On 2022-10-19 15:32, Qiu, Zheng wrote:
kirkstone now has tiff version 4.3.0.
As described in https://nvd.nist.gov/vuln/detail/CVE-2022-2953, this issue is reported here: https://gitlab.com/libtiff/libtiff/-/issues/414
Tested with the libtiff source code on version 4.3.0 by using "/libtiff$ git checkout v3.3.0" and following the steps listed in the bug report; cannot reproduce the bug.
Using "/libtiff$ git checkout b51bb157", I am able to reproduce the problem following the steps listed above. That confirms the issue occurred after v3.3.0, and the commit that brings the bug is not on kirkstone, which means the issue/fix is not applicable for kirkstone.
Hold on...
We also checked, because I'm paranoid, by doing:
$ cd .../poky-contrib.git
$ git checkout stable/kirkstone-nut
$ git pull
$ cd ...
$ . ../poky-contrib.git/tiff-patches
$ bitbake -c patch tiff
$ mkdir cp-tiff-patch-by-bb-kirkstone-nut
$ cp -a tmp/work/core2-64-poky-linux/tiff/4.3.0-r0 cp-tiff-patch-by-bb-kirkstone-nut/
$ cd cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0
$ ./autogen.sh
$ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
$ make -j; make install; make clean
$ wget https://gitlab.com/libtiff/libtiff/uploads/54e5139c4d9d6b740f537c691aad2b03/poc
$ ./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -S 2:2 -i poc /tmp/foo
and a very similar issue still occurs.
See log below. We'll investigate more and send a patch as needed.
We will enable the address sanitizer and check if the issue is reproducible in qemux86-64.
../Randy
...
loadImage: Image lacks Photometric interpretation tag.
TIFFFillStrip: Read error on strip 0; got 672 bytes, expected 1142418.
=================================================================
==269609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd1864ff695 at pc 0x55de6ca63f9a bp 0x7ffe727049a0 sp 0x7ffe72704990
READ of size 1 at 0x7fd1864ff695 thread T0
    #0 0x55de6ca63f99 in extractImageSection /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897
    #1 0x55de6ca6515a in writeImageSections /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:7085
    #2 0x55de6ca4abe9 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2453
    #3 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7fd189b39e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #5 0x55de6ca413a4 in _start (/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/build_asan/bin/tiffcrop+0x2a3a4)

0x7fd1864ff695 is located 0 bytes to the right of 1142421-byte region [0x7fd1863e8800,0x7fd1864ff695)
allocated by thread T0 here:
    #0 0x7fd18a0a1867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55de6cadcd83 in _TIFFmalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/libtiff/tif_unix.c:314
    #2 0x55de6ca41543 in limitMalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:627
    #3 0x55de6ca61299 in loadImage /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6212
    #4 0x55de6ca4a4a1 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2376
    #5 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897 in extractImageSection
==269609==ABORTING
Zheng Qiu
Linux Developer
_______________
Wind River
M/ (437) 341-1849
-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Teoh, Jay Shen
Sent: Thursday, September 29, 2022 4:33 AM
To: [email protected]
Subject: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953
From: Teoh Jay Shen <[email protected]>
Link for the patch: https://gitlab.com/libtiff/libtiff/-/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3
Signed-off-by: Teoh Jay Shen <[email protected]>
---
.../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 +
2 files changed, 87 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
new file mode 100644
index 0000000000..2122b46566
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2022-2953
+Upstream-Status: Backport
+Signed-off-by: Teoh Jay Shen <[email protected]>
+
+From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00
2001
+From: Su_Laus <[email protected]>
+Date: Mon, 15 Aug 2022 22:11:03 +0200
+Subject: [PATCH]
+=?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
+
+=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20
+ti?=
+=?UTF-8?q?ffcrop=20option=20=E2=80=9E-
S=E2=80=9C=20is=20also=20mutually
+?=
+=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-
Y),=2
+0-?=
+ =?UTF-8?q?Z=20and=20-z.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is now checked and ends tiffcrop if those arguments are not mutually
exclusive.
+
+This MR will fix the following tiffcrop issues: #349, #414, #422, #423,
+#424
+---
+ tools/tiffcrop.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index
+90286a5e..c3b758ec 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
+ #define ROTATECW_270 32
+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
+
+-#define CROP_NONE 0
+-#define CROP_MARGINS 1
+-#define CROP_WIDTH 2
+-#define CROP_LENGTH 4
+-#define CROP_ZONES 8
+-#define CROP_REGIONS 16
++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page-
rows/->cols != 0 */
++#define CROP_MARGINS 1 /* "-m" */
++#define CROP_WIDTH 2 /* "-X" */
++#define CROP_LENGTH 4 /* "-Y" */
++#define CROP_ZONES 8 /* "-Z" */
++#define CROP_REGIONS 16 /* "-z" */
+ #define CROP_ROTATE 32
+ #define CROP_MIRROR 64
+ #define CROP_INVERT 128
+@@ -316,7 +316,7 @@ struct crop_mask {
+ #define PAGE_MODE_RESOLUTION 1
+ #define PAGE_MODE_PAPERSIZE 2
+ #define PAGE_MODE_MARGINS 4
+-#define PAGE_MODE_ROWSCOLS 8
++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
+
+ #define INVERT_DATA_ONLY 10
+ #define INVERT_DATA_AND_TAG 11
+@@ -781,7 +781,7 @@ static const char usage_info[] =
+ " The four debug/dump options are independent, though it makes
little sense to\n"
+ " specify a dump file without specifying a detail level.\n"
+ "\n"
+-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+ " In no case should the options be applied to a given selection
successively.\n"
+ "\n"
+ ;
+@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char
*argv[], char *mp, char *mode, uint32
+ /*NOTREACHED*/
+ }
+ }
+- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are
mutually exclusive) --*/
+- char XY, Z, R;
++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are
mutually exclusive) --*/
++ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data-
crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
+- if ((XY && Z) || (XY && R) || (Z && R)) {
+- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z
are
mutually exclusive.->Exit");
++ S = (page->mode & PAGE_MODE_ROWSCOLS);
++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R &&
S))
{
++ TIFFError("tiffcrop input error", "The crop options(-X|-Y),
++ -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
+ } /* end process_command_opts */
+--
+2.34.1
+
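Review bot: the upstream commit embedded in the patch header does not match the one the cover letter cites. The header reads `From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf`, while the "Link for the patch" above points at 48d6ece8389b01129e7d357f0985c8f938ce3da3; say in the header which upstream commit this backports (and whether it was adapted for 4.4.0) so the provenance can be checked against Upstream-Status: Backport. The RFC 2047 encoded Subject (`=?UTF-8?q?According=20to=20Richard=20Nolde...`) should also be decoded to plain text before it lands in the tree, so the patch description and the list of issues it claims to fix (#349, #414, #422, #423, #424) are readable by git and by reviewers.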
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-
multimedia/libtiff/tiff_4.4.0.bb
index e30df0b3e9..caf6f60479 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
file://CVE-2022-34526.patch \
+ file://CVE-2022-2953.patch \
"
SRC_URI[sha256sum] =
"917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed
"
--
2.37.3
--
# Randy MacLeod
# Wind River Linux
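Triaging the AddressSanitizer report quoted above by machine, as an added example that is not part of this thread or of libtiff: it reduces the report to the bug class, the faulting access and frame, and the allocation site, and derives a stable signature for comparing reproductions across branches such as kirkstone and master. The embedded report is an abridged copy of the one above, with the build-tree paths shortened and the shadow-byte dump omitted.

```python
import re

# Abridged copy of the AddressSanitizer report quoted above (paths shortened, shadow-byte dump omitted).
ASAN_REPORT = """\
==269609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd1864ff695 at pc 0x55de6ca63f9a
READ of size 1 at 0x7fd1864ff695 thread T0
    #0 0x55de6ca63f99 in extractImageSection tools/tiffcrop.c:6897
0x7fd1864ff695 is located 0 bytes to the right of 1142421-byte region [0x7fd1863e8800,0x7fd1864ff695)
allocated by thread T0 here:
    #0 0x7fd18a0a1867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55de6cadcd83 in _TIFFmalloc libtiff/tif_unix.c:314
    #2 0x55de6ca41543 in limitMalloc tools/tiffcrop.c:627
    #3 0x55de6ca61299 in loadImage tools/tiffcrop.c:6212
SUMMARY: AddressSanitizer: heap-buffer-overflow tools/tiffcrop.c:6897 in extractImageSection
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at")
REGION_RE = re.compile(r"is located (\d+) bytes (to the right of|to the left of|inside of) (\d+)-byte region")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+):(\d+)$")

def triage_asan(report):
    # Reduce an ASan report to the fields worth comparing between two reproductions.
    t = {"bug": None, "access": None, "size": None, "region_bytes": None, "offset": None,
         "relation": None, "fault_frames": [], "alloc_frames": []}
    section = None  # "fault" inside the access stack, "alloc" inside the allocation stack
    for line in report.splitlines():
        line = line.strip()
        if m := ERROR_RE.search(line):
            t["bug"] = m.group(1)
        elif m := ACCESS_RE.match(line):
            t["access"], t["size"] = m.group(1), int(m.group(2))
            section = "fault"
        elif m := REGION_RE.search(line):
            t["offset"], t["relation"], t["region_bytes"] = int(m.group(1)), m.group(2), int(m.group(3))
        elif line.startswith("allocated by"):
            section = "alloc"
        elif m := FRAME_RE.search(line):
            frame = (m.group(1), m.group(2), int(m.group(3)))
            t["fault_frames" if section == "fault" else "alloc_frames"].append(frame)
    return t

def first_app_frame(frames):
    # Skip sanitizer interceptor frames: the first remaining frame is where the program itself acted.
    return next((f for f in frames if "libsanitizer" not in f[1]), None)

def signature(report):
    # Stable key for deduplicating crashes: bug class, access kind, faulting source location.
    t = triage_asan(report)
    func, path, lineno = first_app_frame(t["fault_frames"])
    return f'{t["bug"]}:{t["access"]}:{path}:{lineno}:{func}'
```

An offset of 0 "to the right of" the region, as here, is the classic one-past-the-end read, which is why two reports with different addresses and pids can still share one signature.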
View/Reply Online (#171983):
https://lists.openembedded.org/g/openembedded-core/message/171983