tiff: fix CVE-2025-9900

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.[EOL][EOL]By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9900 Upstream patch: 3e0dcf0ec6 (From OE-Core rev: f4e5cdeccee02d3ea78db91d5dfdcfd017c40ee0) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-27 21:32:13 +02:00 · 2025-09-30 13:49:25 +05:30
parent 9c9c706252
commit 15dd68bda1
2 changed files with 58 additions and 0 deletions
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
@@ -0,0 +1,57 @@
+From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+
+CVE: CVE-2025-9900
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99]
+
+Changes-
+- Use old API TIFFWarningExt instead of TIFFWarningExtR.
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a9cd48f..4c807ad 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
+		"No \"put\" routine setupl; probably can not handle image format");
+		return (0);
+     }
+    /* Verify raster width and height against image width and height. */
+    if (h > img->height)
+    {
+        /* Adapt parameters to read only available lines and put image at
+         * the bottom of the raster. */
+        raster += (size_t)(h - img->height) * w;
+        h = img->height;
+    }
+    if (w > img->width)
+    {
+        TIFFWarningExt(img->tif, TIFFFileName(img->tif),
+                        "Raster width of %d shall not be larger than image "
+                        "width of %d -> raster width adapted for reading",
+                        w, img->width);
+        w = img->width;
+    }
+     return (*img->get)(img, raster, w, h);
+ }
+
+@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+
+	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+		img.req_orientation = (uint16_t)orientation;
+-		/* XXX verify rwidth and rheight against width and height */
+-		ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+-			rwidth, img.height);
+        ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+		TIFFRGBAImageEnd(&img);
+	} else {
+		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
+--
+2.40.0
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -62,6 +62,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2024-13978.patch \
           file://CVE-2025-8534.patch \
           file://CVE-2025-8851.patch \
+           file://CVE-2025-9900.patch \
           "

 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"