mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-19 06:32:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

libtiff: Add fix for tiffcrop CVE-2023-1916

Browse Source 
Add fix for tiffcrop tool CVE-2023-1916 [1].

A flaw was found in tiffcrop, a program distributed by the libtiff
package. A specially crafted tiff file can lead to an out-of-bounds
read in the extractImageSection function in tools/tiffcrop.c, resulting
in a denial of service and limited information disclosure. This issue
affects libtiff versions 4.x.

The tool is no longer part of newer libtiff distributions, hence the
fix is rejected by upstream in [2]. The backport is still applicable
to older versions of libtiff, pick the CVE fix from ubuntu 20.04 [3].

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-1916
[2] https://gitlab.com/libtiff/libtiff/-/merge_requests/535
[3] https://packages.ubuntu.com/source/focal-updates/tiff

(From OE-Core rev: 4d3e7f9a157e56a4a8ffb4d16fd6401a22851307)

Signed-off-by: Marek Vasut <marex@denx.de>

Upstream-Status: Backport from 848434a81c && https://gitlab.com/libtiff/libtiff/-/merge_requests/535
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hitendra Prajapati
2023-10-16 14:09:59 +05:30
committed by Steve Sakoman
parent f550a63161
commit 24e9fed15a
2 changed files with 100 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch Normal file
View File

@@ -0,0 +1,99 @@
From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
From: zhailiangliang <zhailiangliang@loongson.cn>
Date: Thu, 16 Mar 2023 16:16:54 +0800
Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
CVE: CVE-2023-1916
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
tools/tiffcrop.c | 44 ++++++++++++++++++++++++++++++++++++++++----
1 file changed, 40 insertions(+), 4 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 05ba4d2..8a08536 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5700,6 +5700,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->combined_width += (uint32_t)zwidth;
else
crop->combined_width = (uint32_t)zwidth;
+
+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+ if (((crop->rotation == 90) || (crop->rotation == 270))
+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+ {
+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+ return -1;
+ }
+
break;
case EDGE_BOTTOM: /* width from left, zones from bottom to top */
zwidth = offsets.crop_width;
@@ -5735,6 +5744,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
else
crop->combined_length = (uint32_t)zlength;
crop->combined_width = (uint32_t)zwidth;
+
+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+ if (((crop->rotation == 90) || (crop->rotation == 270))
+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+ {
+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+ return -1;
+ }
+
break;
case EDGE_RIGHT: /* zones from right to left, length from top */
zlength = offsets.crop_length;
@@ -5772,6 +5790,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->combined_width += (uint32_t)zwidth;
else
crop->combined_width = (uint32_t)zwidth;
+
+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+ if (((crop->rotation == 90) || (crop->rotation == 270))
+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+ {
+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+ return -1;
+ }
+
break;
case EDGE_TOP: /* width from left, zones from top to bottom */
default:
@@ -5818,7 +5845,16 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
else
crop->combined_length = (uint32_t)zlength;
crop->combined_width = (uint32_t)zwidth;
- break;
+
+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+ if (((crop->rotation == 90) || (crop->rotation == 270))
+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+ {
+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+ return -1;
+ }
+
+ break;
} /* end switch statement */
buffsize = (uint32_t)
@@ -7016,9 +7052,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
* regardless of the way the data are organized in the input file.
* Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
*/
- img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
- trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
#ifdef DEVELMODE
TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
--
2.25.1

1
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
View File

@@ -44,6 +44,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-3618-2.patch \
file://CVE-2023-26966.patch \
file://CVE-2022-40090.patch \
file://CVE-2023-1916.patch \
"
SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"