tiff: Backport fix for CVE-2023-41175

Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] Reference: https://security-tracker.debian.org/tracker/CVE-2023-41175 (From OE-Core rev: dcdcd9dcab750927701deb78b798c8fedeec67e0) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-11-10 11:39:45 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-11-28 05:00:32 -1000
commit: e447b4139fced579feb92006f447d0e5ef11364f (patch)
tree: ed7b108529b62abb1fc48f52c1baeef008606449 /meta
parent: f60fb520553cec2e8278d41988f4262813e30a30 (diff)
download: poky-e447b4139fced579feb92006f447d0e5ef11364f.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch
new file mode 100644
index 0000000000..06645bed68
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch
@@ -0,0 +1,69 @@
+From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Wed, 19 Jul 2023 19:40:01 +0000
+Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes #592)
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+CVE: CVE-2023-41175
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tools/raw2tiff.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index dfee715..253c023 100644
+--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
+@@ -36,6 +36,7 @@
+ #include <sys/types.h>
+ #include <math.h>
+ #include <ctype.h>
+#include <limits.h>
+ 
+ #ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+@@ -101,6 +102,7 @@ main(int argc, char* argv[])
+        int     fd;
+        char    *outfilename = NULL;
+        TIFF    *out;
+       uint32_t temp_limit_check = 0;     /* temp for integer overflow checking*/
+ 
+        uint32_t row, col, band;
+        int     c;
+@@ -212,6 +214,33 @@ main(int argc, char* argv[])
+        if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
+                return EXIT_FAILURE;
+ 
+       /* check for integer overflow in */
+       /* hdr_size + (*width) * (*length) * nbands * depth */
+
+       if ((width == 0) || (length == 0) ){
+           fprintf(stderr, "Too large nbands value specified.\n");
+           return (EXIT_FAILURE);
+       }
+
+       temp_limit_check = nbands * depth;
+
+       if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) )  {
+           fprintf(stderr, "Too large length size specified.\n");
+           return (EXIT_FAILURE);
+       }
+       temp_limit_check = temp_limit_check * length;
+
+       if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) )  {
+           fprintf(stderr, "Too large width size specified.\n");
+           return (EXIT_FAILURE);
+       }
+       temp_limit_check = temp_limit_check * width;
+
+       if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) )  {
+           fprintf(stderr, "Too large header size specified.\n");
+           return (EXIT_FAILURE);
+       }
+
+        if (outfilename == NULL)
+                outfilename = argv[optind+1];
+        out = TIFFOpen(outfilename, "w");
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index e925b7d652..11e3818c69 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -46,6 +46,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2022-40090.patch \
           file://CVE-2023-1916.patch \
           file://CVE-2023-40745.patch \
+           file://CVE-2023-41175.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Vijay Anusuri <vanusuri@mvista.com>	2023-11-10 11:39:45 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-11-28 05:00:32 -1000
commit	e447b4139fced579feb92006f447d0e5ef11364f (patch)
tree	ed7b108529b62abb1fc48f52c1baeef008606449 /meta
parent	f60fb520553cec2e8278d41988f4262813e30a30 (diff)
download	poky-e447b4139fced579feb92006f447d0e5ef11364f.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch new file mode 100644 index 0000000000..06645bed68 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch
@@ -0,0 +1,69 @@
		1	From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
		2	From: Arie Haenel <arie.haenel@jct.ac.il>
		3	Date: Wed, 19 Jul 2023 19:40:01 +0000
		4	Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes #592)
		5
		6	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
		7	CVE: CVE-2023-41175
		8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		9	---
		10	tools/raw2tiff.c \| 29 +++++++++++++++++++++++++++++
		11	1 file changed, 29 insertions(+)
		12
		13	diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
		14	index dfee715..253c023 100644
		15	--- a/tools/raw2tiff.c
		16	+++ b/tools/raw2tiff.c
		17	@@ -36,6 +36,7 @@
		18	#include <sys/types.h>
		19	#include <math.h>
		20	#include <ctype.h>
		21	+#include <limits.h>
		22
		23	#ifdef HAVE_UNISTD_H
		24	# include <unistd.h>
		25	@@ -101,6 +102,7 @@ main(int argc, char* argv[])
		26	int fd;
		27	char *outfilename = NULL;
		28	TIFF *out;
		29	+ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
		30
		31	uint32_t row, col, band;
		32	int c;
		33	@@ -212,6 +214,33 @@ main(int argc, char* argv[])
		34	if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
		35	return EXIT_FAILURE;
		36
		37	+ /* check for integer overflow in */
		38	+ /* hdr_size + (width) (length) nbands * depth */
		39	+
		40	+ if ((width == 0) \|\| (length == 0) ){
		41	+ fprintf(stderr, "Too large nbands value specified.\n");
		42	+ return (EXIT_FAILURE);
		43	+ }
		44	+
		45	+ temp_limit_check = nbands * depth;
		46	+
		47	+ if ( !temp_limit_check \|\| length > ( UINT_MAX / temp_limit_check ) ) {
		48	+ fprintf(stderr, "Too large length size specified.\n");
		49	+ return (EXIT_FAILURE);
		50	+ }
		51	+ temp_limit_check = temp_limit_check * length;
		52	+
		53	+ if ( !temp_limit_check \|\| width > ( UINT_MAX / temp_limit_check ) ) {
		54	+ fprintf(stderr, "Too large width size specified.\n");
		55	+ return (EXIT_FAILURE);
		56	+ }
		57	+ temp_limit_check = temp_limit_check * width;
		58	+
		59	+ if ( !temp_limit_check \|\| hdr_size > ( UINT_MAX - temp_limit_check ) ) {
		60	+ fprintf(stderr, "Too large header size specified.\n");
		61	+ return (EXIT_FAILURE);
		62	+ }
		63	+
		64	if (outfilename == NULL)
		65	outfilename = argv[optind+1];
		66	out = TIFFOpen(outfilename, "w");
		67	--
		68	2.25.1
		69


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index e925b7d652..11e3818c69 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -46,6 +46,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
46	file://CVE-2022-40090.patch \	46	file://CVE-2022-40090.patch \
47	file://CVE-2023-1916.patch \	47	file://CVE-2023-1916.patch \
48	file://CVE-2023-40745.patch \	48	file://CVE-2023-40745.patch \
		49	file://CVE-2023-41175.patch \
49	"	50	"
50		51
51	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	52	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"