From patchwork Mon Jul 3 12:30:48 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 26807 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E742AEB64DC for ; Mon, 3 Jul 2023 12:31:01 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.31275.1688387456328478380 for ; Mon, 03 Jul 2023 05:30:56 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id ABE8E2F4; Mon, 3 Jul 2023 05:31:38 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 83C1E3F73F; Mon, 3 Jul 2023 05:30:55 -0700 (PDT) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH 1/2] cups: upgrade to 2.4.6 Date: Mon, 3 Jul 2023 13:30:48 +0100 Message-Id: <20230703123049.525813-1-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 03 Jul 2023 12:31:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/183801 From: Ross Burton This resolves CVE-2023-34241. Signed-off-by: Ross Burton --- meta/recipes-extended/cups/cups.inc | 1 - .../cups/cups/CVE-2023-32324.patch | 36 ------------------- .../cups/{cups_2.4.2.bb => cups_2.4.6.bb} | 2 +- 3 files changed, 1 insertion(+), 38 deletions(-) delete mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch rename meta/recipes-extended/cups/{cups_2.4.2.bb => cups_2.4.6.bb} (51%) diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index d77758fd3f4..da320b10855 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -15,7 +15,6 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \ file://0004-cups-fix-multilib-install-file-conflicts.patch \ file://volatiles.99_cups \ file://cups-volatiles.conf \ - file://CVE-2023-32324.patch \ " GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch deleted file mode 100644 index 40b89c98998..00000000000 --- a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001 -From: Zdenek Dohnal -Date: Thu, 1 Jun 2023 12:04:00 +0200 -Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324) - -CVE: CVE-2023-32324 -Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589] - -(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e) -Signed-off-by: Sanjay Chitroda ---- - cups/string.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/cups/string.c b/cups/string.c -index 93cdad19..6ef58515 100644 ---- a/cups/string.c -+++ b/cups/string.c -@@ -1,6 +1,7 @@ - /* - * String functions for CUPS. - * -+ * Copyright © 2023 by OpenPrinting. - * Copyright © 2007-2019 by Apple Inc. - * Copyright © 1997-2007 by Easy Software Products. - * -@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */ - size_t srclen; /* Length of source string */ - - -+ if (size == 0) -+ return (0); -+ - /* - * Figure out how much room is needed... - */ diff --git a/meta/recipes-extended/cups/cups_2.4.2.bb b/meta/recipes-extended/cups/cups_2.4.6.bb similarity index 51% rename from meta/recipes-extended/cups/cups_2.4.2.bb rename to meta/recipes-extended/cups/cups_2.4.6.bb index f5ca749bacb..58029fdbd4d 100644 --- a/meta/recipes-extended/cups/cups_2.4.2.bb +++ b/meta/recipes-extended/cups/cups_2.4.6.bb @@ -2,4 +2,4 @@ require cups.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI[sha256sum] = "f03ccb40b087d1e30940a40e0141dcbba263f39974c20eb9f2521066c9c6c908" +SRC_URI[sha256sum] = "58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262" From patchwork Mon Jul 3 12:30:49 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 26808 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E8882C0015E for ; Mon, 3 Jul 2023 12:31:01 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.31452.1688387457569161640 for ; Mon, 03 Jul 2023 05:30:57 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 7377CC14; Mon, 3 Jul 2023 05:31:39 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 312C93F73F; Mon, 3 Jul 2023 05:30:56 -0700 (PDT) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH 2/2] tiff: upgrade to 4.5.1 Date: Mon, 3 Jul 2023 13:30:49 +0100 Message-Id: <20230703123049.525813-2-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230703123049.525813-1-ross.burton@arm.com> References: <20230703123049.525813-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 03 Jul 2023 12:31:01 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/183802 From: Ross Burton Also remove old CVE_CHECK_IGNOREs which are no longer needed due to CPE updates. Signed-off-by: Ross Burton --- .../libtiff/files/CVE-2022-48281.patch | 29 ------ .../libtiff/files/CVE-2023-26965.patch | 99 ------------------- .../libtiff/files/CVE-2023-2731.patch | 39 -------- .../libtiff/{tiff_4.5.0.bb => tiff_4.5.1.bb} | 13 +-- 4 files changed, 2 insertions(+), 178 deletions(-) delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch rename meta/recipes-multimedia/libtiff/{tiff_4.5.0.bb => tiff_4.5.1.bb} (82%) diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch deleted file mode 100644 index e356d377ead..00000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch +++ /dev/null @@ -1,29 +0,0 @@ -CVE: CVE-2022-48281 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Sat, 21 Jan 2023 15:58:10 +0000 -Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. - ---- - tools/tiffcrop.