[dunfell,03/17] tiff: Security fix for CVE-2023-40745

Message ID	d282b85cf69ecfbce12224428c713cd0dc639ced.1700018112.git.steve@sakoman.com
State	Accepted, archived
Commit	d282b85cf69ecfbce12224428c713cd0dc639ced
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.175, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 03/17] tiff: Security fix for CVE-2023-40745 Date: Tue, 14 Nov 2023 17:17:20 -1000 Message-Id: <d282b85cf69ecfbce12224428c713cd0dc639ced.1700018112.git.steve@sakoman.com> In-Reply-To: <cover.1700018112.git.steve@sakoman.com> References: <cover.1700018112.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,01/17] kexec-tools: Ignore Fedora/RedHat specific CVE-2021-20269 \| expand [dunfell,01/17] kexec-tools: Ignore Fedora/RedHat specific CVE-2021-20269 [dunfell,02/17] tiff: CVE patch correction for CVE-2023-3576 [dunfell,03/17] tiff: Security fix for CVE-2023-40745 [dunfell,04/17] tiff: backport Debian patch to fix CVE-2023-41175 [dunfell,05/17] glibc: ignore CVE-2023-4527 [dunfell,06/17] libwebp: Fix CVE-2023-4863 [dunfell,07/17] zlib: Backport fix for CVE-2023-45853 [dunfell,08/17] Revert "qemu: Backport fix for CVE-2023-0330" [dunfell,09/17] xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380 [dunfell,10/17] cve-check: sort the package list in the JSON report [dunfell,11/17] cve-check: slightly more verbose warning when adding the same package twice [dunfell,12/17] cve-check: don't warn if a patch is remote [dunfell,13/17] assimp: Explicitly use nobranch=1 in SRC_URI [dunfell,14/17] resolvconf: Fix fetch error [dunfell,15/17] lz4: use CFLAGS from bitbake [dunfell,16/17] lz4: Update sstate/equiv versions to clean cache [dunfell,17/17] selftest: skip virgl test on all fedora

Message ID

d282b85cf69ecfbce12224428c713cd0dc639ced.1700018112.git.steve@sakoman.com

State

Accepted, archived

Commit

d282b85cf69ecfbce12224428c713cd0dc639ced

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 03/17] tiff: Security fix for CVE-2023-40745
Date: Tue, 14 Nov 2023 17:17:20 -1000
Message-Id: 
 <d282b85cf69ecfbce12224428c713cd0dc639ced.1700018112.git.steve@sakoman.com>
In-Reply-To: <cover.1700018112.git.steve@sakoman.com>
References: <cover.1700018112.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,01/17] kexec-tools: Ignore Fedora/RedHat specific CVE-2021-20269 | expand

Commit Message

Steve Sakoman Nov. 15, 2023, 3:17 a.m. UTC

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libtiff/files/CVE-2023-40745.patch        | 34 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
new file mode 100644
index 0000000000..6eb286039f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
@@ -0,0 +1,34 @@ 
+From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Wed, 19 Jul 2023 19:34:25 +0000
+Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
+ (fixes #591)
+
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5]
+CVE: CVE-2023-40745
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 83b3910..007bd05 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1437,6 +1437,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ 		return 0;
+ 	}
++
++	if ( (imagew - tilew * spp) > INT_MAX ){
++        TIFFError(TIFFFileName(in),
++                  "Error, image raster scan line size is too large");
++        return 0;
++	}
++
+ 	iskew = imagew - tilew*spp;
+ 	tilebuf = _TIFFmalloc(tilesize);
+ 	if (tilebuf == 0)
+-- 
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index d27381b4cd..31e7db19aa 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -45,6 +45,7 @@  SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-3316.patch \
            file://CVE-2023-3576.patch \
            file://CVE-2023-3618.patch \
+           file://CVE-2023-40745.patch \
           "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"

[dunfell,03/17] tiff: Security fix for CVE-2023-40745

Commit Message

Patch