tiff: Security fix for CVE-2024-13978, CVE-2025-8176, CVE-2025-8177

Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/7be20ccaab97455f192de0ac561ceda7cd9e12d1, https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4, https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa, https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda, https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0, https://gitlab.com/libtiff/libtiff/-/commit/75d8eca6f106c01aadf76b8500a7d062b12f2d82, https://gitlab.com/libtiff/libtiff/-/commit/e8c9d6c616b19438695fd829e58ae4fde5bfbc22] CVE's Fixed: CVE-2024-13978 libtiff: LibTIFF Null Pointer Dereference CVE-2025-8176 libtiff: LibTIFF Use-After-Free Vulnerability CVE-2025-8177 libtiff: LibTIFF Buffer Overflow (From OE-Core rev: 16d8a873c57b174e4d6581b58d890f2157aa2f2c) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Siddharth Doshi <sdoshi@mvista.com> 2025-08-22 20:44:50 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-08-25 17:47:21 +0100
commit: d566c7bb8d27e073d7977d21e34b763c7af3fcb1 (patch)
tree: 0a889a905a121b28927a67d3934d41adebe92703 /meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
parent: 8f2adecb3acd924b385778b43e0a967c3e3f5946 (diff)
download: poky-d566c7bb8d27e073d7977d21e34b763c7af3fcb1.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
index 5a6939d584..26e3811ff8 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -8,7 +8,15 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 CVE_PRODUCT = "libtiff"
-SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"
+SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+           file://CVE-2024-13978_1.patch \
+           file://CVE-2024-13978_2.patch \
+           file://CVE-2025-8176_1.patch \
+           file://CVE-2025-8176_2.patch \
+           file://CVE-2025-8176_3.patch \
+           file://CVE-2025-8177_1.patch \
+           file://CVE-2025-8177_2.patch \
+           "
 SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"
author	Siddharth Doshi <sdoshi@mvista.com>	2025-08-22 20:44:50 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-08-25 17:47:21 +0100
commit	d566c7bb8d27e073d7977d21e34b763c7af3fcb1 (patch)
tree	0a889a905a121b28927a67d3934d41adebe92703 /meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
parent	8f2adecb3acd924b385778b43e0a967c3e3f5946 (diff)
download	poky-d566c7bb8d27e073d7977d21e34b763c7af3fcb1.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb index 5a6939d584..26e3811ff8 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -8,7 +8,15 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
8		8
9	CVE_PRODUCT = "libtiff"	9	CVE_PRODUCT = "libtiff"
10		10
11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"	11	SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
		12	file://CVE-2024-13978_1.patch \
		13	file://CVE-2024-13978_2.patch \
		14	file://CVE-2025-8176_1.patch \
		15	file://CVE-2025-8176_2.patch \
		16	file://CVE-2025-8176_3.patch \
		17	file://CVE-2025-8177_1.patch \
		18	file://CVE-2025-8177_2.patch \
		19	"
12		20
13	SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"	21	SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"
14		22