On Wed, Sep 7, 2022 at 7:04 PM Virendra Thakur via lists.openembedded.org <[email protected]> wrote: > > From: Virendra Thakur <[email protected]> > > Add Patch to fix CVE-2022-2867, CVE-2022-2868 > CVE-2022-2869
This fails on the autobuilder: ERROR: tiff-4.1.0-r0 do_patch: Applying patch 'CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch' on target directory '/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/tiff-4.1.0' Command Error: 'quilt --quiltrc /home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch patching file tools/tiffcrop.c Hunk #1 FAILED at 5153. Hunk #2 succeeded at 4782 with fuzz 2 (offset -423 lines). Hunk #4 FAILED at 5332. Hunk #5 succeeded at 5449 with fuzz 2. Hunk #6 succeeded at 5588 with fuzz 2. 2 out of 6 hunks FAILED -- rejects in file tools/tiffcrop.c Patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch does not apply (enforce with -f) Perhaps your mailer is corrupting the patch? This has been an issue lately with other patches from kpit! Steve > > Signed-off-by: Virendra Thakur <[email protected]> > --- > ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++ > meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 + > 2 files changed, 160 insertions(+) > create mode 100644 > meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > > diff --git > a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > > b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > new file mode 100644 > index 0000000000..131ff94119 > --- /dev/null > +++ > b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > @@ -0,0 +1,159 @@ > +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001 > +From: Su Laus <[email protected]> > +Date: Wed, 9 Feb 2022 21:31:29 +0000 > +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by > correcting > + uint32_t underflow. > + > +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 > +Upstream-Status: Backport > [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c] > +Signed-off-by: Virendra Thakur <[email protected]> > +--- > +Index: tiff-4.1.0/tools/tiffcrop.c > +=================================================================== > +--- tiff-4.1.0.orig/tools/tiffcrop.c > ++++ tiff-4.1.0/tools/tiffcrop.c > +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas > + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); > + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); > + } > +- if (x1 < 1) > +- crop->regionlist[i].x1 = 0; > +- else > +- crop->regionlist[i].x1 = (uint32) (x1 - 1); > ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 > ++ * b) Corners are expected to be submitted as top-left to > bottom-right. > ++ * Therefore, check that and reorder input. > ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) > ++ */ > ++ uint32_t aux; > ++ if (x1 > x2) { > ++ aux = x1; > ++ x1 = x2; > ++ x2 = aux; > ++ } > ++ if (y1 > y2) { > ++ aux = y1; > ++ y1 = y2; > ++ y2 = aux; > ++ } > ++ if (x1 > image->width - 1) > ++ crop->regionlist[i].x1 = image->width - 1; > ++ else if (x1 > 0) > ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); > + > + if (x2 > image->width - 1) > + crop->regionlist[i].x2 = image->width - 1; > +- else > +- crop->regionlist[i].x2 = (uint32) (x2 - 1); > +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; > +- > +- if (y1 < 1) > +- crop->regionlist[i].y1 = 0; > +- else > +- crop->regionlist[i].y1 = (uint32) (y1 - 1); > ++ else if (x2 > 0) > ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); > ++ > ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; > ++ > ++ if (y1 > image->length - 1) > ++ crop->regionlist[i].y1 = image->length - 1; > ++ else if (y1 > 0) > ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); > + > + if (y2 > image->length - 1) > + crop->regionlist[i].y2 = image->length - 1; > +- else > +- crop->regionlist[i].y2 = (uint32) (y2 - 1); > +- > +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; > ++ else if (y2 > 0) > ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); > + > ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; > + if (zwidth > max_width) > + max_width = zwidth; > + if (zlength > max_length) > +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas > + } > + } > + return (0); > +- } > ++ } /* crop_mode == CROP_REGIONS */ > + > + /* Convert crop margins into offsets into image > + * Margins are expressed as pixel rows and columns, not bytes > +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas > + bmargin = (uint32) 0; > + return (-1); > + } > +- } > ++ } /* crop_mode == CROP_MARGINS */ > + else > + { /* no margins requested */ > + tmargin = (uint32) 0; > +@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas > + off->endx = endx; > + off->endy = endy; > + > +- crop_width = endx - startx + 1; > +- crop_length = endy - starty + 1; > +- > +- if (crop_width <= 0) > ++ if (endx + 1 <= startx) > + { > + TIFFError("computeInputPixelOffsets", > + "Invalid left/right margins and /or image crop width > requested"); > + return (-1); > + } > ++ crop_width = endx - startx + 1; > + if (crop_width > image->width) > + crop_width = image->width; > + > +- if (crop_length <= 0) > ++ if (endy + 1 <= starty) > + { > + TIFFError("computeInputPixelOffsets", > + "Invalid top/bottom margins and /or image crop length > requested"); > + return (-1); > + } > ++ crop_length = endy - starty + 1; > + if (crop_length > image->length) > + crop_length = image->length; > + > +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image, > + else > + crop->selections = crop->zones; > + > +- for (i = 0; i < crop->zones; i++) > ++ /* Initialize regions iterator i */ > ++ i = 0; > ++ for (int j = 0; j < crop->zones; j++) > + { > +- seg = crop->zonelist[i].position; > +- total = crop->zonelist[i].total; > ++ seg = crop->zonelist[j].position; > ++ total = crop->zonelist[j].total; > ++ > ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that > input */ > ++ if (seg == 0 || total == 0 || seg > total) { > ++ continue; > ++ } > + > + switch (crop->edge_ref) > + { > +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image, > + i + 1, (uint32)zwidth, (uint32)zlength, > + crop->regionlist[i].x1, crop->regionlist[i].x2, > + crop->regionlist[i].y1, crop->regionlist[i].y2); > ++ /* increment regions iterator */ > ++ i++; > + } > +- > ++ /* set number of generated regions out of given zones */ > ++ crop->selections = i; > + return (0); > + } /* end getCropOffsets */ > + > +-- > +GitLab > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > index c061d2aaac..93a35230d6 100644 > --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > @@ -26,6 +26,7 @@ SRC_URI = > "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ > file://CVE-2022-0924.patch \ > file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \ > file://CVE-2022-34526.patch \ > + file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \ > " > SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" > SRC_URI[sha256sum] = > "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" > -- > 2.17.1 > > This message contains information that may be privileged or confidential and > is the property of the KPIT Technologies Ltd. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain copy, disseminate, distribute, or > use this message or any part thereof. If you receive this message in error, > please notify the sender immediately and delete all copies of this message. > KPIT Technologies Ltd. does not accept any liability for virus infected mails. > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#170469): https://lists.openembedded.org/g/openembedded-core/message/170469 Mute This Topic: https://lists.openembedded.org/mt/93542683/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
