A flaw was found in Libtiff. This vulnerability is a "write-what-where"
condition, triggered when the library processes a specially crafted TIFF
image file.[EOL][EOL]By providing an abnormally large image height value
in the file's metadata, an attacker can trick the library into writing
attacker-controlled color data to an arbitrary memory location. This
memory corruption can be exploited to cause a denial of service (application
crash) or to achieve arbitrary code execution with the permissions of the user.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9900
Upstream patch:
3e0dcf0ec6
(From OE-Core rev: f4e5cdeccee02d3ea78db91d5dfdcfd017c40ee0)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was determined in LibTIFF up to 4.5.1. Affected
by this issue is the function readSeparateStripsetoBuffer of the
file tools/tiffcrop.c of the component tiffcrop. The manipulation
leads to stack-based buffer overflow. Local access is required to
approach this attack. The patch is identified as
8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to
apply a patch to fix this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-8851
Upstream patch:
8a7a48d7a6
(From OE-Core rev: 1ced84bbd4ab15f0f16176e367744b496a0ea97c)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability classified as problematic was found in libtiff
4.6.0. This vulnerability affects the function PS_Lvl2page of
the file tools/tiff2ps.c of the component tiff2ps. The
manipulation leads to null pointer dereference. It is possible
to launch the attack on the local host. The complexity of an
attack is rather high. The exploitation appears to be difficult.
The exploit has been disclosed to the public and may be used.
The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b.
It is recommended to apply a patch to fix this issue. One of the
maintainers explains, that "[t]his error only occurs if
DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD")
option is used."
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-8534
Upstream patch:
6ba36f159f
(From OE-Core rev: c897368cd363d3e50372ab1fc95bc31f1a883dc4)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
as problematic. Affected by this vulnerability is the function
t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps.
The manipulation leads to null pointer dereference. The attack needs to
be approached locally. The complexity of an attack is rather high. The
exploitation appears to be difficult. The patch is named
2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply a
patch to fix this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-13978
Upstream patch:
2ebfffb0e8
(From OE-Core rev: f6ff692be6b08290845b6c6c27eaf5d676476464)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in LibTIFF up to 4.7.0. It has been
rated as critical. This issue affects the function setrow of the
file tools/thumbnail.c. The manipulation leads to buffer overflow.
An attack has to be approached locally. The patch is named
e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to
apply a patch to fix this issue. This vulnerability only affects
products that are no longer supported by the maintainer.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-8177
Upstream patch:
e8de4dc1f9
(From OE-Core rev: fbf3238630c104c9e17d6e902986358cea5986ff)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in LibTIFF up to 4.7.0. It has
been declared as critical. This vulnerability affects the
function get_histogram of the file tools/tiffmedian.c. The
manipulation leads to use after free. The attack needs to
be approached locally. The exploit has been disclosed to
the public and may be used. The patch is identified as
fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended
to apply a patch to fix this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-8176
Upstream patches:
3994cf3b3bce46f002ececc4ddbf1f
(From OE-Core rev: 5dbc4ccce8676b016de8c1393c2f0d0f74eb9337)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport fix from upstream.
There was style refactoring done in the code meanwhile, so the patch mas
assembled manually by applying each change on 4.3.0 sources.
(From OE-Core rev: fda622289ef26fac38e7dc41e6f0c9d7c866f06e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This further tweaks fix for CVE-2022-1622/CVE-2022-1623 by adding it to
one additional goto label.
Previous fix:
b4e79bfa0c
Additional fix:
9be22b639e
(From OE-Core rev: c7632c5a3853290292fa695a0a7b15eb06159036)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The contents of the LICENSE.md file included in the current source
code package match those of libtiff license, which seems to have been
the case since 1999 commit
0ef31e1f62
where it was added with filename COPYRIGHT and was then changed to
LICENSE.md in 2022 commit
fa1d6d787f
(From OE-Core rev: 71d8e8b03349ab18dca558055c2b3a3687785ddf)
(From OE-Core rev: 226286f0971f3dbb5fb49e70ad37ef0ba0335a62)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
tiff-native otherwise falsely detects webp if its installed on build
host. This ensures deterministic behavior regardless of host.
(From OE-Core rev: dafd8cf38d6414ca3102695b5a55a8fd2718e584)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 718c44f282310b2ca85877fed706460ccc1eebea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* so that they can be easily and cleanly applied with "git am"
* manually fix CVE-2022-2953.patch commit message not to use UTF-8
quotes and replace it with human readable text from original commit:
8fe3735942
(From OE-Core rev: 535c814259ec63916debb17a326fa328c4f6237b)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
While this does not happen with the tiff 4.3.0 release, it does happen with
the series of patches we have, so backport the two simple changes that
restrict the tiffcrop options to avoid the vulnerability.
CVE-2022-2953.patch was taken from upstream, and a small typo was fixed
for the CVE number. The other patch is included in tiff 4.4.0 but not
4.3.0, so add it as well.
(From OE-Core rev: cd94ed01214251027d1076b67cf65c3058f51dad)
Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: https://gitlab.com/libtiff/libtiff
MR: 120544
Type: Security Fix
Disposition: Backport from 275735d035
ChangeID: 2f9df449974f5436c1690f3ace5d74b1ab4670c9
Description:
CVE-2022-34526 libtiff: A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit.
(From OE-Core rev: 4ad7470bc772e33e579947c894ed74a513fbcb39)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We never depended upon libjbig so this was never present. Add the
PACKAGECONFIG to make this explict.
CVE-2022-1210 is an issue in libjbig so we don't have a problem there,
mark as such.
(From OE-Core rev: 95f1c5d0bb7bc7cae2715d0c9b569fa369a64575)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 34e6a19f2430ee2fd0fec4bec1891e898a0d9766)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These issues only affect libtiff post-4.3.0 but before 4.4.0, caused by
3079627e and fixed by b4e79bfa.
(From OE-Core rev: 4eb0b7468383a1d0314b3bfd43ea37c95de464d9)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As far as I can tell, the patches being applied also fix CVE-2022-1056 so
mark as such.
(From OE-Core rev: 256d212fd1eb9b6d4b87c2c84b1ea2a3afdeb843)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some fix upstream addresses the issue, it isn't clear which change this was. Our
current version doesn't have issues with the test image though so we can exclude.
(From OE-Core rev: 3874da694ae1d9de06dd003bd80705205e2b033b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Doxygen in meta-oe has recently been extended for nativesdk. Doxygen is
often used together with mscgen which in turn depends indirectly on
tiff (via gd library).
(From OE-Core rev: 929cf038ec0f49e86d9ab0ec7e012320598ceb81)
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
