tiff: fix multiple CVEs

import patch from debian to fix CVE-2022-48281 http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.2.0-1+deb11u4.debian.tar.xz import patch from fedora to fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 https://src.fedoraproject.org/rpms/libtiff/c/91856895aadf3cce6353f40c2feef9bf0b486440 (From OE-Core rev: f2782b4cac461909cf432db13516e443fee8c3de) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit d9ce9b37236f5c16ffba4572ad720aeb50edeee9) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2023-03-02 13:26:06 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-20 17:20:44 +0000
commit: 857a8bdd9c98c71a4932ca7886f2c688c8668ccb (patch)
tree: 407517c674f4ab6ddf60d553281ac047d81b2cdd
parent: b7da7c8996257d3b249688744fb394f49168749c (diff)
download: poky-857a8bdd9c98c71a4932ca7886f2c688c8668ccb.tar.gz
3 files changed, 156 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch
new file mode 100644
index 0000000000..4f8dc35251
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch
@@ -0,0 +1,26 @@
+From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Sat, 21 Jan 2023 15:58:10 +0000
+Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.2.0-1+deb11u4.debian.tar.xz]
+CVE: CVE-2022-48281
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiffcrop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Index: tiff-4.2.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.2.0.orig/tools/tiffcrop.c
+++ tiff-4.2.0/tools/tiffcrop.c
+@@ -7516,7 +7516,7 @@ processCropSelections(struct image_data
+       crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+     else
+       {
+-      prev_cropsize = seg_buffs[0].size;
+      prev_cropsize = seg_buffs[1].size;
+       if (prev_cropsize < cropsize)
+         {
+         next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch
new file mode 100644
index 0000000000..8372bc35f2
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch
@@ -0,0 +1,128 @@
+From 82a7fbb1fa7228499ffeb3a57a1d106a9626d57c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Sun, 5 Feb 2023 15:53:15 +0000
+Subject: [PATCH] tiffcrop: added check for assumption on composite images
+ (fixes #496)
+tiffcrop: For composite images with more than one region, the combined_length or combined_width always needs to be equal, respectively. Otherwise, even the first section/region copy action might cause buffer overrun. This is now checked before the first copy action.
+Closes #496, #497, #498, #500, #501.
+Upstream-Status: Backport [import from fedora https://src.fedoraproject.org/rpms/libtiff/c/91856895aadf3cce6353f40c2feef9bf0b486440 ]
+CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 66 insertions(+), 2 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 84e26ac6..480b927c 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -5329,18 +5329,39 @@
+ 
+       crop->regionlist[i].buffsize = buffsize;
+       crop->bufftotal += buffsize;
+            /* For composite images with more than one region, the
+             * combined_length or combined_width always needs to be equal,
+             * respectively.
+             * Otherwise, even the first section/region copy
+             * action might cause buffer overrun. */
+       if (crop->img_mode == COMPOSITE_IMAGES)
+         {
+         switch (crop->edge_ref)
+           {
+           case EDGE_LEFT:
+           case EDGE_RIGHT:
+                        if (i > 0 && zlength != crop->combined_length)
+                        {
+                            TIFFError(
+                                "computeInputPixelOffsets",
+                                "Only equal length regions can be combined for "
+                                "-E left or right");
+                            return (-1);
+                        }
+                crop->combined_length = zlength;
+                crop->combined_width += zwidth;
+                break;
+           case EDGE_BOTTOM:
+           case EDGE_TOP:  /* width from left, length from top */
+           default:
+                        if (i > 0 && zwidth != crop->combined_width)
+                        {
+                            TIFFError("computeInputPixelOffsets",
+                                      "Only equal width regions can be "
+                                      "combined for -E "
+                                      "top or bottom");
+                            return (-1);
+                        }
+                crop->combined_width = zwidth;
+                crop->combined_length += zlength;
+               break;
+@@ -6546,6 +6567,46 @@
+   crop->combined_width = 0;
+   crop->combined_length = 0;
+ 
+    /* If there is more than one region, check beforehand whether all the width
+     * and length values of the regions are the same, respectively. */
+    switch (crop->edge_ref)
+    {
+        default:
+        case EDGE_TOP:
+        case EDGE_BOTTOM:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_width0 =
+                    crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+                uint32_t crop_width1 =
+                    crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+                if (crop_width0 != crop_width1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal width regions can be combined for -E "
