4 files changed, 123 insertions, 0 deletions

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch
new file mode 100644
index 0000000000..83dc695528
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch
@@ -0,0 +1,61 @@
+From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH] Don't skip the first line of the input image.  Addresses
+ issue #703
+
+CVE: CVE-2025-8176
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index 062fd60..d352554 100644
+--- a/tools/tiffdither.c
++++ b/tools/tiffdither.c
+@@ -95,7 +95,7 @@ fsdither(TIFF* in, TIFF* out)
+        nextptr = nextline;
+        for (j = 0; j < imagewidth; ++j)
+                *nextptr++ = *inptr++;
+-       for (i = 1; i < imagelength; ++i) {
++       for (i = 0; i < imagelength; ++i) {
+                tmpptr = thisline;
+                thisline = nextline;
+                nextline = tmpptr;
+@@ -138,7 +138,7 @@ fsdither(TIFF* in, TIFF* out)
+                                        nextptr[0] += v / 16;
+                        }
+                }
+-               if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
++               if (TIFFWriteScanline(out, outline, i, 0) < 0)
+                        goto skip_on_error;
+        }
+        goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 93a1741..93e57cf 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -844,7 +844,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+        outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+
+        GetInputLine(in, 0, goto bad);          /* get first line */
+-       for (i = 1; i <= imagelength; ++i) {
++       for (i = 0; i <= imagelength; ++i) {
+                SWAP(short *, thisline, nextline);
+                lastline = (i >= imax);
+                if (i <= imax)
+@@ -915,7 +915,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+                                nextptr += 3;
+                        }
+                }
+-               if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
++               if (TIFFWriteScanline(out, outline, i, 0) < 0)
+                        break;
+        }
+ bad:
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch
new file mode 100644
index 0000000000..c28969e1d8
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch
@@ -0,0 +1,31 @@
+From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:25:16 -0700
+Subject: [PATCH] Fix tiffmedian bug #707
+
+CVE: CVE-2025-8176
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffmedian.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 93e57cf..a0b4b5d 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -385,7 +385,10 @@ get_histogram(TIFF* in, Colorbox* box)
+        }
+        for (i = 0; i < imagelength; i++) {
+                if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-                       break;
++                {
++                    fprintf(stderr, "Error reading scanline\n");
++                    exit(EXIT_FAILURE);
++                }
+                inptr = inputline;
+                for (j = imagewidth; j-- > 0;) {
+                        red = (*inptr++) & 0xff >> COLOR_SHIFT;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch
new file mode 100644
index 0000000000..b5ee36c5b8
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch
@@ -0,0 +1,28 @@
+From ecc4ddbf1f0fed7957d1e20361e37f01907898e0 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:38:09 -0700
+Subject: [PATCH] conflict resolution
+
+CVE: CVE-2025-8176
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffmedian.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index a0b4b5d..ca1c51f 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -847,7 +847,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+        outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+
+        GetInputLine(in, 0, goto bad);          /* get first line */
+-       for (i = 0; i <= imagelength; ++i) {
++       for (i = 0; i < imagelength; ++i) {
+                SWAP(short *, thisline, nextline);
+                lastline = (i >= imax);
+                if (i <= imax)
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 5ec7b20e61..6ff31bd0bb 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -55,6 +55,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-6277-4.patch \
            file://CVE-2024-7006.patch \
            file://CVE-2023-3164.patch \
+           file://CVE-2025-8176-0001.patch \
+           file://CVE-2025-8176-0002.patch \
+           file://CVE-2025-8176-0003.patch \
            "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"