2 files changed, 74 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
new file mode 100644
index 0000000000..90207da42b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
@@ -0,0 +1,73 @@
+From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 5 Sep 2025 21:42:35 +0000
+Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue
+ #721
+CVE: CVE-2025-8961
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tools/tiffcrop.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ae414efc..be250cc9 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -1072,6 +1072,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                           "Unable to extract row %" PRIu32
+                                           " from tile %" PRIu32,
+                                           row, TIFFCurrentTile(in));
+                                _TIFFfree(tilebuf);
+                                 return 1;
+                             }
+                             break;
+@@ -1086,6 +1087,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                               "Unable to extract row %" PRIu32
+                                               " from tile %" PRIu32,
+                                               row, TIFFCurrentTile(in));
+                                    _TIFFfree(tilebuf);
+                                     return 1;
+                                 }
+                                 break;
+@@ -1098,6 +1100,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                           "Unable to extract row %" PRIu32
+                                           " from tile %" PRIu32,
+                                           row, TIFFCurrentTile(in));
+                                _TIFFfree(tilebuf);
+                                 return 1;
+                             }
+                             break;
+@@ -1110,6 +1113,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                           "Unable to extract row %" PRIu32
+                                           " from tile %" PRIu32,
+                                           row, TIFFCurrentTile(in));
+                                _TIFFfree(tilebuf);
+                                 return 1;
+                             }
+                             break;
+@@ -1124,12 +1128,14 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                           "Unable to extract row %" PRIu32
+                                           " from tile %" PRIu32,
+                                           row, TIFFCurrentTile(in));
+                                _TIFFfree(tilebuf);
+                                 return 1;
+                             }
+                             break;
+                         default:
+                             TIFFError("readContigTilesIntoBuffer",
+                                       "Unsupported bit depth %" PRIu16, bps);
+                            _TIFFfree(tilebuf);
+                             return 1;
+                     }
+                 }
+@@ -2901,7 +2907,7 @@ int main(int argc, char *argv[])
+     }
+ 
+     /* If we did not use the read buffer as the crop buffer */
+-    if (read_buff)
+    if (read_buff && read_buff != crop_buff)
+         _TIFFfree(read_buff);
+ 
+     if (crop_buff)
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
index 405edabe6f..91e7bfbe17 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2025-8177_2.patch \
           file://CVE-2025-8534.patch \
           file://CVE-2025-9165.patch \
+           file://CVE-2025-8961.patch \
           "
 SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch new file mode 100644 index 0000000000..90207da42b --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
@@ -0,0 +1,73 @@
		1	From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Fri, 5 Sep 2025 21:42:35 +0000
		4	Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue
		5	#721
		6
		7	CVE: CVE-2025-8961
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5]
		9	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		10	---
		11	tools/tiffcrop.c \| 8 +++++++-
		12	1 file changed, 7 insertions(+), 1 deletion(-)
		13
		14	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		15	index ae414efc..be250cc9 100644
		16	--- a/tools/tiffcrop.c
		17	+++ b/tools/tiffcrop.c
		18	@@ -1072,6 +1072,7 @@ static int readContigTilesIntoBuffer(TIFF in, uint8_t buf,
		19	"Unable to extract row %" PRIu32
		20	" from tile %" PRIu32,
		21	row, TIFFCurrentTile(in));
		22	+ _TIFFfree(tilebuf);
		23	return 1;
		24	}
		25	break;
		26	@@ -1086,6 +1087,7 @@ static int readContigTilesIntoBuffer(TIFF in, uint8_t buf,
		27	"Unable to extract row %" PRIu32
		28	" from tile %" PRIu32,
		29	row, TIFFCurrentTile(in));
		30	+ _TIFFfree(tilebuf);
		31	return 1;
		32	}
		33	break;
		34	@@ -1098,6 +1100,7 @@ static int readContigTilesIntoBuffer(TIFF in, uint8_t buf,
		35	"Unable to extract row %" PRIu32
		36	" from tile %" PRIu32,
		37	row, TIFFCurrentTile(in));
		38	+ _TIFFfree(tilebuf);
		39	return 1;
		40	}
		41	break;
		42	@@ -1110,6 +1113,7 @@ static int readContigTilesIntoBuffer(TIFF in, uint8_t buf,
		43	"Unable to extract row %" PRIu32
		44	" from tile %" PRIu32,
		45	row, TIFFCurrentTile(in));
		46	+ _TIFFfree(tilebuf);
		47	return 1;
		48	}
		49	break;
		50	@@ -1124,12 +1128,14 @@ static int readContigTilesIntoBuffer(TIFF in, uint8_t buf,
		51	"Unable to extract row %" PRIu32
		52	" from tile %" PRIu32,
		53	row, TIFFCurrentTile(in));
		54	+ _TIFFfree(tilebuf);
		55	return 1;
		56	}
		57	break;
		58	default:
		59	TIFFError("readContigTilesIntoBuffer",
		60	"Unsupported bit depth %" PRIu16, bps);
		61	+ _TIFFfree(tilebuf);
		62	return 1;
		63	}
		64	}
		65	@@ -2901,7 +2907,7 @@ int main(int argc, char *argv[])
		66	}
		67
		68	/* If we did not use the read buffer as the crop buffer */
		69	- if (read_buff)
		70	+ if (read_buff && read_buff != crop_buff)
		71	_TIFFfree(read_buff);
		72
		73	if (crop_buff)


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb index 405edabe6f..91e7bfbe17 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
18	file://CVE-2025-8177_2.patch \	18	file://CVE-2025-8177_2.patch \
19	file://CVE-2025-8534.patch \	19	file://CVE-2025-8534.patch \
20	file://CVE-2025-9165.patch \	20	file://CVE-2025-9165.patch \
		21	file://CVE-2025-8961.patch \
21	"	22	"
22		23
23	SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"	24	SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"