+                              "top or bottom");
+                    return (1);
+                }
+            }
+            break;
+        case EDGE_LEFT:
+        case EDGE_RIGHT:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_length0 =
+                    crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+                uint32_t crop_length1 =
+                    crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+                if (crop_length0 != crop_length1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal length regions can be combined for "
+                              "-E left or right");
+                    return (1);
+                }
+            }
+    }
+
+   for (i = 0; i < crop->selections; i++)
+     {
+     /* rows, columns, width, length are expressed in pixels */
+@@ -6570,7 +6631,8 @@
+       default:
+       case EDGE_TOP:
+       case EDGE_BOTTOM:
+-          if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+                if ((crop->selections > i + 1) &&
+                    (crop_width != crop->regionlist[i + 1].width))
+              {
+             TIFFError ("extractCompositeRegions", 
+                           "Only equal width regions can be combined for -E top or bottom");
+@@ -6651,7 +6713,8 @@
+           break;
+       case EDGE_LEFT:  /* splice the pieces of each row together, side by side */
+       case EDGE_RIGHT:
+-          if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+                if ((crop->selections > i + 1) &&
+                    (crop_length != crop->regionlist[i + 1].length))
+              {
+             TIFFError ("extractCompositeRegions", 
+                           "Only equal length regions can be combined for -E left or right");
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index ef4fa97585..4bd485a10a 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -32,6 +32,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://0001-tiffcrop-S-option-Make-decision-simpler.patch \
           file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \
           file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
+           file://CVE-2022-48281.patch \
+           file://CVE-2023-0800_0801_0802_0803_0804.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Chee Yang Lee <chee.yang.lee@intel.com>	2023-03-02 13:26:06 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-20 17:20:44 +0000
commit	857a8bdd9c98c71a4932ca7886f2c688c8668ccb (patch)
tree	407517c674f4ab6ddf60d553281ac047d81b2cdd
parent	b7da7c8996257d3b249688744fb394f49168749c (diff)
download	poky-857a8bdd9c98c71a4932ca7886f2c688c8668ccb.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch new file mode 100644 index 0000000000..4f8dc35251 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch
@@ -0,0 +1,26 @@
		1	From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001
		2	From: Su Laus <sulau@freenet.de>
		3	Date: Sat, 21 Jan 2023 15:58:10 +0000
		4	Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
		5
		6
		7	Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.2.0-1+deb11u4.debian.tar.xz]
		8	CVE: CVE-2022-48281
		9	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		10	---
		11	tools/tiffcrop.c \| 2 +-
		12	1 file changed, 1 insertion(+), 1 deletion(-)
		13
		14	Index: tiff-4.2.0/tools/tiffcrop.c
		15	===================================================================
		16	--- tiff-4.2.0.orig/tools/tiffcrop.c
		17	+++ tiff-4.2.0/tools/tiffcrop.c
		18	@@ -7516,7 +7516,7 @@ processCropSelections(struct image_data
		19	crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
		20	else
		21	{
		22	- prev_cropsize = seg_buffs[0].size;
		23	+ prev_cropsize = seg_buffs[1].size;
		24	if (prev_cropsize < cropsize)
		25	{
		26	next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch new file mode 100644 index 0000000000..8372bc35f2 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch
@@ -0,0 +1,128 @@
		1	From 82a7fbb1fa7228499ffeb3a57a1d106a9626d57c Mon Sep 17 00:00:00 2001
		2	From: Su Laus <sulau@freenet.de>
		3	Date: Sun, 5 Feb 2023 15:53:15 +0000
		4	Subject: [PATCH] tiffcrop: added check for assumption on composite images
		5	(fixes #496)
		6
		7	tiffcrop: For composite images with more than one region, the combined_length or combined_width always needs to be equal, respectively. Otherwise, even the first section/region copy action might cause buffer overrun. This is now checked before the first copy action.
		8
		9	Closes #496, #497, #498, #500, #501.
		10
		11	Upstream-Status: Backport [import from fedora https://src.fedoraproject.org/rpms/libtiff/c/91856895aadf3cce6353f40c2feef9bf0b486440 ]
		12	CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
		13	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		14	---
		15	tools/tiffcrop.c \| 68 ++++++++++++++++++++++++++++++++++++++++++++++--
		16	1 file changed, 66 insertions(+), 2 deletions(-)
		17
		18	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		19	index 84e26ac6..480b927c 100644
		20	--- a/tools/tiffcrop.c
		21	+++ b/tools/tiffcrop.c
		22	@@ -5329,18 +5329,39 @@
		23
		24	crop->regionlist[i].buffsize = buffsize;
		25	crop->bufftotal += buffsize;
		26	+ /* For composite images with more than one region, the
		27	+ * combined_length or combined_width always needs to be equal,
		28	+ * respectively.
