tiff: backport fix for CVE-2022-2953

(From OE-Core rev: aa018b5bec49c06e64a493a413f42558a17947cf) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@arm.com> 2022-09-05 12:28:13 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-08 14:59:39 +0100
commit: c8d04cde0fe606c597f526078845b940ea247fca (patch)
tree: 4f03eed9f4ab59cda4a49da811ebb4f0b77f046e
parent: 1e73562ea7472604094cd084ae8f208a38dab545 (diff)
download: poky-c8d04cde0fe606c597f526078845b940ea247fca.tar.gz
2 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch
new file mode 100644
index 0000000000..98020ff92f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2022-2053
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Mon, 15 Aug 2022 22:11:03 +0200
+Subject: [PATCH] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
+ =?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20ti?=
+ =?UTF-8?q?ffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually?=
+ =?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),=20-?=
+ =?UTF-8?q?Z=20and=20-z.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
+This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
+---
+ tools/tiffcrop.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 90286a5e..c3b758ec 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -173,12 +173,12 @@ static   char tiffcrop_rev_date[] = "02-09-2022";
+ #define ROTATECW_270 32
+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
+ 
+-#define CROP_NONE     0
+-#define CROP_MARGINS  1
+-#define CROP_WIDTH    2
+-#define CROP_LENGTH   4
+-#define CROP_ZONES    8
+-#define CROP_REGIONS 16
+#define CROP_NONE     0     /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
+#define CROP_MARGINS  1     /* "-m" */
+#define CROP_WIDTH    2     /* "-X" */
+#define CROP_LENGTH   4     /* "-Y" */
+#define CROP_ZONES    8     /* "-Z" */
+#define CROP_REGIONS 16     /* "-z" */
+ #define CROP_ROTATE  32
+ #define CROP_MIRROR  64
+ #define CROP_INVERT 128
+@@ -316,7 +316,7 @@ struct crop_mask {
+ #define PAGE_MODE_RESOLUTION   1
+ #define PAGE_MODE_PAPERSIZE    2
+ #define PAGE_MODE_MARGINS      4
+-#define PAGE_MODE_ROWSCOLS     8
+#define PAGE_MODE_ROWSCOLS     8    /* for -S option */
+ 
+ #define INVERT_DATA_ONLY      10
+ #define INVERT_DATA_AND_TAG   11
+@@ -781,7 +781,7 @@ static const char usage_info[] =
+ "             The four debug/dump options are independent, though it makes little sense to\n"
+ "             specify a dump file without specifying a detail level.\n"
+ "\n"
+-"Note:        The (-X|-Y), -Z and -z options are mutually exclusive.\n"
+"Note:        The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+ "             In no case should the options be applied to a given selection successively.\n"
+ "\n"
+ ;
+@@ -2131,13 +2131,14 @@ void  process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+                /*NOTREACHED*/
+       }
+     }
+-    /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
+-    char XY, Z, R;
+    /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+    char XY, Z, R, S;
+     XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
+     Z = (crop_data->crop_mode & CROP_ZONES);
+     R = (crop_data->crop_mode & CROP_REGIONS);
+-    if ((XY && Z) || (XY && R) || (Z && R)) {
+-        TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
+    S = (page->mode & PAGE_MODE_ROWSCOLS);
+    if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+        TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+         exit(EXIT_FAILURE);
+     }
+   }  /* end process_command_opts */
+-- 
+2.34.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
index e30df0b3e9..caf6f60479 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
           file://CVE-2022-34526.patch \
+           file://CVE-2022-2953.patch \
           "
 SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
author	Ross Burton <ross.burton@arm.com>	2022-09-05 12:28:13 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-08 14:59:39 +0100
commit	c8d04cde0fe606c597f526078845b940ea247fca (patch)
tree	4f03eed9f4ab59cda4a49da811ebb4f0b77f046e
parent	1e73562ea7472604094cd084ae8f208a38dab545 (diff)
