tiff: fix CVE 2023-52356

Message ID 20240206163027.2727885-1-simone.p.weiss@posteo.com
State Superseded, archived

Commit Message

Simone Weiß Feb. 6, 2024, 4:30 p.m. UTC
From: Simone Weiß <simone.p.weiss@posteo.com>

fix CVE 2023-52356
A segment fault (SEGV) flaw was found in libtiff that could be triggered
by passing a crafted tiff file to the TIFFReadRGBATileExt() API.
This flaw allows a remote attacker to cause a heap-buffer overflow, leading
to a denial of service.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52356
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
---
 .../libtiff/tiff/CVE-2023-52356.patch         | 50 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.6.0.bb |  3 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch

Comments

Yoann Congal Feb. 6, 2024, 4:47 p.m. UTC | #1
Hi,

On 06/02/2024 at 17:30, simone.p.weiss@posteo.com wrote:
> From: Simone Weiß <simone.p.weiss@posteo.com>
> 
> fix CVE 2023-52356
> A segment fault (SEGV) flaw was found in libtiff that could be triggered
> by passing a crafted tiff file to the TIFFReadRGBATileExt() API.
> This flaw allows a remote attacker to cause a heap-buffer overflow, leading
> to a denial of service.
> 
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-52356
> https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
> 
> Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> ---
>  .../libtiff/tiff/CVE-2023-52356.patch         | 50 +++++++++++++++++++
>  meta/recipes-multimedia/libtiff/tiff_4.6.0.bb |  3 +-
>  2 files changed, 52 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch

Thanks Simone!

Reviewed-by: Yoann Congal <yoann.congal@smile.fr>

> 
> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
> new file mode 100644
> index 0000000000..9a6d9a39d9
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
> @@ -0,0 +1,50 @@
> +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
> +From: Even Rouault <even.rouault@spatialys.com>
> +Date: Tue, 31 Oct 2023 15:58:41 +0100
> +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
> + col/row (fixes #622)
> +
> +CVE: CVE-2023-52356
> +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
> +
> +Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> +
> +---
> + libtiff/tif_getimage.c | 15 +++++++++++++++
> + 1 file changed, 15 insertions(+)
> +
> +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
> +index 41f7dfd77..6fee35db2 100644
> +--- a/libtiff/tif_getimage.c
> ++++ b/libtiff/tif_getimage.c
> +@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
> +     if (TIFFRGBAImageOK(tif, emsg) &&
> +         TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
> +     {
> ++        if (row >= img.height)
> ++        {
> ++            TIFFErrorExtR(tif, TIFFFileName(tif),
> ++                          "Invalid row passed to TIFFReadRGBAStrip().");
> ++            TIFFRGBAImageEnd(&img);
> ++            return (0);
> ++        }
> + 
> +         img.row_offset = row;
> +         img.col_offset = 0;
> +@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
> +         return (0);
> +     }
> + 
> ++    if (col >= img.width || row >= img.height)
> ++    {
> ++        TIFFErrorExtR(tif, TIFFFileName(tif),
> ++                      "Invalid row/col passed to TIFFReadRGBATile().");
> ++        TIFFRGBAImageEnd(&img);
> ++        return (0);
> ++    }
> ++
> +     /*
> +      * The TIFFRGBAImageGet() function doesn't allow us to get off the
> +      * edge of the image, even to fill an otherwise valid tile.  So we
> +--
> +2.40.0
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
> index eb8a096f19..ab658a2a03 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
> @@ -13,7 +13,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
>             file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
>             file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
>             file://CVE-2023-6228.patch \
> -           "
> +           file://CVE-2023-52356.patch \
> +"
>  
>  SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
>

Patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
new file mode 100644
index 0000000000..9a6d9a39d9
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
@@ -0,0 +1,50 @@ 
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 15:58:41 +0100
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+CVE: CVE-2023-52356
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
+
+Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
+
+---
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 41f7dfd77..6fee35db2 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
+     if (TIFFRGBAImageOK(tif, emsg) &&
+         TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
+     {
++        if (row >= img.height)
++        {
++            TIFFErrorExtR(tif, TIFFFileName(tif),
++                          "Invalid row passed to TIFFReadRGBAStrip().");
++            TIFFRGBAImageEnd(&img);
++            return (0);
++        }
+ 
+         img.row_offset = row;
+         img.col_offset = 0;
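Review bot: the `row >= img.height` check lands in TIFFReadRGBAStripExt(), yet the commit message describes the flaw only in terms of TIFFReadRGBATileExt(); say in the commit message that the backport validates both the strip and the tile entry points, so the extra hunk is not a surprise to someone auditing the CVE fix later. The early return itself looks right: it sits inside the branch where TIFFRGBAImageBegin() has succeeded and calls TIFFRGBAImageEnd(&img) before `return (0);`.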
+@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
+         return (0);
+     }
+ 
++    if (col >= img.width || row >= img.height)
++    {
++        TIFFErrorExtR(tif, TIFFFileName(tif),
++                      "Invalid row/col passed to TIFFReadRGBATile().");
++        TIFFRGBAImageEnd(&img);
++        return (0);
++    }
++
+     /*
+      * The TIFFRGBAImageGet() function doesn't allow us to get off the
+      * edge of the image, even to fill an otherwise valid tile.  So we
+--
+2.40.0
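Review bot: the message string in the TIFFReadRGBATileExt() check reads "Invalid row/col passed to TIFFReadRGBATile()." and so names the non-Ext wrapper rather than the function that emits it (the strip hunk does the same); keep it byte-identical to the upstream commit given the Upstream-Status: Backport tag, but anyone matching on these strings in logs should search for the short names. The condition `col >= img.width || row >= img.height` rejects any tile origin outside the image, and img is released with TIFFRGBAImageEnd(&img) on that path.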
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index eb8a096f19..ab658a2a03 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -13,7 +13,8 @@  SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \
            file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \
            file://CVE-2023-6228.patch \
-           "
+           file://CVE-2023-52356.patch \
+"
 
 SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
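Review bot: the closing quote of SRC_URI moves from the indented `           "` to `"` in column 0, an unrelated whitespace change in a security backport; keep the original indented closing quote so the hunk adds only the `file://CVE-2023-52356.patch \` line.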