[kirkstone,03/30] tiff: fix multiple CVEs

Message ID	1a4e54d5b7b4d26b9fcdc2be1b115600ca71c9ea.1690739937.git.steve@sakoman.com
State	Accepted, archived
Commit	f2782b4cac461909cf432db13516e443fee8c3de
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.171, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/30] tiff: fix multiple CVEs Date: Sun, 30 Jul 2023 08:00:26 -1000 Message-Id: <1a4e54d5b7b4d26b9fcdc2be1b115600ca71c9ea.1690739937.git.steve@sakoman.com> In-Reply-To: <cover.1690739937.git.steve@sakoman.com> References: <cover.1690739937.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/30] libjpeg-turbo: patch CVE-2023-2804 \| expand [kirkstone,01/30] libjpeg-turbo: patch CVE-2023-2804 [kirkstone,02/30] python3: ignore CVE-2023-36632 [kirkstone,03/30] tiff: fix multiple CVEs [kirkstone,04/30] go: fix CVE-2023-29406 net/http insufficient sanitization of Host header [kirkstone,05/30] tiff: fix multiple CVEs [kirkstone,06/30] libtiff: fix CVE-2023-26965 heap-based use after free [kirkstone,07/30] openssh: fix CVE-2023-38408 [kirkstone,08/30] dmidecode: fix CVE-2023-30630 [kirkstone,09/30] python3: upgrade 3.10.9 -> 3.10.12 [kirkstone,10/30] diffutils: update 3.9 -> 3.10 [kirkstone,11/30] libassuan: upgrade 2.5.5 -> 2.5.6 [kirkstone,12/30] libksba: upgrade 1.6.3 -> 1.6.4 [kirkstone,13/30] lttng-ust: upgrade 2.13.5 -> 2.13.6 [kirkstone,14/30] gcc : upgrade to v11.4 [kirkstone,15/30] libxcrypt: fix build with perl-5.38 and use master branch [kirkstone,16/30] kernel: add missing path to search for debug files [kirkstone,17/30] recipetool: Fix inherit in created -native* recipes [kirkstone,18/30] systemd-systemctl: fix errors in instance name expansion [kirkstone,19/30] uboot-extlinux-config.bbclass: fix old override syntax in comment [kirkstone,20/30] mdadm: fix util-linux ptest dependency [kirkstone,21/30] mdadm: fix 07revert-inplace ptest [kirkstone,22/30] mdadm: fix segfaults when running ptests [kirkstone,23/30] mdadm: skip running known broken ptests [kirkstone,24/30] python3: fix missing comma in get_module_deps3.py [kirkstone,25/30] meson.bbclass: Point to llvm-config from native sysroot [kirkstone,26/30] oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case [kirkstone,27/30] oeqa/selftest/devtool: add unit test for "devtool add -b" [kirkstone,28/30] openssl: add PERLEXTERNAL path to test its existence [kirkstone,29/30] openssl: use a glob on the PERLEXTERNAL to track updates on the path [kirkstone,30/30] util-linux: add alternative links for ipcs,ipcrm

