Re: [OE-core] [kirkstone][PATCH 2/3] tiff: fix CVE-2023-52356 CVE-2023-6277
Please fix your Upstream-Status formatting

CVE-2023-52356.patch and all 4 CVE-2023-6277-[1-4].patch trigger:

Please correct according to https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status :
Upstream-Status: Backport
ERROR: tiff-4.3.0-r0 do_patch: Malformed Upstream-Status in patch

as it is in kirkstone-nut

On Thu, Mar 28, 2024 at 8:50 AM Lee Chee Yang wrote:
> > From: Lee Chee Yang > > import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277 > import from > http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz > > Signed-off-by: Lee Chee Yang > --- > .../libtiff/tiff/CVE-2023-52356.patch | 55 ++ > .../libtiff/tiff/CVE-2023-6277-1.patch| 179 ++ > .../libtiff/tiff/CVE-2023-6277-2.patch| 152 +++ > .../libtiff/tiff/CVE-2023-6277-3.patch| 47 + > .../libtiff/tiff/CVE-2023-6277-4.patch| 94 + > meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 5 + > 6 files changed, 532 insertions(+) > create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch > create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch > create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch > create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch > create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch > > diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch > b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch > new file mode 100644 > index 00..6c3c5adc52 > --- /dev/null > +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch 
> @@ -0,0 +1,55 @@ > +CVE: CVE-2023-52356 > +Upstream-Status: Backport > +[ upstream : > https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a > +ubuntu : > http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz > ] > +Signed-off-by: Lee Chee Yang > + > +[Ubuntu note: Backport of the following patch from upstream, with a few > changes > +to match the current version of the file in the present Ubuntu release: > + . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist > yet); > +-- Rodrigo Figueiredo Zaiden] > + > +Backport of: > + > +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 > +From: Even Rouault > +Date: Tue, 31 Oct 2023 15:58:41 +0100 > +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of > + col/row (fixes #622) > + > +--- > + libtiff/tif_getimage.c | 15 +++ > + 1 file changed, 15 insertions(+) > + > + > +--- tiff-4.3.0.orig/libtiff/tif_getimage.c > tiff-4.3.0/libtiff/tif_getimage.c > +@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t > + } > + > + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, > stop_on_error, emsg)) { > ++if (row >= img.height) > ++{ > ++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), > ++ "Invalid row passed to TIFFReadRGBAStrip()."); > ++TIFFRGBAImageEnd(&img); > ++return (0); > ++} > + > + img.row_offset = row; > + img.col_offset = 0; > +@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t > + return( 0 ); > + } > + > ++if (col >= img.width || row >= img.height) > ++{ > ++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), > ++ "Invalid row/col passed to TIFFReadRGBATile()."); > ++TIFFRGBAImageEnd(&img); > ++return (0); > ++} > ++ > + /* > + * The TIFFRGBAImageGet() function doesn't allow us to get off the > + * edge of the image, even to fill an otherwise valid tile. So we 
> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch > b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch > new file mode 100644 > index 00..6882529cfb > --- /dev/null > +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch > @@ -0,0 +1,179 @@ > +CVE: CVE-2023-6277 > +Upstream-Status: Backport > +[ upstream : > https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a > +ubuntu : > http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz > ] > +Signed-off-by: Lee Chee Yang > + > +[Ubuntu note: Backport of the following patch from upstream, with a few > changes > +to match the current version of the file in the present Ubuntu release: > + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist > yet); > + . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter > did not exist yet); > +-- Rodrigo Figueiredo Zaiden] > + > +Backport of: > + > +From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001 > +From: Su Laus > +Date: Tue, 31
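Review bot: In the header of CVE-2023-52356.patch, `Upstream-Status: Backport` stands on a line by itself and the upstream and Ubuntu references follow in a separate bracketed block on the next lines; the header of CVE-2023-6277-1.patch is laid out the same way. The guideline linked in the reply above puts the reference on the status line itself, so I would suggest a single line such as `Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]`, with the Ubuntu tarball URL moved into the free-text part of the header, and a fresh do_patch run of tiff on kirkstone before the series is resent.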
[OE-core] [kirkstone][PATCH 2/3] tiff: fix CVE-2023-52356 CVE-2023-6277
From: Lee Chee Yang import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277 import from http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz Signed-off-by: Lee Chee Yang --- .../libtiff/tiff/CVE-2023-52356.patch | 55 ++ .../libtiff/tiff/CVE-2023-6277-1.patch| 179 ++ .../libtiff/tiff/CVE-2023-6277-2.patch| 152 +++ .../libtiff/tiff/CVE-2023-6277-3.patch| 47 + .../libtiff/tiff/CVE-2023-6277-4.patch| 94 + meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 5 + 6 files changed, 532 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch new file mode 100644 index 00..6c3c5adc52 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch 
@@ -0,0 +1,55 @@ +CVE: CVE-2023-52356 +Upstream-Status: Backport +[ upstream : https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a +ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] +Signed-off-by: Lee Chee Yang + +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 15:58:41 +0100 +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of + col/row (fixes #622) + +--- + libtiff/tif_getimage.c | 15 +++ + 1 file changed, 15 insertions(+) + + +--- tiff-4.3.0.orig/libtiff/tif_getimage.c tiff-4.3.0/libtiff/tif_getimage.c +@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t + } + + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { ++if (row >= img.height) ++{ ++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row passed to TIFFReadRGBAStrip()."); ++TIFFRGBAImageEnd(&img); ++return (0); ++} + + img.row_offset = row; + img.col_offset = 0; +@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t + return( 0 ); + } + ++if (col >= img.width || row >= img.height) ++{ ++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row/col passed to TIFFReadRGBATile()."); ++TIFFRGBAImageEnd(&img); ++return (0); ++} ++ + /* + * The TIFFRGBAImageGet() function doesn't allow us to get off the + * edge of the image, even to fill an otherwise valid tile. So we diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch new file mode 100644 index 00..6882529cfb --- /dev/null 
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch @@ -0,0 +1,179 @@ +CVE: CVE-2023-6277 +Upstream-Status: Backport +[ upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a +ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] +Signed-off-by: Lee Chee Yang + +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); + . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Tue, 31 Oct 2023 15:43:29 + +Subject: [PATCH] Prevent some out-of-memory attacks + +Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size. + +At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks. + +See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857 +--- + libtiff/tif_dirread.c | 92 ++- + 1 file changed, 90 insertions(+
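Review bot: In the TIFFReadRGBATileExt hunk (`@@ -3018,6 +3025,14`) of CVE-2023-52356.patch, the new `col >= img.width || row >= img.height` guard reads `img` and calls `TIFFRGBAImageEnd(&img)`, but the only context shown before it is the tail of an earlier `return( 0 );` block, so the hunk does not show that TIFFRGBAImageBegin() has already succeeded at that point, as it visibly has in the TIFFReadRGBAStripExt hunk. Because this is a backport onto tiff-4.3.0 with shifted line numbers, please state in the patch header that it applies without fuzz and that the guard lands after the TIFFRGBAImageBegin() failure branch, so that `img.width` and `img.height` are initialised when they are compared.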