Message ID | 20221122153757.2287659-1-zheng.qiu@windriver.com |
---|---|
State | Accepted, archived |
Commit | 668ff495ac44e5b6d9e1af15d3861b5c2b4dfcd1 |
Headers | show |
Series | [master] tiff: Security fix for CVE-2022-3970 | expand |
master has libtiff 4.4.0 so this doesn’t apply. Is the CVE still valid in that release, or has it been fixed? Ross > On 22 Nov 2022, at 15:37, Qiu, Zheng via lists.openembedded.org <Zheng.Qiu=windriver.com@lists.openembedded.org> wrote: > > This patch contains a fix for CVE-2022-3970 > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2022-3970 > https://security-tracker.debian.org/tracker/CVE-2022-3970 > > Patch generated from : > https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be > > Upstream-Status: Accepted > > Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com> > --- > .../libtiff/tiff/CVE-2022-3970.patch | 38 +++++++++++++++++++ > meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + > 2 files changed, 39 insertions(+) > create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch > > diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch > new file mode 100644 > index 0000000000..e8f143933a > --- /dev/null > +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch > @@ -0,0 +1,38 @@ > +From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001 > +From: Even Rouault <even.rouault@spatialys.com> > +Date: Tue, 8 Nov 2022 15:16:58 +0100 > +Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on > + strips/tiles > 2 GB > + > +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 > +--- > + libtiff/tif_getimage.c | 8 ++++---- > + 1 file changed, 4 insertions(+), 4 deletions(-) > + > +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c > +index a4d0c1d6..60b94d8e 100644 > +--- a/libtiff/tif_getimage.c > ++++ b/libtiff/tif_getimage.c > +@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in > + return( ok ); > + > + for( i_row = 0; i_row < read_ysize; i_row++ ) { > +- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, > +- raster + (read_ysize - i_row - 1) * read_xsize, > ++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, > ++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize, > + read_xsize * sizeof(uint32_t) ); > +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, > ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, > + 0, sizeof(uint32_t) * (tile_xsize - read_xsize) ); > + } > + > + for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { > +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, > ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, > + 0, sizeof(uint32_t) * tile_xsize ); > + } > + > +-- > +2.33.0 > + > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb > index f84057c46b..0fbe515e9d 100644 > --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb > +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb > @@ -24,6 +24,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ > file://CVE-2022-34526.patch \ > file://CVE-2022-2869.patch \ > file://CVE-2022-2867.patch \ > + file://CVE-2022-3970.patch \ > file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \ > " > > -- > 2.33.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#173686): https://lists.openembedded.org/g/openembedded-core/message/173686 > Mute This Topic: https://lists.openembedded.org/mt/95197777/6875888 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ross.burton@arm.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Nov 25, 2022, at 9:54 AM, Ross Burton <Ross.Burton@arm.com> wrote:
CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know the content is safe.
master has libtiff 4.4.0 so this doesn’t apply. Is the CVE still valid in that release, or has it been fixed?
Ross
It seems like this CVE is fixed after 4.4.0 to me.
ZQ
On 22 Nov 2022, at 15:37, Qiu, Zheng via lists.openembedded.org <Zheng.Qiu=windriver.com@lists.openembedded.org> wrote:
This patch contains a fix for CVE-2022-3970
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-3970
https://security-tracker.debian.org/tracker/CVE-2022-3970
Patch generated from :
https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
Upstream-Status: Accepted
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
---
.../libtiff/tiff/CVE-2022-3970.patch | 38 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
new file mode 100644
index 0000000000..e8f143933a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
@@ -0,0 +1,38 @@
+From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 8 Nov 2022 15:16:58 +0100
+Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
+ strips/tiles > 2 GB
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a4d0c1d6..60b94d8e 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
+ return( ok );
+
+ for( i_row = 0; i_row < read_ysize; i_row++ ) {
+- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+- raster + (read_ysize - i_row - 1) * read_xsize,
++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+ read_xsize * sizeof(uint32_t) );
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ 0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
+ }
+
+ for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ 0, sizeof(uint32_t) * tile_xsize );
+ }
+
+--
+2.33.0
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index f84057c46b..0fbe515e9d 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2022-34526.patch \
file://CVE-2022-2869.patch \
file://CVE-2022-2867.patch \
+ file://CVE-2022-3970.patch \
file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
"
--
2.33.0
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#173686): https://lists.openembedded.org/g/openembedded-core/message/173686
Mute This Topic: https://lists.openembedded.org/mt/95197777/6875888
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ross.burton@arm.com]
-=-=-=-=-=-=-=-=-=-=-=-
On 25 Nov 2022, at 15:03, Qiu, Zheng via lists.openembedded.org <Zheng.Qiu=windriver.com@lists.openembedded.org> wrote: > >> On Nov 25, 2022, at 9:54 AM, Ross Burton <Ross.Burton@arm.com> wrote: >> >> master has libtiff 4.4.0 so this doesn’t apply. Is the CVE still valid in that release, or has it been fixed? >> >> Ross > > It seems like this CVE is fixed after 4.4.0 to me. Can you rebase and resend then? Thanks, Ross
>-----Original Message----- >From: Ross Burton <Ross.Burton@arm.com> >Sent: Friday, November 25, 2022 10:50 AM >To: Qiu, Zheng <Zheng.Qiu@windriver.com> >Cc: Openembedded Core <openembedded-core@lists.openembedded.org>; >MacLeod, Randy <Randy.MacLeod@windriver.com> >Subject: Re: [OE-core] [master][PATCH] tiff: Security fix for CVE-2022-3970 > >CAUTION: This email comes from a non Wind River email account! >Do not click links or open attachments unless you recognize the sender and >know the content is safe. > >On 25 Nov 2022, at 15:03, Qiu, Zheng via lists.openembedded.org ><Zheng.Qiu=windriver.com@lists.openembedded.org> wrote: >> >>> On Nov 25, 2022, at 9:54 AM, Ross Burton <Ross.Burton@arm.com> wrote: >>> >>> master has libtiff 4.4.0 so this doesn’t apply. Is the CVE still valid in that >release, or has it been fixed? >>> >>> Ross >> >> It seems like this CVE is fixed after 4.4.0 to me. > >Can you rebase and resend then? [] I rebased and sent a new patch this Tuesday @ 10:49 AM. Do you still want me to send a new one? ZQ > >Thanks, >Ross
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch new file mode 100644 index 0000000000..e8f143933a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch @@ -0,0 +1,38 @@ +From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 8 Nov 2022 15:16:58 +0100 +Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on + strips/tiles > 2 GB + +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index a4d0c1d6..60b94d8e 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in + return( ok ); + + for( i_row = 0; i_row < read_ysize; i_row++ ) { +- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, +- raster + (read_ysize - i_row - 1) * read_xsize, ++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, ++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize, + read_xsize * sizeof(uint32_t) ); +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, + 0, sizeof(uint32_t) * (tile_xsize - read_xsize) ); + } + + for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, + 0, sizeof(uint32_t) * tile_xsize ); + } + +-- +2.33.0 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index f84057c46b..0fbe515e9d 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -24,6 +24,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2022-34526.patch \ file://CVE-2022-2869.patch \ file://CVE-2022-2867.patch \ + file://CVE-2022-3970.patch \ file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \ "
This patch contains a fix for CVE-2022-3970 Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-3970 https://security-tracker.debian.org/tracker/CVE-2022-3970 Patch generated from : https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be Upstream-Status: Accepted Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com> --- .../libtiff/tiff/CVE-2022-3970.patch | 38 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch