diff options
| author | Vijay Anusuri <vanusuri@mvista.com> | 2025-10-07 13:06:03 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-10-14 07:20:35 -0700 |
| commit | 4a1254610c532ed8f35f234151b4d0479d7e6a2a (patch) | |
| tree | c969f49904a8ebdc15f8d16c4506e6352c5cd692 | |
| parent | 4ef41425c679eff0492d70d1ff8dfda52b582df1 (diff) | |
| download | poky-4a1254610c532ed8f35f234151b4d0479d7e6a2a.tar.gz | |
tiff: Fix CVE-2025-8961
Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5
(From OE-Core rev: 8d956d80f0eae39f9de68c0cd5a361c69b47cda4)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch | 74 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 |
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch new file mode 100644 index 0000000000..05b11a866e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch | |||
| @@ -0,0 +1,74 @@ | |||
| 1 | From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Lee Howard <faxguy@howardsilvan.com> | ||
| 3 | Date: Fri, 5 Sep 2025 21:42:35 +0000 | ||
| 4 | Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue | ||
| 5 | #721 | ||
| 6 | |||
| 7 | Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5] | ||
| 8 | CVE: CVE-2025-8961 | ||
| 9 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 10 | --- | ||
| 11 | tools/tiffcrop.c | 8 +++++++- | ||
| 12 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
| 13 | |||
| 14 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c | ||
| 15 | index e16bc2d..c7d2553 100644 | ||
| 16 | --- a/tools/tiffcrop.c | ||
| 17 | +++ b/tools/tiffcrop.c | ||
| 18 | @@ -929,6 +929,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, | ||
| 19 | TIFFError("readContigTilesIntoBuffer", | ||
| 20 | "Unable to extract row %"PRIu32" from tile %"PRIu32, | ||
| 21 | row, TIFFCurrentTile(in)); | ||
| 22 | + _TIFFfree(tilebuf); | ||
| 23 | return 1; | ||
| 24 | } | ||
| 25 | break; | ||
| 26 | @@ -943,6 +944,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, | ||
| 27 | TIFFError("readContigTilesIntoBuffer", | ||
| 28 | "Unable to extract row %"PRIu32" from tile %"PRIu32, | ||
| 29 | row, TIFFCurrentTile(in)); | ||
| 30 | + _TIFFfree(tilebuf); | ||
| 31 | return 1; | ||
| 32 | } | ||
| 33 | break; | ||
| 34 | @@ -957,6 +959,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, | ||
| 35 | TIFFError("readContigTilesIntoBuffer", | ||
| 36 | "Unable to extract row %"PRIu32" from tile %"PRIu32, | ||
| 37 | row, TIFFCurrentTile(in)); | ||
| 38 | + _TIFFfree(tilebuf); | ||
| 39 | return 1; | ||
| 40 | } | ||
| 41 | break; | ||
| 42 | @@ -969,6 +972,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, | ||
| 43 | TIFFError("readContigTilesIntoBuffer", | ||
| 44 | "Unable to extract row %"PRIu32" from tile %"PRIu32, | ||
| 45 | row, TIFFCurrentTile(in)); | ||
| 46 | + _TIFFfree(tilebuf); | ||
| 47 | return 1; | ||
| 48 | } | ||
| 49 | break; | ||
| 50 | @@ -983,10 +987,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, | ||
| 51 | TIFFError("readContigTilesIntoBuffer", | ||
| 52 | "Unable to extract row %"PRIu32" from tile %"PRIu32, | ||
| 53 | row, TIFFCurrentTile(in)); | ||
| 54 | + _TIFFfree(tilebuf); | ||
| 55 | return 1; | ||
| 56 | } | ||
| 57 | break; | ||
| 58 | default: TIFFError("readContigTilesIntoBuffer", "Unsupported bit depth %"PRIu16, bps); | ||
| 59 | + _TIFFfree(tilebuf); | ||
| 60 | return 1; | ||
| 61 | } | ||
| 62 | } | ||
| 63 | @@ -2535,7 +2541,7 @@ main(int argc, char* argv[]) | ||
| 64 | } | ||
| 65 | |||
| 66 | /* If we did not use the read buffer as the crop buffer */ | ||
| 67 | - if (read_buff) | ||
| 68 | + if (read_buff && read_buff != crop_buff) | ||
| 69 | _TIFFfree(read_buff); | ||
| 70 | |||
| 71 | if (crop_buff) | ||
| 72 | -- | ||
| 73 | 2.25.1 | ||
| 74 | |||
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 0b4bef4c41..2ee6cdef73 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | |||
| @@ -63,6 +63,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ | |||
| 63 | file://CVE-2025-8534.patch \ | 63 | file://CVE-2025-8534.patch \ |
| 64 | file://CVE-2025-8851.patch \ | 64 | file://CVE-2025-8851.patch \ |
| 65 | file://CVE-2025-9900.patch \ | 65 | file://CVE-2025-9900.patch \ |
| 66 | file://CVE-2025-8961.patch \ | ||
| 66 | " | 67 | " |
| 67 | 68 | ||
| 68 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" | 69 | SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" |
