tiff: fix CVE-2023-2908,CVE-2023-3316,CVE-2023-3618

Backport fixes for: * CVE-2023-2908 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f * CVE-2023-3316 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536 * CVE-2023-3618 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37 && https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 (From OE-Core rev: d37cf315135c6778774a1bee458e61480f808aa5) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-08-28 11:47:17 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-09-08 16:09:41 -1000
commit: b19575391d7f5909001a310450db22fc54500e47 (patch)
tree: 18dfb85fd93918f438e1daecae9455b422e92227
parent: e42cc7d900fd2f1b6a12184cb3e4c81d5bda5206 (diff)
download: poky-b19575391d7f5909001a310450db22fc54500e47.tar.gz
5 files changed, 177 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch
new file mode 100644
index 0000000000..cf94fd23d8
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch
@@ -0,0 +1,33 @@
+From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001
+From: xiaoxiaoafeifei <lliangliang2007@163.com>
+Date: Fri, 21 Apr 2023 13:01:34 +0000
+Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`:
+ applying zero offset to null pointer
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f]
+CVE: CVE-2023-2908
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 349dfe4..1402c8e 100644
+--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
+@@ -145,10 +145,10 @@ static uint16_t
+ countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
+ {
+        uint16_t i = 0;
+-       const char *ep = s + slen;
+-       const char *cp = s;
+ 
+        if (slen > 0) {
+               const char *ep = s + slen;
+               const char *cp = s;
+                do {
+                        for (; cp < ep && *cp != '\0'; cp++) {}
+                        if (cp >= ep)
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch
new file mode 100644
index 0000000000..1aa4ba45ac
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch
@@ -0,0 +1,59 @@
+From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 3 Feb 2023 17:38:55 +0100
+Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515
+Closes #515
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536]
+CVE: CVE-2023-3316
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_close.c | 11 +++++++----
+ tools/tiffcrop.c    |  5 ++++-
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
+index 674518a..0fe7af4 100644
+--- a/libtiff/tif_close.c
+++ b/libtiff/tif_close.c
+@@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif)
+  */
+ 
+ void
+-TIFFClose(TIFF* tif)
+TIFFClose(TIFF *tif)
+ {
+-       TIFFCloseProc closeproc = tif->tif_closeproc;
+-       thandle_t fd = tif->tif_clientdata;
+    if (tif != NULL)
+    {
+        TIFFCloseProc closeproc = tif->tif_closeproc;
+        thandle_t fd = tif->tif_clientdata;
+ 
+        TIFFCleanup(tif);
+-       (void) (*closeproc)(fd);
+        (void)(*closeproc)(fd);
+    }
+ }
+ 
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce77c74..cd49660 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -2548,7 +2548,10 @@ main(int argc, char* argv[])
+       }
+     }
+ 
+-  TIFFClose(out);
+    if (out != NULL)
+    {
+        TIFFClose(out);
+    }
+ 
+   return (0);
+   } /* end main */
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
new file mode 100644
index 0000000000..8f55d2b496
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
@@ -0,0 +1,34 @@
+From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 7 Mar 2023 15:02:08 +0800
+Subject: [PATCH] Fix memory leak in tiffcrop.c
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index cd49660..0d02f56 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -7839,8 +7839,13 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ 
+   read_buff = *read_buff_ptr;
+ 
+  /* Memory is freed before crop_buff_ptr is overwritten */
+    if (*crop_buff_ptr != NULL)
+    {
+       _TIFFfree(*crop_buff_ptr);
+    }
+
+   /* process full image, no crop buffer needed */
+-  crop_buff = read_buff;
+   *crop_buff_ptr = read_buff;
+   crop->combined_width = image->width;
+   crop->combined_length = image->length;
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch
new file mode 100644
index 0000000000..4179145722
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch
@@ -0,0 +1,47 @@
+From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 5 May 2023 19:43:46 +0200
+Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 0d02f56..8cbeb68 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -2459,9 +2459,15 @@ main(int argc, char* argv[])
+         {  /* Whole image or sections not based on output page size */
+         if (crop.selections > 0)
+           {
+-         writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
+-                          mp, argv[argc - 1], &next_page, total_pages);
+-          }
+             if (writeSelections(in, &out, &crop, &image, &dump,
+                                 seg_buffs, mp, argv[argc - 1],
+                                 &next_page, total_pages))
+              {
+                TIFFError("main",
+                          "Unable to write new image selections");
+                exit(EXIT_FAILURE);
+              }
+         }
+        else  /* One file all images and sections */
+           {
+          if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1],
+@@ -7842,7 +7848,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   /* Memory is freed before crop_buff_ptr is overwritten */
+     if (*crop_buff_ptr != NULL)
+     {
+-       _TIFFfree(*crop_buff_ptr);
+       _TIFFfree(*crop_buff_ptr);
+     }
+ 
+   /* process full image, no crop buffer needed */
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 4796dfde24..8e69621afb 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -38,6 +38,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-25433.patch \
           file://CVE-2023-25434-CVE-2023-25435.patch \
           file://CVE-2023-26965.patch \
+           file://CVE-2023-2908.patch \
+           file://CVE-2023-3316.patch \
+           file://CVE-2023-3618-1.patch \
+           file://CVE-2023-3618-2.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-08-28 11:47:17 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-09-08 16:09:41 -1000
commit	b19575391d7f5909001a310450db22fc54500e47 (patch)
tree	18dfb85fd93918f438e1daecae9455b422e92227
parent	e42cc7d900fd2f1b6a12184cb3e4c81d5bda5206 (diff)
download	poky-b19575391d7f5909001a310450db22fc54500e47.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch new file mode 100644 index 0000000000..cf94fd23d8 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-2908.patch
@@ -0,0 +1,33 @@
		1	From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001
		2	From: xiaoxiaoafeifei <lliangliang2007@163.com>
		3	Date: Fri, 21 Apr 2023 13:01:34 +0000
		4	Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`:
		5	applying zero offset to null pointer
		6
		7	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f]
		8	CVE: CVE-2023-2908
		9	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		10	---
		11	libtiff/tif_dir.c \| 4 ++--
		12	1 file changed, 2 insertions(+), 2 deletions(-)
		13
		14	diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
		15	index 349dfe4..1402c8e 100644
		16	--- a/libtiff/tif_dir.c
		17	+++ b/libtiff/tif_dir.c
		18	@@ -145,10 +145,10 @@ static uint16_t
		19	countInkNamesString(TIFF tif, uint32_t slen, const char s)
		20	{
		21	uint16_t i = 0;
		22	- const char *ep = s + slen;
		23	- const char *cp = s;
		24
		25	if (slen > 0) {
		26	+ const char *ep = s + slen;
		27	+ const char *cp = s;
		28	do {
		29	for (; cp < ep && *cp != '\0'; cp++) {}
		30	if (cp >= ep)
		31	--
		32	2.25.1
		33