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 14fa18da..7db69883 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image, - cropsize + NUM_BUFF_OVERSIZE_BYTES); - else - { -- prev_cropsize = seg_buffs[0].size; -+ prev_cropsize = seg_buffs[i].size; - if (prev_cropsize < cropsize) - { - next_buff = _TIFFrealloc( --- -GitLab - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch deleted file mode 100644 index 5fdc1ed0139..00000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch +++ /dev/null @@ -1,99 +0,0 @@ -From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Tue, 14 Feb 2023 20:43:43 +0100 -Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images. - Fix issue 527 - -Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value. - -Closes #527 - -CVE: CVE-2023-26965 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf] -Signed-off-by: Natasha Bailey ---- - tools/tiffcrop.c | 47 +++++++++++++---------------------------------- - 1 file changed, 13 insertions(+), 34 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index d7ad5ca8..d3e11ba2 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, - uint32_t tw = 0, tl = 0; /* Tile width and length */ - tmsize_t tile_rowsize = 0; - unsigned char *read_buff = NULL; -- unsigned char *new_buff = NULL; - int readunit = 0; -- static tmsize_t prev_readsize = 0; - - TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); - TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); -@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, - } - - read_buff = *read_ptr; -- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ -- /* outside buffer */ -- if (!read_buff) -+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit -+ * outside buffer */ -+ /* Reuse of read_buff from previous image is quite unsafe, because other -+ * functions (like rotateImage() etc.) reallocate that buffer with different -+ * size without updating the local prev_readsize value. */ -+ if (read_buff) - { -- if (buffsize > 0xFFFFFFFFU - 3) -- { -- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); -- return (-1); -- } -- read_buff = -- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); -+ _TIFFfree(read_buff); - } -- else -+ if (buffsize > 0xFFFFFFFFU - 3) - { -- if (prev_readsize < buffsize) -- { -- if (buffsize > 0xFFFFFFFFU - 3) -- { -- TIFFError("loadImage", -- "Unable to allocate/reallocate read buffer"); -- return (-1); -- } -- new_buff = -- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); -- if (!new_buff) -- { -- free(read_buff); -- read_buff = (unsigned char *)limitMalloc( -- buffsize + NUM_BUFF_OVERSIZE_BYTES); -- } -- else -- read_buff = new_buff; -- } -+ TIFFError("loadImage", "Required read buffer size too large"); -+ return (-1); - } -+ read_buff = -+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); - if (!read_buff) - { -- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); -+ TIFFError("loadImage", "Unable to allocate read buffer"); - return (-1); - } - -@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, - read_buff[buffsize + 1] = 0; - read_buff[buffsize + 2] = 0; - -- prev_readsize = buffsize; - *read_ptr = read_buff; - - /* N.B. The read functions used copy separate plane data into a buffer as --- -2.39.0 - diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch deleted file mode 100644 index 7db0a35f72b..00000000000 --- a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 29 Apr 2023 12:20:46 +0200 -Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a - strip whith a missing end-of-information marker (fixes #548) - -CVE: CVE-2023-2731 -Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b] - ---- - libtiff/tif_lzw.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index ba75a07e..d631fa10 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s) - - if (sp->read_error) - { -+ TIFFErrorExtR(tif, module, -+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to " -+ "previous error", -+ tif->tif_row); - return 0; - } - -@@ -742,6 +746,7 @@ after_loop: - return (1); - - no_eoi: -+ sp->read_error = 1; - TIFFErrorExtR(tif, module, - "LZWDecode: Strip %" PRIu32 " not terminated with EOI code", - tif->tif_curstrip); --- -2.34.1 - diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb similarity index 82% rename from meta/recipes-multimedia/libtiff/tiff_4.5.0.bb rename to meta/recipes-multimedia/libtiff/tiff_4.5.1.bb index 2bde8fe9d65..5af3f842650 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb @@ -8,13 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3" CVE_PRODUCT = "libtiff" -SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ - file://CVE-2022-48281.patch \ - file://CVE-2023-2731.patch \ - file://CVE-2023-26965.patch \ -" +SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz" -SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464" +SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b" # exclude betas UPSTREAM_CHECK_REGEX = "tiff-(?P\d+(\.\d+)+).tar" @@ -22,11 +18,6 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P\d+(\.\d+)+).tar" # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 # and 4.3.0 doesn't have the issue CVE_CHECK_IGNORE += "CVE-2015-7313" -# These issues only affect libtiff post-4.3.0 but before 4.4.0, -# caused by 3079627e and fixed by b4e79bfa. -CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" -# Issue is in jbig which we don't enable -CVE_CHECK_IGNORE += "CVE-2022-1210" inherit autotools multilib_header