From 639a818fd0681225e935722b500bd078ed4a816f Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Thu, 25 Sep 2025 16:05:14 +0200 Subject: tiff: patch CVE-2025-8961 Pick commit mentioned in [1]. [1] https://security-tracker.debian.org/tracker/CVE-2025-8961 (From OE-Core rev: c171a41e58e2f151dada61ee2a53c15ceaaa85c0) Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libtiff/tiff/CVE-2025-8961.patch | 73 ++++++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.7.0.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch new file mode 100644 index 0000000000..90207da42b --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch @@ -0,0 +1,73 @@ +From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Fri, 5 Sep 2025 21:42:35 +0000 +Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue + #721 + +CVE: CVE-2025-8961 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5] +Signed-off-by: Peter Marko +--- + tools/tiffcrop.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ae414efc..be250cc9 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -1072,6 +1072,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -1086,6 +1087,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -1098,6 +1100,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -1110,6 +1113,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; +@@ -1124,12 +1128,14 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, + "Unable to extract row %" PRIu32 + " from tile %" PRIu32, + row, TIFFCurrentTile(in)); ++ _TIFFfree(tilebuf); + return 1; + } + break; + default: + TIFFError("readContigTilesIntoBuffer", + "Unsupported bit depth %" PRIu16, bps); ++ _TIFFfree(tilebuf); + return 1; + } + } +@@ -2901,7 +2907,7 @@ int main(int argc, char *argv[]) + } + + /* If we did not use the read buffer as the crop buffer */ +- if (read_buff) ++ if (read_buff && read_buff != crop_buff) + _TIFFfree(read_buff); + + if (crop_buff) diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb index 405edabe6f..91e7bfbe17 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8177_2.patch \ file://CVE-2025-8534.patch \ file://CVE-2025-9165.patch \ + file://CVE-2025-8961.patch \ " SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976" -- cgit v1.2.3-54-g00ecf