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch new file mode 100644 index 0000000000..1aa4ba45ac --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3316.patch
@@ -0,0 +1,59 @@
		1	From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Fri, 3 Feb 2023 17:38:55 +0100
		4	Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515
		5
		6	Closes #515
		7
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536]
		9	CVE: CVE-2023-3316
		10	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		11	---
		12	libtiff/tif_close.c \| 11 +++++++----
		13	tools/tiffcrop.c \| 5 ++++-
		14	2 files changed, 11 insertions(+), 5 deletions(-)
		15
		16	diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
		17	index 674518a..0fe7af4 100644
		18	--- a/libtiff/tif_close.c
		19	+++ b/libtiff/tif_close.c
		20	@@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif)
		21	*/
		22
		23	void
		24	-TIFFClose(TIFF* tif)
		25	+TIFFClose(TIFF *tif)
		26	{
		27	- TIFFCloseProc closeproc = tif->tif_closeproc;
		28	- thandle_t fd = tif->tif_clientdata;
		29	+ if (tif != NULL)
		30	+ {
		31	+ TIFFCloseProc closeproc = tif->tif_closeproc;
		32	+ thandle_t fd = tif->tif_clientdata;
		33
		34	TIFFCleanup(tif);
		35	- (void) (*closeproc)(fd);
		36	+ (void)(*closeproc)(fd);
		37	+ }
		38	}
		39
		40	/* vim: set ts=8 sts=8 sw=8 noet: */
		41	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		42	index ce77c74..cd49660 100644
		43	--- a/tools/tiffcrop.c
		44	+++ b/tools/tiffcrop.c
		45	@@ -2548,7 +2548,10 @@ main(int argc, char* argv[])
		46	}
		47	}
		48
		49	- TIFFClose(out);
		50	+ if (out != NULL)
		51	+ {
		52	+ TIFFClose(out);
		53	+ }
		54
		55	return (0);
		56	} /* end main */
		57	--
		58	2.25.1
		59


