From: Peter Marko <[email protected]> Pick patch per [1].
[1] https://security-tracker.debian.org/tracker/CVE-2026-4775 Signed-off-by: Peter Marko <[email protected]> --- .../libtiff/tiff/CVE-2026-4775.patch | 55 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.7.1.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch new file mode 100644 index 0000000000..1f3c026b28 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch @@ -0,0 +1,55 @@ +From 782a11d6b5b61c6dc21e714950a4af5bf89f023c Mon Sep 17 00:00:00 2001 +From: Even Rouault <[email protected]> +Date: Sun, 22 Feb 2026 23:32:47 +0100 +Subject: [PATCH] TIFFReadRGBAImage(): prevent integer overflow and later heap + overflow on images with huge width in YCbCr tile decoding functions + +Fixes https://gitlab.com/libtiff/libtiff/-/issues/787 + +CVE: CVE-2026-4775 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c] +Signed-off-by: Peter Marko <[email protected]> +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 4543ddda..fa82d091 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -2216,7 +2216,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + uint32_t *cp1 = cp + w + toskew; + uint32_t *cp2 = cp1 + w + toskew; + uint32_t *cp3 = cp2 + w + toskew; +- int32_t incr = 3 * w + 4 * toskew; ++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew; + + (void)y; + /* adjust fromskew */ +@@ -2356,7 +2356,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + DECLAREContigPutFunc(putcontig8bitYCbCr42tile) + { + uint32_t *cp1 = cp + w + toskew; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + + (void)y; + fromskew = (fromskew / 4) * (4 * 2 + 2); +@@ -2512,7 +2512,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + DECLAREContigPutFunc(putcontig8bitYCbCr22tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 2) * (2 * 2 + 2); + cp2 = cp + w + toskew; +@@ -2615,7 +2615,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + DECLAREContigPutFunc(putcontig8bitYCbCr12tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 1) * (1 * 2 + 2); + cp2 = cp + w + toskew; diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.1.bb index 0d4b3a4abd..750565e11c 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.7.1.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.7.1.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=4ab490c3088a0acff254eb2f8c577547" CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ + file://CVE-2026-4775.patch \ " SRC_URI[sha256sum] = "f698d94f3103da8ca7438d84e0344e453fe0ba3b7486e04c5bf7a9a3fabe9b69"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#236453): https://lists.openembedded.org/g/openembedded-core/message/236453 Mute This Topic: https://lists.openembedded.org/mt/119149831/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