download	poky-c8d04cde0fe606c597f526078845b940ea247fca.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch new file mode 100644 index 0000000000..98020ff92f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2953.patch
@@ -0,0 +1,86 @@
		1	CVE: CVE-2022-2053
		2	Upstream-Status: Backport
		3	Signed-off-by: Ross Burton <ross.burton@arm.com>
		4
		5	From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001
		6	From: Su_Laus <sulau@freenet.de>
		7	Date: Mon, 15 Aug 2022 22:11:03 +0200
		8	Subject: [PATCH] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
		9	=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20ti?=
		10	=?UTF-8?q?ffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually?=
		11	=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X\|-Y),=20-?=
		12	=?UTF-8?q?Z=20and=20-z.?=
		13	MIME-Version: 1.0
		14	Content-Type: text/plain; charset=UTF-8
		15	Content-Transfer-Encoding: 8bit
		16
		17	This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
		18
		19	This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
		20	---
		21	tools/tiffcrop.c \| 31 ++++++++++++++++---------------
		22	1 file changed, 16 insertions(+), 15 deletions(-)
		23
		24	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		25	index 90286a5e..c3b758ec 100644
		26	--- a/tools/tiffcrop.c
		27	+++ b/tools/tiffcrop.c
		28	@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
		29	#define ROTATECW_270 32
		30	#define ROTATE_ANY (ROTATECW_90 \| ROTATECW_180 \| ROTATECW_270)
		31
		32	-#define CROP_NONE 0
		33	-#define CROP_MARGINS 1
		34	-#define CROP_WIDTH 2
		35	-#define CROP_LENGTH 4
		36	-#define CROP_ZONES 8
		37	-#define CROP_REGIONS 16
		38	+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
		39	+#define CROP_MARGINS 1 /* "-m" */
		40	+#define CROP_WIDTH 2 /* "-X" */
		41	+#define CROP_LENGTH 4 /* "-Y" */
		42	+#define CROP_ZONES 8 /* "-Z" */
		43	+#define CROP_REGIONS 16 /* "-z" */
		44	#define CROP_ROTATE 32
		45	#define CROP_MIRROR 64
		46	#define CROP_INVERT 128
		47	@@ -316,7 +316,7 @@ struct crop_mask {
		48	#define PAGE_MODE_RESOLUTION 1
		49	#define PAGE_MODE_PAPERSIZE 2
		50	#define PAGE_MODE_MARGINS 4
		51	-#define PAGE_MODE_ROWSCOLS 8
		52	+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
		53
		54	#define INVERT_DATA_ONLY 10
		55	#define INVERT_DATA_AND_TAG 11
		56	@@ -781,7 +781,7 @@ static const char usage_info[] =
		57	" The four debug/dump options are independent, though it makes little sense to\n"
		58	" specify a dump file without specifying a detail level.\n"
		59	"\n"
		60	-"Note: The (-X\|-Y), -Z and -z options are mutually exclusive.\n"
		61	+"Note: The (-X\|-Y), -Z, -z and -S options are mutually exclusive.\n"
		62	" In no case should the options be applied to a given selection successively.\n"
		63	"\n"
		64	;
		65	@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char argv[], char mp, char *mode, uint32
		66	/NOTREACHED/
		67	}
		68	}
		69	- /-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --/
		70	- char XY, Z, R;
		71	+ /-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --/
		72	+ char XY, Z, R, S;
		73	XY = ((crop_data->crop_mode & CROP_WIDTH) \|\| (crop_data->crop_mode & CROP_LENGTH));
		74	Z = (crop_data->crop_mode & CROP_ZONES);
		75	R = (crop_data->crop_mode & CROP_REGIONS);
		76	- if ((XY && Z) \|\| (XY && R) \|\| (Z && R)) {
		77	- TIFFError("tiffcrop input error", "The crop options(-X\|-Y), -Z and -z are mutually exclusive.->Exit");
		78	+ S = (page->mode & PAGE_MODE_ROWSCOLS);
		79	+ if ((XY && Z) \|\| (XY && R) \|\| (XY && S) \|\| (Z && R) \|\| (Z && S) \|\| (R && S)) {
		80	+ TIFFError("tiffcrop input error", "The crop options(-X\|-Y), -Z, -z and -S are mutually exclusive.->Exit");
		81	exit(EXIT_FAILURE);
		82	}
		83	} /* end process_command_opts */
		84	--
		85	2.34.1
		86


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb index e30df0b3e9..caf6f60479 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12	file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \	12	file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
13	file://CVE-2022-34526.patch \	13	file://CVE-2022-34526.patch \
		14	file://CVE-2022-2953.patch \
14	"	15	"
15		16
16	SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"	17	SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"