Re: [OE-core] [kirkstone][PATCH 2/3] tiff: fix CVE-2023-52356 CVE-2023-6277

2024-03-30 Thread Martin Jansa
Please fix your Upstream-Status formatting

CVE-2023-52356.patch and all 4 CVE-2023-6277-[1-4].patch trigger:
Please correct according to
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status
:
Upstream-Status: Backport
ERROR: tiff-4.3.0-r0 do_patch: Malformed Upstream-Status in patch

as it is in kirkstone-nut

On Thu, Mar 28, 2024 at 8:50 AM Lee Chee Yang wrote:
>
> From: Lee Chee Yang 
>
> import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277
> import from
> http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
>
> Signed-off-by: Lee Chee Yang 
> ---
>  .../libtiff/tiff/CVE-2023-52356.patch |  55 ++
>  .../libtiff/tiff/CVE-2023-6277-1.patch| 179 ++
>  .../libtiff/tiff/CVE-2023-6277-2.patch| 152 +++
>  .../libtiff/tiff/CVE-2023-6277-3.patch|  47 +
>  .../libtiff/tiff/CVE-2023-6277-4.patch|  94 +
>  meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   5 +
>  6 files changed, 532 insertions(+)
>  create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
>  create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
>  create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
>  create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
>  create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch 
> b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
> new file mode 100644
> index 00..6c3c5adc52
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
> @@ -0,0 +1,55 @@
> +CVE: CVE-2023-52356
> +Upstream-Status: Backport
> +[ upstream : 
> https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
> +ubuntu : 
> http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
>  ]
> +Signed-off-by: Lee Chee Yang 
> +
> +[Ubuntu note: Backport of the following patch from upstream, with a few 
> changes
> +to match the current version of the file in the present Ubuntu release:
> + . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist 
> yet);
> +-- Rodrigo Figueiredo Zaiden]
> +
> +Backport of:
> +
> +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
> +From: Even Rouault 
> +Date: Tue, 31 Oct 2023 15:58:41 +0100
> +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
> + col/row (fixes #622)
> +
> +---
> + libtiff/tif_getimage.c | 15 +++
> + 1 file changed, 15 insertions(+)
> +
> +
> +--- tiff-4.3.0.orig/libtiff/tif_getimage.c
>  tiff-4.3.0/libtiff/tif_getimage.c
> +@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t
> + }
> +
> + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, 
> stop_on_error, emsg)) {
> ++if (row >= img.height)
> ++{
> ++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
> ++  "Invalid row passed to TIFFReadRGBAStrip().");
> ++TIFFRGBAImageEnd(&img);
> ++return (0);
> ++}
> +
> + img.row_offset = row;
> + img.col_offset = 0;
> +@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t
> +   return( 0 );
> + }
> +
> ++if (col >= img.width || row >= img.height)
> ++{
> ++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
> ++  "Invalid row/col passed to TIFFReadRGBATile().");
> ++TIFFRGBAImageEnd(&img);
> ++return (0);
> ++}
> ++
> + /*
> +  * The TIFFRGBAImageGet() function doesn't allow us to get off the
> +  * edge of the image, even to fill an otherwise valid tile.  So we
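
Review bot: The Upstream-Status tag at the top of this patch header has `Backport` alone on its line, with the bracketed upstream/ubuntu references starting on the next line and spread over several more; that is the layout the reply above reports do_patch rejecting as "Malformed Upstream-Status in patch". Keep the tag on a single line in the form the linked guideline gives, for example `Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]`, and move the Ubuntu tarball URL into the free-text description below it. The header of CVE-2023-6277-1.patch that follows uses the same layout and needs the same change.
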
> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch 
> b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
> new file mode 100644
> index 00..6882529cfb
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
> @@ -0,0 +1,179 @@
> +CVE: CVE-2023-6277
> +Upstream-Status: Backport
> +[ upstream : 
> https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
> +ubuntu : 
> http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
>  ]
> +Signed-off-by: Lee Chee Yang 
> +
> +[Ubuntu note: Backport of the following patch from upstream, with a few 
> changes
> +to match the current version of the file in the present Ubuntu release:
> + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist 
> yet);
> + . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter 
> did not exist yet);
> +-- Rodrigo Figueiredo Zaiden]
> +
> +Backport of:
> +
> +From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
> +From: Su Laus 
> +Date: Tue, 31 

[OE-core] [kirkstone][PATCH 2/3] tiff: fix CVE-2023-52356 CVE-2023-6277

2024-03-28 Thread Lee Chee Yang
From: Lee Chee Yang 

import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277
import from
http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz

Signed-off-by: Lee Chee Yang 
---
 .../libtiff/tiff/CVE-2023-52356.patch |  55 ++
 .../libtiff/tiff/CVE-2023-6277-1.patch| 179 ++
 .../libtiff/tiff/CVE-2023-6277-2.patch| 152 +++
 .../libtiff/tiff/CVE-2023-6277-3.patch|  47 +
 .../libtiff/tiff/CVE-2023-6277-4.patch|  94 +
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   5 +
 6 files changed, 532 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
new file mode 100644
index 00..6c3c5adc52
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
@@ -0,0 +1,55 @@
+CVE: CVE-2023-52356
+Upstream-Status: Backport 
+[ upstream : 
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
 
+ubuntu : 
http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
 ]
+Signed-off-by: Lee Chee Yang 
+
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Tue, 31 Oct 2023 15:58:41 +0100
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+---
+ libtiff/tif_getimage.c | 15 +++
+ 1 file changed, 15 insertions(+)
+
+
+--- tiff-4.3.0.orig/libtiff/tif_getimage.c
 tiff-4.3.0/libtiff/tif_getimage.c
+@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t
+ }
+ 
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, 
stop_on_error, emsg)) {
++if (row >= img.height)
++{
++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++  "Invalid row passed to TIFFReadRGBAStrip().");
++TIFFRGBAImageEnd(&img);
++return (0);
++}
+ 
+ img.row_offset = row;
+ img.col_offset = 0;
+@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t
+   return( 0 );
+ }
+ 
++if (col >= img.width || row >= img.height)
++{
++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++  "Invalid row/col passed to TIFFReadRGBATile().");
++TIFFRGBAImageEnd(&img);
++return (0);
++}
++
+ /*
+  * The TIFFRGBAImageGet() function doesn't allow us to get off the
+  * edge of the image, even to fill an otherwise valid tile.  So we
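
Review bot: Missing description in the header of CVE-2023-52356.patch: it documents the Ubuntu deviation (TIFFErrorExt in place of TIFFErrorExtR) but never says what the added checks protect against. The only explanation is the upstream subject "add more validation of col/row (fixes #622)", and the outer commit message is just "import patch from ubuntu". Both hunks reject out-of-range arguments (`row >= img.height` in TIFFReadRGBAStripExt, placed before `img.row_offset = row`, and `col >= img.width || row >= img.height` in TIFFReadRGBATileExt) and call TIFFRGBAImageEnd before returning 0. Add a sentence to the header saying so, plus the consequence the CVE describes, so that a stable-branch reviewer can judge the backport without opening issue #622.
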
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
new file mode 100644
index 00..6882529cfb
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
@@ -0,0 +1,179 @@
+CVE: CVE-2023-6277
+Upstream-Status: Backport 
+[ upstream : 
https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
 
+ubuntu : 
http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
 ]
+Signed-off-by: Lee Chee Yang 
+
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist 
yet);
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did 
not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus 
+Date: Tue, 31 Oct 2023 15:43:29 +
+Subject: [PATCH] Prevent some out-of-memory attacks
+
+Some small fuzzer files fake large amounts of data and provoke out-of-memory 
situations. For non-compressed data content / tags, out-of-memory can be 
prevented by comparing with the file size.
+
+At image reading, data size of some tags / data structures (StripByteCounts, 
StripOffsets, StripArray, TIFF directory) is compared with file size to prevent 
provoked out-of-memory attacks.
+
+See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
+---
+ libtiff/tif_dirread.c | 92 ++-
+ 1 file changed, 90 insertions(+