Hi Steve, I am attaching here with tiff patchset . please let me know if its fine.
________________________________ From: Steve Sakoman <[email protected]> Sent: Friday, September 9, 2022 12:14 AM To: Virendra Kumar Thakur <[email protected]> Cc: [email protected] <[email protected]>; Virendra Kumar Thakur <[email protected]> Subject: Re: [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9 Caution: This email originated from outside of the KPIT. Do not click links or open attachments unless you recognize the sender and know the content is safe. On Wed, Sep 7, 2022 at 7:04 PM Virendra Thakur via lists.openembedded.org <[email protected]> wrote: > > From: Virendra Thakur <[email protected]> > > Add Patch to fix CVE-2022-2867, CVE-2022-2868 > CVE-2022-2869 This fails on the autobuilder: ERROR: tiff-4.1.0-r0 do_patch: Applying patch 'CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch' on target directory '/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/tiff-4.1.0' Command Error: 'quilt --quiltrc /home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch patching file tools/tiffcrop.c Hunk #1 FAILED at 5153. Hunk #2 succeeded at 4782 with fuzz 2 (offset -423 lines). Hunk #4 FAILED at 5332. Hunk #5 succeeded at 5449 with fuzz 2. Hunk #6 succeeded at 5588 with fuzz 2. 2 out of 6 hunks FAILED -- rejects in file tools/tiffcrop.c Patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch does not apply (enforce with -f) Perhaps your mailer is corrupting the patch? This has been an issue lately with other patches from kpit! Steve > > Signed-off-by: Virendra Thakur <[email protected]> > --- > ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++ > meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 + > 2 files changed, 160 insertions(+) > create mode 100644 > meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > > diff --git > a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > > b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > new file mode 100644 > index 0000000000..131ff94119 > --- /dev/null > +++ > b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > @@ -0,0 +1,159 @@ > +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001 > +From: Su Laus <[email protected]> > +Date: Wed, 9 Feb 2022 21:31:29 +0000 > +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by > correcting > + uint32_t underflow. > + > +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 > +Upstream-Status: Backport > [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.com%2Flibtiff%2Flibtiff%2F-%2Fcommit%2F07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C06f4664a51014a38772c08da91ca2d06%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982594827918330%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KeN8brH6XLpD8sQUvDQHUfeG7Ld%2BnFtGl%2Bgr5WCiJX4%3D&reserved=0] > +Signed-off-by: Virendra Thakur <[email protected]> > +--- > +Index: tiff-4.1.0/tools/tiffcrop.c > +=================================================================== > +--- tiff-4.1.0.orig/tools/tiffcrop.c > ++++ tiff-4.1.0/tools/tiffcrop.c > +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas > + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); > + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); > + } > +- if (x1 < 1) > +- crop->regionlist[i].x1 = 0; > +- else > +- crop->regionlist[i].x1 = (uint32) (x1 - 1); > ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 > ++ * b) Corners are expected to be submitted as top-left to > bottom-right. > ++ * Therefore, check that and reorder input. > ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) > ++ */ > ++ uint32_t aux; > ++ if (x1 > x2) { > ++ aux = x1; > ++ x1 = x2; > ++ x2 = aux; > ++ } > ++ if (y1 > y2) { > ++ aux = y1; > ++ y1 = y2; > ++ y2 = aux; > ++ } > ++ if (x1 > image->width - 1) > ++ crop->regionlist[i].x1 = image->width - 1; > ++ else if (x1 > 0) > ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); > + > + if (x2 > image->width - 1) > + crop->regionlist[i].x2 = image->width - 1; > +- else > +- crop->regionlist[i].x2 = (uint32) (x2 - 1); > +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; > +- > +- if (y1 < 1) > +- crop->regionlist[i].y1 = 0; > +- else > +- crop->regionlist[i].y1 = (uint32) (y1 - 1); > ++ else if (x2 > 0) > ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); > ++ > ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; > ++ > ++ if (y1 > image->length - 1) > ++ crop->regionlist[i].y1 = image->length - 1; > ++ else if (y1 > 0) > ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); > + > + if (y2 > image->length - 1) > + crop->regionlist[i].y2 = image->length - 1; > +- else > +- crop->regionlist[i].y2 = (uint32) (y2 - 1); > +- > +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; > ++ else if (y2 > 0) > ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); > + > ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; > + if (zwidth > max_width) > + max_width = zwidth; > + if (zlength > max_length) > +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas > + } > + } > + return (0); > +- } > ++ } /* crop_mode == CROP_REGIONS */ > + > + /* Convert crop margins into offsets into image > + * Margins are expressed as pixel rows and columns, not bytes > +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas > + bmargin = (uint32) 0; > + return (-1); > + } > +- } > ++ } /* crop_mode == CROP_MARGINS */ > + else > + { /* no margins requested */ > + tmargin = (uint32) 0; > +@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas > + off->endx = endx; > + off->endy = endy; > + > +- crop_width = endx - startx + 1; > +- crop_length = endy - starty + 1; > +- > +- if (crop_width <= 0) > ++ if (endx + 1 <= startx) > + { > + TIFFError("computeInputPixelOffsets", > + "Invalid left/right margins and /or image crop width > requested"); > + return (-1); > + } > ++ crop_width = endx - startx + 1; > + if (crop_width > image->width) > + crop_width = image->width; > + > +- if (crop_length <= 0) > ++ if (endy + 1 <= starty) > + { > + TIFFError("computeInputPixelOffsets", > + "Invalid top/bottom margins and /or image crop length > requested"); > + return (-1); > + } > ++ crop_length = endy - starty + 1; > + if (crop_length > image->length) > + crop_length = image->length; > + > +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image, > + else > + crop->selections = crop->zones; > + > +- for (i = 0; i < crop->zones; i++) > ++ /* Initialize regions iterator i */ > ++ i = 0; > ++ for (int j = 0; j < crop->zones; j++) > + { > +- seg = crop->zonelist[i].position; > +- total = crop->zonelist[i].total; > ++ seg = crop->zonelist[j].position; > ++ total = crop->zonelist[j].total; > ++ > ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that > input */ > ++ if (seg == 0 || total == 0 || seg > total) { > ++ continue; > ++ } > + > + switch (crop->edge_ref) > + { > +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image, > + i + 1, (uint32)zwidth, (uint32)zlength, > + crop->regionlist[i].x1, crop->regionlist[i].x2, > + crop->regionlist[i].y1, crop->regionlist[i].y2); > ++ /* increment regions iterator */ > ++ i++; > + } > +- > ++ /* set number of generated regions out of given zones */ > ++ crop->selections = i; > + return (0); > + } /* end getCropOffsets */ > + > +-- > +GitLab > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > index c061d2aaac..93a35230d6 100644 > --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > @@ -26,6 +26,7 @@ SRC_URI = > "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdownload.osgeo.org%2Flibtiff%2Ftiff-%24&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C06f4664a51014a38772c08da91ca2d06%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982594827918330%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Cfstd%2BIU%2FQTf5%2F3xbc03woC9PK4yLt9vzYyvgG5%2FVdg%3D&reserved=0{PV}.tar.gz > \ > file://CVE-2022-0924.patch \ > file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \ > file://CVE-2022-34526.patch \ > + file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \ > " > SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" > SRC_URI[sha256sum] = > "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" > -- > 2.17.1 > > This message contains information that may be privileged or confidential and > is the property of the KPIT Technologies Ltd. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain copy, disseminate, distribute, or > use this message or any part thereof. If you receive this message in error, > please notify the sender immediately and delete all copies of this message. > KPIT Technologies Ltd. does not accept any liability for virus infected mails. > > > This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
From b9285aa99e1d5b948b738a79516bcee9fb2faca7 Mon Sep 17 00:00:00 2001 From: Virendra Thakur <[email protected]> Date: Mon, 5 Sep 2022 15:11:11 +0530 Subject: [PATCH] tiff: Fix for CVE-2022-2867/8/9 Add Patch to fix CVE-2022-2867, CVE-2022-2868 CVE-2022-2869 Change-Id: I01279c4896d36535c14776c5dcb213869df101ca Signed-off-by: Virendra Thakur <[email protected]> --- ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 + 2 files changed, 160 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch new file mode 100644 index 0000000000..131ff94119 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch @@ -0,0 +1,159 @@ +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001 +From: Su Laus <[email protected]> +Date: Wed, 9 Feb 2022 21:31:29 +0000 +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting + uint32_t underflow. + +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c] +Signed-off-by: Virendra Thakur <[email protected]> +--- +Index: tiff-4.1.0/tools/tiffcrop.c +=================================================================== +--- tiff-4.1.0.orig/tools/tiffcrop.c ++++ tiff-4.1.0/tools/tiffcrop.c +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } +- if (x1 < 1) +- crop->regionlist[i].x1 = 0; +- else +- crop->regionlist[i].x1 = (uint32) (x1 - 1); ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 ++ * b) Corners are expected to be submitted as top-left to bottom-right. ++ * Therefore, check that and reorder input. ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) ++ */ ++ uint32_t aux; ++ if (x1 > x2) { ++ aux = x1; ++ x1 = x2; ++ x2 = aux; ++ } ++ if (y1 > y2) { ++ aux = y1; ++ y1 = y2; ++ y2 = aux; ++ } ++ if (x1 > image->width - 1) ++ crop->regionlist[i].x1 = image->width - 1; ++ else if (x1 > 0) ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); + + if (x2 > image->width - 1) + crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = (uint32) (x2 - 1); +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; +- +- if (y1 < 1) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = (uint32) (y1 - 1); ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); ++ ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ ++ if (y1 > image->length - 1) ++ crop->regionlist[i].y1 = image->length - 1; ++ else if (y1 > 0) ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); + + if (y2 > image->length - 1) + crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = (uint32) (y2 - 1); +- +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ else if (y2 > 0) ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); + ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + if (zwidth > max_width) + max_width = zwidth; + if (zlength > max_length) +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas + } + } + return (0); +- } ++ } /* crop_mode == CROP_REGIONS */ + + /* Convert crop margins into offsets into image + * Margins are expressed as pixel rows and columns, not bytes +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas + bmargin = (uint32) 0; + return (-1); + } +- } ++ } /* crop_mode == CROP_MARGINS */ + else + { /* no margins requested */ + tmargin = (uint32) 0; +@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas + off->endx = endx; + off->endy = endy; + +- crop_width = endx - startx + 1; +- crop_length = endy - starty + 1; +- +- if (crop_width <= 0) ++ if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); + return (-1); + } ++ crop_width = endx - startx + 1; + if (crop_width > image->width) + crop_width = image->width; + +- if (crop_length <= 0) ++ if (endy + 1 <= starty) + { + TIFFError("computeInputPixelOffsets", + "Invalid top/bottom margins and /or image crop length requested"); + return (-1); + } ++ crop_length = endy - starty + 1; + if (crop_length > image->length) + crop_length = image->length; + +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image, + else + crop->selections = crop->zones; + +- for (i = 0; i < crop->zones; i++) ++ /* Initialize regions iterator i */ ++ i = 0; ++ for (int j = 0; j < crop->zones; j++) + { +- seg = crop->zonelist[i].position; +- total = crop->zonelist[i].total; ++ seg = crop->zonelist[j].position; ++ total = crop->zonelist[j].total; ++ ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ ++ if (seg == 0 || total == 0 || seg > total) { ++ continue; ++ } + + switch (crop->edge_ref) + { +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image, + i + 1, (uint32)zwidth, (uint32)zlength, + crop->regionlist[i].x1, crop->regionlist[i].x2, + crop->regionlist[i].y1, crop->regionlist[i].y2); ++ /* increment regions iterator */ ++ i++; + } +- ++ /* set number of generated regions out of given zones */ ++ crop->selections = i; + return (0); + } /* end getCropOffsets */ + +-- +GitLab diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index c061d2aaac..93a35230d6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb @@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2022-0924.patch \ file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \ file://CVE-2022-34526.patch \ + file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" -- 2.17.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#170477): https://lists.openembedded.org/g/openembedded-core/message/170477 Mute This Topic: https://lists.openembedded.org/mt/93542683/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