		29	+ * Otherwise, even the first section/region copy
		30	+ * action might cause buffer overrun. */
		31	if (crop->img_mode == COMPOSITE_IMAGES)
		32	{
		33	switch (crop->edge_ref)
		34	{
		35	case EDGE_LEFT:
		36	case EDGE_RIGHT:
		37	+ if (i > 0 && zlength != crop->combined_length)
		38	+ {
		39	+ TIFFError(
		40	+ "computeInputPixelOffsets",
		41	+ "Only equal length regions can be combined for "
		42	+ "-E left or right");
		43	+ return (-1);
		44	+ }
		45	crop->combined_length = zlength;
		46	crop->combined_width += zwidth;
		47	break;
		48	case EDGE_BOTTOM:
		49	case EDGE_TOP: /* width from left, length from top */
		50	default:
		51	+ if (i > 0 && zwidth != crop->combined_width)
		52	+ {
		53	+ TIFFError("computeInputPixelOffsets",
		54	+ "Only equal width regions can be "
		55	+ "combined for -E "
		56	+ "top or bottom");
		57	+ return (-1);
		58	+ }
		59	crop->combined_width = zwidth;
		60	crop->combined_length += zlength;
		61	break;
		62	@@ -6546,6 +6567,46 @@
		63	crop->combined_width = 0;
		64	crop->combined_length = 0;
		65
		66	+ /* If there is more than one region, check beforehand whether all the width
		67	+ * and length values of the regions are the same, respectively. */
		68	+ switch (crop->edge_ref)
		69	+ {
		70	+ default:
		71	+ case EDGE_TOP:
		72	+ case EDGE_BOTTOM:
		73	+ for (i = 1; i < crop->selections; i++)
		74	+ {
		75	+ uint32_t crop_width0 =
		76	+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
		77	+ uint32_t crop_width1 =
		78	+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
		79	+ if (crop_width0 != crop_width1)
		80	+ {
		81	+ TIFFError("extractCompositeRegions",
		82	+ "Only equal width regions can be combined for -E "
		83	+ "top or bottom");
		84	+ return (1);
		85	+ }
		86	+ }
		87	+ break;
		88	+ case EDGE_LEFT:
		89	+ case EDGE_RIGHT:
		90	+ for (i = 1; i < crop->selections; i++)
		91	+ {
		92	+ uint32_t crop_length0 =
		93	+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
		94	+ uint32_t crop_length1 =
		95	+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
		96	+ if (crop_length0 != crop_length1)
		97	+ {
		98	+ TIFFError("extractCompositeRegions",
		99	+ "Only equal length regions can be combined for "
		100	+ "-E left or right");
		101	+ return (1);
		102	+ }
		103	+ }
		104	+ }
		105	+
		106	for (i = 0; i < crop->selections; i++)
		107	{
		108	/* rows, columns, width, length are expressed in pixels */
		109	@@ -6570,7 +6631,8 @@
		110	default:
		111	case EDGE_TOP:
		112	case EDGE_BOTTOM:
		113	- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
		114	+ if ((crop->selections > i + 1) &&
		115	+ (crop_width != crop->regionlist[i + 1].width))
		116	{
		117	TIFFError ("extractCompositeRegions",
		118	"Only equal width regions can be combined for -E top or bottom");
		119	@@ -6651,7 +6713,8 @@
		120	break;
		121	case EDGE_LEFT: /* splice the pieces of each row together, side by side */
		122	case EDGE_RIGHT:
		123	- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
		124	+ if ((crop->selections > i + 1) &&
		125	+ (crop_length != crop->regionlist[i + 1].length))
		126	{
		127	TIFFError ("extractCompositeRegions",
		128	"Only equal length regions can be combined for -E left or right");


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index ef4fa97585..4bd485a10a 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -32,6 +32,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
32	file://0001-tiffcrop-S-option-Make-decision-simpler.patch \	32	file://0001-tiffcrop-S-option-Make-decision-simpler.patch \
33	file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \	33	file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \
34	file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \	34	file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
		35	file://CVE-2022-48281.patch \
		36	file://CVE-2023-0800_0801_0802_0803_0804.patch \
35	"	37	"
36		38
37	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	39	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"