[mickledore,02/27] tiff: fix CVE-2023-41175

Message ID	b2518923dff885778c550f0faa22e99bf76b6288.1697233866.git.steve@sakoman.com
State	New
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.171, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][mickledore 02/27] tiff: fix CVE-2023-41175 Date: Fri, 13 Oct 2023 11:52:26 -1000 Message-Id: <b2518923dff885778c550f0faa22e99bf76b6288.1697233866.git.steve@sakoman.com> In-Reply-To: <cover.1697233866.git.steve@sakoman.com> References: <cover.1697233866.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[mickledore,01/27] tiff: fix CVE-2023-40745 \| expand [mickledore,01/27] tiff: fix CVE-2023-40745 [mickledore,02/27] tiff: fix CVE-2023-41175 [mickledore,03/27] ghostscript: fix CVE-2023-43115 [mickledore,04/27] curl: fix CVE-2023-38545 [mickledore,05/27] curl: fix CVE-2023-38546 [mickledore,06/27] dbus: upgrade 1.14.8 -> 1.14.10 [mickledore,07/27] wireless-regdb: upgrade 2023.05.03 -> 2023.09.01 [mickledore,08/27] gzip: update 1.12 -> 1.13 [mickledore,09/27] screen: update 4.9.0 -> 4.9.1 [mickledore,10/27] vim: Upgrade 9.0.1894 -> 9.0.2009 [mickledore,11/27] nativesdk-intercept: Fix bad intercept chgrp/chown logic [mickledore,12/27] avahi: handle invalid service types gracefully [mickledore,13/27] runqemu: check permissions of available render nodes as well as their presence [mickledore,14/27] build-sysroots: target or native sysroot population need to be selected explicit… [mickledore,15/27] weston-init: remove misleading comment about udev rule [mickledore,16/27] weston-init: fix init code indentation [mickledore,17/27] libc-test: Run as non-root user [mickledore,18/27] oeqa dnf_runtime.py: fix HTTP server IP address and port [mickledore,19/27] oeqa/selftest/context.py: check git command return values [mickledore,20/27] igt-gpu-tools: do not write shortened git commit hash into binaries [mickledore,21/27] ptest: report tests that were killed on timeout [mickledore,22/27] strace: parallelize ptest [mickledore,23/27] openssl: parallelize tests [mickledore,24/27] openssl: ensure all ptest fails are caught [mickledore,25/27] libsoup-2.4: Only specify --cross-file when building for target [mickledore,26/27] oeqa/selftest/wic: Improve assertTrue calls [mickledore,27/27] gdb: fix RDEPENDS for PACKAGECONFIG[tui]

Message ID

b2518923dff885778c550f0faa22e99bf76b6288.1697233866.git.steve@sakoman.com

State

New

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 02/27] tiff: fix CVE-2023-41175
Date: Fri, 13 Oct 2023 11:52:26 -1000
Message-Id: 
 <b2518923dff885778c550f0faa22e99bf76b6288.1697233866.git.steve@sakoman.com>
In-Reply-To: <cover.1697233866.git.steve@sakoman.com>
References: <cover.1697233866.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[mickledore,01/27] tiff: fix CVE-2023-40745 | expand

Commit Message

Steve Sakoman Oct. 13, 2023, 9:52 p.m. UTC

From: Yogita Urade <yogita.urade@windriver.com>

libtiff: potential integer overflow in raw2tiff.c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2235264
https://security-tracker.debian.org/tracker/CVE-2023-41175
https://gitlab.com/libtiff/libtiff/-/issues/592

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4ee806cbc12fbc830b09ba6222e96b1e5f24539f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libtiff/files/CVE-2023-41175.patch        | 63 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.5.1.bb |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
new file mode 100644
index 0000000000..cca30b2196
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
@@ -0,0 +1,63 @@ 
+From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Thu, 14 Sep 2023 04:36:58 +0000
+Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes
+   #592)
+
+CVE: CVE-2023-41175
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index 4ee59e5..a811077 100644
+--- a/tools/raw2tiff.c
++++ b/tools/raw2tiff.c
+@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
+     int fd;
+     char *outfilename = NULL;
+     TIFF *out;
++    uint32_t temp_limit_check = 0;     /* temp for integer overflow checking*/
+
+     uint32_t row, col, band;
+     int c;
+@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
+     if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
+         return EXIT_FAILURE;
+
++    /* check for integer overflow in */
++    /* hdr_size + (*width) * (*length) * nbands * depth */
++
++    if ((width == 0) || (length == 0) ){
++        fprintf(stderr, "Too large nbands value specified.\n");
++        return (EXIT_FAILURE);
++    }
++
++    temp_limit_check = nbands * depth;
++
++    if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) )  {
++        fprintf(stderr, "Too large length size specified.\n");
++        return (EXIT_FAILURE);
++    }
++    temp_limit_check = temp_limit_check * length;
++
++    if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) )  {
++        fprintf(stderr, "Too large width size specified.\n");
++        return (EXIT_FAILURE);
++    }
++    temp_limit_check = temp_limit_check * width;
++
++    if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) )  {
++        fprintf(stderr, "Too large header size specified.\n");
++        return (EXIT_FAILURE);
++    }
++
+     if (outfilename == NULL)
+         outfilename = argv[optind + 1];
+     out = TIFFOpen(outfilename, "w");
+--
+2.35.5
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index 9cd790a2da..2a5b7e7fcf 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -10,6 +10,7 @@  CVE_PRODUCT = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-40745.patch \
+           file://CVE-2023-41175.patch \
            "
 
 SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"

[mickledore,02/27] tiff: fix CVE-2023-41175

Commit Message

Patch