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0795_0796_0797_0798_0799.patch new file mode 100644 index 0000000000..498d5ec8ab --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0795_0796_0797_0798_0799.patch @@ -0,0 +1,162 @@ +From 7808740e100ba30ffb791044f3b14dec3e85ed6f Mon Sep 17 00:00:00 2001 +From: Markus Koschany <apo@debian.org> +Date: Tue, 21 Feb 2023 14:26:43 +0100 +Subject: [PATCH] CVE-2023-0795 + +This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, +CVE-2023-0799. + +Bug-Debian: https://bugs.debian.org/1031632 +Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 + +Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ] +CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 30 insertions(+), 21 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index adf0f84..deba170 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -269,7 +269,6 @@ struct region { + uint32_t width; /* width in pixels */ + uint32_t length; /* length in pixels */ + uint32_t buffsize; /* size of buffer needed to hold the cropped region */ +- unsigned char *buffptr; /* address of start of the region */ + }; + + /* Cropping parameters from command line and image data +@@ -524,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **); ++ unsigned char **, int); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, + unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -5219,7 +5218,6 @@ initCropMasks (struct crop_mask *cps) + cps->regionlist[i].width = 0; + cps->regionlist[i].length = 0; + cps->regionlist[i].buffsize = 0; +- cps->regionlist[i].buffptr = NULL; + cps->zonelist[i].position = 0; + cps->zonelist[i].total = 0; + } +@@ -6511,8 +6509,13 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b + (uint16_t) (image->adjustments & ROTATE_ANY)); + return (-1); + } +- +- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr)) ++ ++ /* Dummy variable in order not to switch two times the ++ * image->width,->length within rotateImage(), ++ * but switch xres, yres there. */ ++ uint32_t width = image->width; ++ uint32_t length = image->length; ++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE)) + { + TIFFError ("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -6580,7 +6583,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + /* These should not be needed for composite images */ + crop->regionlist[i].width = crop_width; + crop->regionlist[i].length = crop_length; +- crop->regionlist[i].buffptr = crop_buff; + + src_rowsize = ((img_width * bps * spp) + 7) / 8; + dst_rowsize = (((crop_width * bps * count) + 7) / 8); +@@ -6817,7 +6819,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop, + + crop->regionlist[region].width = crop_width; + crop->regionlist[region].length = crop_length; +- crop->regionlist[region].buffptr = crop_buff; + + src = read_buff; + dst = crop_buff; +@@ -7695,7 +7696,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, &crop_buff)) ++ &crop->combined_length, &crop_buff, FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation); +@@ -7805,7 +7806,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !! + */ + if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, +- &crop->regionlist[i].length, &crop_buff)) ++ &crop->regionlist[i].length, &crop_buff, FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation); +@@ -7937,7 +7938,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, crop_buff_ptr)) ++ &crop->combined_length, crop_buff_ptr, TRUE)) + { + TIFFError("createCroppedImage", + "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation); +@@ -8600,7 +8601,7 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ + /* Rotate an image by a multiple of 90 degrees clockwise */ + static int + rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, +- uint32_t *img_length, unsigned char **ibuff_ptr) ++ uint32_t *img_length, unsigned char **ibuff_ptr, int rot_image_params) + { + int shift_width; + uint32_t bytes_per_pixel, bytes_per_sample; +@@ -8791,11 +8792,15 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + + *img_width = length; + *img_length = width; +- image->width = length; +- image->length = width; +- res_temp = image->xres; +- image->xres = image->yres; +- image->yres = res_temp; ++ /* Only toggle image parameters if whole input image is rotated. */ ++ if (rot_image_params) ++ { ++ image->width = length; ++ image->length = width; ++ res_temp = image->xres; ++ image->xres = image->yres; ++ image->yres = res_temp; ++ } + break; + + case 270: if ((bps % 8) == 0) /* byte aligned data */ +@@ -8868,11 +8873,15 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + + *img_width = length; + *img_length = width; +- image->width = length; +- image->length = width; +- res_temp = image->xres; +- image->xres = image->yres; +- image->yres = res_temp; ++ /* Only toggle image parameters if whole input image is rotated. */ ++ if (rot_image_params) ++ { ++ image->width = length; ++ image->length = width; ++ res_temp = image->xres; ++ image->xres = image->yres; ++ image->yres = res_temp; ++ } + break; + default: + break; +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 4bd485a10a..2be25756bc 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -34,6 +34,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \ file://CVE-2022-48281.patch \ file://CVE-2023-0800_0801_0802_0803_0804.patch \ + file://CVE-2023-0795_0796_0797_0798_0799.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

[kirkstone,03/30] tiff: fix multiple CVEs

Commit Message

Patch