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch new file mode 100644 index 0000000000..8f55d2b496 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
@@ -0,0 +1,34 @@
		1	From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
		2	From: zhailiangliang <zhailiangliang@loongson.cn>
		3	Date: Tue, 7 Mar 2023 15:02:08 +0800
		4	Subject: [PATCH] Fix memory leak in tiffcrop.c
		5
		6	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
		7	CVE: CVE-2023-3618
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	tools/tiffcrop.c \| 7 ++++++-
		11	1 file changed, 6 insertions(+), 1 deletion(-)
		12
		13	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		14	index cd49660..0d02f56 100644
		15	--- a/tools/tiffcrop.c
		16	+++ b/tools/tiffcrop.c
		17	@@ -7839,8 +7839,13 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		18
		19	read_buff = *read_buff_ptr;
		20
		21	+ /* Memory is freed before crop_buff_ptr is overwritten */
		22	+ if (*crop_buff_ptr != NULL)
		23	+ {
		24	+ _TIFFfree(*crop_buff_ptr);
		25	+ }
		26	+
		27	/* process full image, no crop buffer needed */
		28	- crop_buff = read_buff;
		29	*crop_buff_ptr = read_buff;
		30	crop->combined_width = image->width;
		31	crop->combined_length = image->length;
		32	--
		33	2.25.1
		34


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch new file mode 100644 index 0000000000..4179145722 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch
@@ -0,0 +1,47 @@
		1	From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Fri, 5 May 2023 19:43:46 +0200
		4	Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
		5
		6	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8]
		7	CVE: CVE-2023-3618
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	tools/tiffcrop.c \| 14 ++++++++++----
		11	1 file changed, 10 insertions(+), 4 deletions(-)
		12
		13	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		14	index 0d02f56..8cbeb68 100644
		15	--- a/tools/tiffcrop.c
		16	+++ b/tools/tiffcrop.c
		17	@@ -2459,9 +2459,15 @@ main(int argc, char* argv[])
		18	{ /* Whole image or sections not based on output page size */
		19	if (crop.selections > 0)
		20	{
		21	- writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
		22	- mp, argv[argc - 1], &next_page, total_pages);
		23	- }
		24	+ if (writeSelections(in, &out, &crop, &image, &dump,
		25	+ seg_buffs, mp, argv[argc - 1],
		26	+ &next_page, total_pages))
		27	+ {
		28	+ TIFFError("main",
		29	+ "Unable to write new image selections");
		30	+ exit(EXIT_FAILURE);
		31	+ }
		32	+ }
		33	else /* One file all images and sections */
		34	{
		35	if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1],
		36	@@ -7842,7 +7848,7 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		37	/* Memory is freed before crop_buff_ptr is overwritten */
		38	if (*crop_buff_ptr != NULL)
		39	{
		40	- _TIFFfree(*crop_buff_ptr);
		41	+ _TIFFfree(*crop_buff_ptr);
		42	}
		43
		44	/* process full image, no crop buffer needed */
		45	--
		46	2.25.1
		47


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 4796dfde24..8e69621afb 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -38,6 +38,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
38	file://CVE-2023-25433.patch \	38	file://CVE-2023-25433.patch \
39	file://CVE-2023-25434-CVE-2023-25435.patch \	39	file://CVE-2023-25434-CVE-2023-25435.patch \
40	file://CVE-2023-26965.patch \	40	file://CVE-2023-26965.patch \
		41	file://CVE-2023-2908.patch \
		42	file://CVE-2023-3316.patch \
		43	file://CVE-2023-3618-1.patch \
		44	file://CVE-2023-3618-2.patch \
41	"	45	"
42		46
43	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	47	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"