From: Vijay Anusuri <vanus...@mvista.com> Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
Reference: https://security-tracker.debian.org/tracker/CVE-2023-41175 Signed-off-by: Vijay Anusuri <vanus...@mvista.com> --- .../libtiff/files/CVE-2023-41175.patch | 67 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch new file mode 100644 index 0000000000..3f44a42012 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch @@ -0,0 +1,67 @@ +From 4cc97e3dfa6559f4d17af0d0687bcae07ca4b73d Mon Sep 17 00:00:00 2001 +From: Arie Haenel <arie.hae...@jct.ac.il> +Date: Wed, 19 Jul 2023 19:40:01 +0000 +Subject: raw2tiff: fix integer overflow and bypass of the check (fixes #592) + +Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] +CVE: CVE-2023-41175 +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> +--- + tools/raw2tiff.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c +index ab36ff4e..a905da52 100644 +--- a/tools/raw2tiff.c ++++ b/tools/raw2tiff.c +@@ -35,6 +35,7 @@ + #include <sys/types.h> + #include <math.h> + #include <ctype.h> ++#include <limits.h> + + #ifdef HAVE_UNISTD_H + # include <unistd.h> +@@ -101,6 +102,7 @@ main(int argc, char* argv[]) + int fd; + char *outfilename = NULL; + TIFF *out; ++ uint32 temp_limit_check = 0; + + uint32 row, col, band; + int c; +@@ -212,6 +214,30 @@ main(int argc, char* argv[]) + if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) + return 1; + ++ if ((width == 0) || (length == 0) ){ ++ fprintf(stderr, "Too large nbands value specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ ++ temp_limit_check = nbands * depth; ++ ++ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) { ++ fprintf(stderr, "Too large length size specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ temp_limit_check = temp_limit_check * length; ++ ++ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) { ++ fprintf(stderr, "Too large width size specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ temp_limit_check = temp_limit_check * width; ++ ++ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) { ++ fprintf(stderr, "Too large header size specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ + if (outfilename == NULL) + outfilename = argv[optind+1]; + out = TIFFOpen(outfilename, "w"); +-- +2.30.2 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 31e7db19aa..2697a28463 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb @@ -46,6 +46,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-3576.patch \ file://CVE-2023-3618.patch \ file://CVE-2023-40745.patch \ + file://CVE-2023-41175.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#190402): https://lists.openembedded.org/g/openembedded-core/message/190402 Mute This Topic: https://lists.openembedded.org/mt/102503619/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
