On Wed Mar 18, 2026 at 2:58 PM CET, Peter Marko wrote: > > >> -----Original Message----- >> From: [email protected] <openembedded- >> [email protected]> On Behalf Of Yoann Congal via >> lists.openembedded.org >> Sent: Wednesday, March 18, 2026 14:42 >> To: [email protected]; [email protected] >> Subject: Re: [OE-core][scarthgap][PATCH 3/3] tiff: ignore CVE-2025-61143, >> CVE- >> 2025-61144 and CVE-2025-61145 >> >> On Sat Mar 7, 2026 at 7:45 AM CET, Ankur Tyagi via lists.openembedded.org >> wrote: >> > From: Ankur Tyagi <[email protected]> >> > >> > These CVEs are for tools which were removed in v4.6.0[1] >> > >> > [1]https://gitlab.com/libtiff/libtiff/- >> /commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45 >> > >> > Details: >> > https://nvd.nist.gov/vuln/detail/CVE-2025-61143 >> >> This CVE: "libtiff up to v4.7.1 was discovered to contain a NULL pointer >> dereference via the component libtiff/tif_open.c." >> >> Despite tools being removed in the commit you mentionned >> libtiff/tif_open.c was not touched and the patch linked by NVD apply to >> files outside of "archive/" were the removed tools are... >> >> Are you sure we can ignore this CVE? >> >> FYI, Peter patched it on kirkstone: >> [OE-core][kirkstone 07/17] tiff: patch CVE-2025-61143 - Yoann Congal >> https://lore.kernel.org/openembedded- >> core/944f481d214bebeaf51769d77fe16cd93cbff351.1773652940.git.yoann.congal >> @smile.fr/ >> >> Regards, > > If I remember correctly, the archived files are not included in release > tarball. > We're not fetching the git repository in our recipe.
Indeed, we don't have tools/tiffcrop.c nor tools/tiffdither.c (the files patched by the NVD linked merge request) in our sources. So the added CVE_STATUS looks correct. Thanks Peter. I will take this with a note for clarification. > > Peter > >> >> > https://nvd.nist.gov/vuln/detail/CVE-2025-61144 >> > https://nvd.nist.gov/vuln/detail/CVE-2025-61145 >> > >> > Signed-off-by: Ankur Tyagi <[email protected]> >> > --- >> > meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 2 +- >> > 1 file changed, 1 insertion(+), 1 deletion(-) >> > >> > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes- >> multimedia/libtiff/tiff_4.6.0.bb >> > index 777783d7cc..07540692fc 100644 >> > --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb >> > +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb >> > @@ -29,7 +29,7 @@ CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested >> with check from https://secur >> > CVE_STATUS[CVE-2023-3164] = "cpe-incorrect: Issue only affects the >> > tiffcrop >> tool not compiled by default since 4.6.0" >> > >> > CVE_STATUS_GROUPS += "CVE_STATUS_REMOVED_TOOLS" >> > -CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE- >> 2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961" >> > +CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE- >> 2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961 CVE-2025-61143 CVE- >> 2025-61144 CVE-2025-61145" >> > CVE_STATUS_REMOVED_TOOLS[status] = "cpe-incorrect: tools affected by >> these CVEs are not present in this release" >> > >> > inherit autotools multilib_header >> >> >> -- >> Yoann Congal >> Smile ECS -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#233406): https://lists.openembedded.org/g/openembedded-core/message/233406 Mute This Topic: https://lists.openembedded.org/mt/118185149/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
