summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch74
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.3.0.bb1
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
new file mode 100644
index 0000000000..05b11a866e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
@@ -0,0 +1,74 @@
1From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001
2From: Lee Howard <faxguy@howardsilvan.com>
3Date: Fri, 5 Sep 2025 21:42:35 +0000
4Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue
5 #721
6
7Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5]
8CVE: CVE-2025-8961
9Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
10---
11 tools/tiffcrop.c | 8 +++++++-
12 1 file changed, 7 insertions(+), 1 deletion(-)
13
14diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
15index e16bc2d..c7d2553 100644
16--- a/tools/tiffcrop.c
17+++ b/tools/tiffcrop.c
18@@ -929,6 +929,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
19 TIFFError("readContigTilesIntoBuffer",
20 "Unable to extract row %"PRIu32" from tile %"PRIu32,
21 row, TIFFCurrentTile(in));
22+ _TIFFfree(tilebuf);
23 return 1;
24 }
25 break;
26@@ -943,6 +944,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
27 TIFFError("readContigTilesIntoBuffer",
28 "Unable to extract row %"PRIu32" from tile %"PRIu32,
29 row, TIFFCurrentTile(in));
30+ _TIFFfree(tilebuf);
31 return 1;
32 }
33 break;
34@@ -957,6 +959,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
35 TIFFError("readContigTilesIntoBuffer",
36 "Unable to extract row %"PRIu32" from tile %"PRIu32,
37 row, TIFFCurrentTile(in));
38+ _TIFFfree(tilebuf);
39 return 1;
40 }
41 break;
42@@ -969,6 +972,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
43 TIFFError("readContigTilesIntoBuffer",
44 "Unable to extract row %"PRIu32" from tile %"PRIu32,
45 row, TIFFCurrentTile(in));
46+ _TIFFfree(tilebuf);
47 return 1;
48 }
49 break;
50@@ -983,10 +987,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
51 TIFFError("readContigTilesIntoBuffer",
52 "Unable to extract row %"PRIu32" from tile %"PRIu32,
53 row, TIFFCurrentTile(in));
54+ _TIFFfree(tilebuf);
55 return 1;
56 }
57 break;
58 default: TIFFError("readContigTilesIntoBuffer", "Unsupported bit depth %"PRIu16, bps);
59+ _TIFFfree(tilebuf);
60 return 1;
61 }
62 }
63@@ -2535,7 +2541,7 @@ main(int argc, char* argv[])
64 }
65
66 /* If we did not use the read buffer as the crop buffer */
67- if (read_buff)
68+ if (read_buff && read_buff != crop_buff)
69 _TIFFfree(read_buff);
70
71 if (crop_buff)
72--
732.25.1
74
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 0b4bef4c41..2ee6cdef73 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -63,6 +63,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
63 file://CVE-2025-8534.patch \ 63 file://CVE-2025-8534.patch \
64 file://CVE-2025-8851.patch \ 64 file://CVE-2025-8851.patch \
65 file://CVE-2025-9900.patch \ 65 file://CVE-2025-9900.patch \
66 file://CVE-2025-8961.patch \
66 " 67 "
67 68
68SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" 69SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"