    img_rowsize = (((img_width * spp * bps) + 7) / 8);  /* row size in full bytes of source image */
+    full_bytes = (sect_width * spp * bps) / 8;          /* number of COMPLETE bytes per row in section */
+    trailing_bits = (sect_width * spp * bps) % 8;       /* trailing bits within the last byte of destination buffer */
+ 
+ #ifdef DEVELMODE
+     TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 9e1e6fa099..8ef98fe5d0 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-3618-2.patch \
           file://CVE-2023-26966.patch \
           file://CVE-2022-40090.patch \
+           file://CVE-2023-1916.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-10-16 14:09:59 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-10-21 05:21:36 -1000
commit	24e9fed15ad702f1f3ab447e3e647cede9ebdea4 (patch)
tree	f7c4fa18526863b4355cbdfe86c275a45349a183
parent	f550a6316167d86ca401fa8e22baf316b5548ffd (diff)
download	poky-24e9fed15ad702f1f3ab447e3e647cede9ebdea4.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch new file mode 100644 index 0000000000..6722781a3a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
@@ -0,0 +1,99 @@
		1	From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
		2	From: zhailiangliang <zhailiangliang@loongson.cn>
		3	Date: Thu, 16 Mar 2023 16:16:54 +0800
		4	Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
		5
		6	CVE: CVE-2023-1916
		7	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
		8	Signed-off-by: Marek Vasut <marex@denx.de>
		9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		10	---
		11	tools/tiffcrop.c \| 44 ++++++++++++++++++++++++++++++++++++++++----
		12	1 file changed, 40 insertions(+), 4 deletions(-)
		13
		14	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		15	index 05ba4d2..8a08536 100644
		16	--- a/tools/tiffcrop.c
		17	+++ b/tools/tiffcrop.c
		18	@@ -5700,6 +5700,15 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		19	crop->combined_width += (uint32_t)zwidth;
		20	else
		21	crop->combined_width = (uint32_t)zwidth;
		22	+
		23	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
		24	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
		25	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
		26	+ {
		27	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
		28	+ return -1;
		29	+ }
		30	+
		31	break;
		32	case EDGE_BOTTOM: /* width from left, zones from bottom to top */
		33	zwidth = offsets.crop_width;
		34	@@ -5735,6 +5744,15 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		35	else
		36	crop->combined_length = (uint32_t)zlength;
		37	crop->combined_width = (uint32_t)zwidth;
		38	+
		39	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
		40	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
		41	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
		42	+ {
		43	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
		44	+ return -1;
		45	+ }
		46	+
		47	break;
		48	case EDGE_RIGHT: /* zones from right to left, length from top */
		49	zlength = offsets.crop_length;
		50	@@ -5772,6 +5790,15 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		51	crop->combined_width += (uint32_t)zwidth;
		52	else
		53	crop->combined_width = (uint32_t)zwidth;
		54	+
		55	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
		56	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
		57	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
		58	+ {
		59	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
		60	+ return -1;
		61	+ }
		62	+
		63	break;
		64	case EDGE_TOP: /* width from left, zones from top to bottom */
		65	default:
		66	@@ -5818,7 +5845,16 @@ getCropOffsets(struct image_data image, struct crop_mask crop, struct dump_opt
		67	else
		68	crop->combined_length = (uint32_t)zlength;
		69	crop->combined_width = (uint32_t)zwidth;
		70	- break;
		71	+
		72	+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
		73	+ if (((crop->rotation == 90) \|\| (crop->rotation == 270))
		74	+ && ((crop->combined_length > image->width) \|\| (crop->combined_width > image->length)))
		75	+ {
		76	+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
		77	+ return -1;
		78	+ }
		79	+
		80	+ break;
		81	} /* end switch statement */
		82
		83	buffsize = (uint32_t)
		84	@@ -7016,9 +7052,9 @@ extractImageSection(struct image_data image, struct pageseg section,
		85	* regardless of the way the data are organized in the input file.
		86	* Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
		87	*/
		88	- img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
		89	- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
		90	- trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
		91	+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
		92	+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
		93	+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
		94
		95	#ifdef DEVELMODE
		96	TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
		97	--
		98	2.25.1
		99


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 9e1e6fa099..8ef98fe5d0 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
44	file://CVE-2023-3618-2.patch \	44	file://CVE-2023-3618-2.patch \
45	file://CVE-2023-26966.patch \	45	file://CVE-2023-26966.patch \
46	file://CVE-2022-40090.patch \	46	file://CVE-2022-40090.patch \
		47	file://CVE-2023-1916.patch \
47	"	48	"
48		49
49	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	50	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"