[dunfell,01/10] libtiff: Add fix for tiffcrop CVE-2023-1916

Message ID	28ad0fdd30f490612aca6cc96ee503e5f92360a8.1697567211.git.steve@sakoman.com
State	Accepted, archived
Commit	28ad0fdd30f490612aca6cc96ee503e5f92360a8
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.176, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 01/10] libtiff: Add fix for tiffcrop CVE-2023-1916 Date: Tue, 17 Oct 2023 08:42:21 -1000 Message-Id: <28ad0fdd30f490612aca6cc96ee503e5f92360a8.1697567211.git.steve@sakoman.com> In-Reply-To: <cover.1697567211.git.steve@sakoman.com> References: <cover.1697567211.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,01/10] libtiff: Add fix for tiffcrop CVE-2023-1916 \| expand [dunfell,01/10] libtiff: Add fix for tiffcrop CVE-2023-1916 [dunfell,02/10] curl: Backport fix for CVE-2023-38545 [dunfell,03/10] curl: Backport fix for CVE-2023-38546 [dunfell,04/10] glib-2.0: Fix multiple vulnerabilities [dunfell,05/10] libwebp: Update CVE ID CVE-2023-4863 [dunfell,06/10] vim: Upgrade 9.0.1894 -> 9.0.2009 [dunfell,07/10] xorg-lib-common: Add variable to set tarball type [dunfell,08/10] libxpm: upgrade to 3.5.17 [dunfell,09/10] kernel.bbclass: Add force flag to rm calls [dunfell,10/10] systemd: Backport systemd-resolved: use hostname for certificate validation in DoT

Message ID

28ad0fdd30f490612aca6cc96ee503e5f92360a8.1697567211.git.steve@sakoman.com

State

Accepted, archived

Commit

28ad0fdd30f490612aca6cc96ee503e5f92360a8

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 01/10] libtiff: Add fix for tiffcrop CVE-2023-1916
Date: Tue, 17 Oct 2023 08:42:21 -1000
Message-Id: 
 <28ad0fdd30f490612aca6cc96ee503e5f92360a8.1697567211.git.steve@sakoman.com>
In-Reply-To: <cover.1697567211.git.steve@sakoman.com>
References: <cover.1697567211.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,01/10] libtiff: Add fix for tiffcrop CVE-2023-1916 | expand

Commit Message

Steve Sakoman Oct. 17, 2023, 6:42 p.m. UTC

From: Marek Vasut <marex@denx.de>

Add fix for tiffcrop tool CVE-2023-1916 [1].

A flaw was found in tiffcrop, a program distributed by the libtiff
package. A specially crafted tiff file can lead to an out-of-bounds
read in the extractImageSection function in tools/tiffcrop.c, resulting
in a denial of service and limited information disclosure. This issue
affects libtiff versions 4.x.

The tool is no longer part of newer libtiff distributions, hence the
fix is rejected by upstream in [2]. The backport is still applicable
to older versions of libtiff, pick the CVE fix from ubuntu 20.04 [3].

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-1916
[2] https://gitlab.com/libtiff/libtiff/-/merge_requests/535
[3] https://packages.ubuntu.com/source/focal-updates/tiff

Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libtiff/files/CVE-2023-1916.patch         | 91 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |  1 +
 2 files changed, 92 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
new file mode 100644
index 0000000000..9915b77645
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
@@ -0,0 +1,91 @@ 
+From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Thu, 16 Mar 2023 16:16:54 +0800
+Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
+
+CVE: CVE-2023-1916
+Upstream-Status: Submitted [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ archive/tools/tiffcrop.c | 62 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 45 insertions(+), 17 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/tools/tiffcrop.c
++++ tiff-4.1.0+git191117/tools/tiffcrop.c
+@@ -5549,6 +5549,15 @@ getCropOffsets(struct image_data *image,
+              crop->combined_width += (uint32)zwidth;
+            else
+              crop->combined_width = (uint32)zwidth;
++
++           /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++           if (((crop->rotation == 90) || (crop->rotation == 270))
++               && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++           {
++               TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++               return -1;
++           }
++
+            break;
+       case EDGE_BOTTOM: /* width from left, zones from bottom to top */
+            zwidth = offsets.crop_width;
+@@ -5579,6 +5588,15 @@ getCropOffsets(struct image_data *image,
+            else
+              crop->combined_length = (uint32)zlength;
+            crop->combined_width = (uint32)zwidth;
++
++           /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++           if (((crop->rotation == 90) || (crop->rotation == 270))
++               && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++           {
++               TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++               return -1;
++           }
++
+            break;
+       case EDGE_RIGHT: /* zones from right to left, length from top */
+            zlength = offsets.crop_length;
+@@ -5606,6 +5624,15 @@ getCropOffsets(struct image_data *image,
+              crop->combined_width += (uint32)zwidth;
+            else
+              crop->combined_width = (uint32)zwidth;
++
++           /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++           if (((crop->rotation == 90) || (crop->rotation == 270))
++               && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++           {
++               TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++               return -1;
++           }
++
+            break;
+       case EDGE_TOP: /* width from left, zones from top to bottom */
+       default:
+@@ -5632,6 +5659,15 @@ getCropOffsets(struct image_data *image,
+            else
+              crop->combined_length = (uint32)zlength;
+            crop->combined_width = (uint32)zwidth;
++
++           /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++           if (((crop->rotation == 90) || (crop->rotation == 270))
++               && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++           {
++               TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++               return -1;
++           }
++
+            break;
+       } /* end switch statement */
+ 
+@@ -6827,9 +6863,9 @@ extractImageSection(struct image_data *i
+      * regardless of the way the data are organized in the input file.
+      * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
+      */
+-    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
+-    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
+-    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
++    img_rowsize = (((img_width * spp * bps) + 7) / 8);  /* row size in full bytes of source image */
++    full_bytes = (sect_width * spp * bps) / 8;          /* number of COMPLETE bytes per row in section */
++    trailing_bits = (sect_width * spp * bps) % 8;       /* trailing bits within the last byte of destination buffer */
+ 
+ #ifdef DEVELMODE
+     TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index e3daaf1007..6df4244697 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -36,6 +36,7 @@  SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2022-48281.patch \
            file://CVE-2023-0795_0796_0797_0798_0799.patch \
            file://CVE-2023-0800_0801_0802_0803_0804.patch \
+           file://CVE-2023-1916.patch \
            file://CVE-2023-25433.patch \
            file://CVE-2023-25434-CVE-2023-25435.patch \
            file://CVE-2023-26965.patch \

[dunfell,01/10] libtiff: Add fix for tiffcrop CVE-2023-1916

Commit Message

Patch