Message ID | 20220908050409.17606-1-virendra.thakur@kpit.com |
---|---|
State | Accepted, archived |
Commit | 67df7488bf66183ffdb9f497f00ad291b79210d3 |
Series | [dunfell] tiff: Fix for CVE-2022-2867/8/9 | expand |
On Wed, Sep 7, 2022 at 7:04 PM Virendra Thakur via lists.openembedded.org <virendra.thakur=kpit.com@lists.openembedded.org> wrote: > > From: Virendra Thakur <virendrak@kpit.com> > > Add Patch to fix CVE-2022-2867, CVE-2022-2868 > CVE-2022-2869 This fails on the autobuilder: ERROR: tiff-4.1.0-r0 do_patch: Applying patch 'CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch' on target directory '/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/tiff-4.1.0' Command Error: 'quilt --quiltrc /home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch patching file tools/tiffcrop.c Hunk #1 FAILED at 5153. Hunk #2 succeeded at 4782 with fuzz 2 (offset -423 lines). Hunk #4 FAILED at 5332. Hunk #5 succeeded at 5449 with fuzz 2. Hunk #6 succeeded at 5588 with fuzz 2. 2 out of 6 hunks FAILED -- rejects in file tools/tiffcrop.c Patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch does not apply (enforce with -f) Perhaps your mailer is corrupting the patch? This has been an issue lately with other patches from kpit! Steve > > Signed-off-by: Virendra Thakur <virendrak@kpit.com> > --- > ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++ > meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 + > 2 files changed, 160 insertions(+) > create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > > diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch > new file mode 100644 > index 0000000000..131ff94119 > --- /dev/null > +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch 
> @@ -0,0 +1,159 @@ > +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001 > +From: Su Laus <sulau@freenet.de> > +Date: Wed, 9 Feb 2022 21:31:29 +0000 > +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting > + uint32_t underflow. > + > +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 > +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c] > +Signed-off-by: Virendra Thakur <virendrak@kpit.com> > +--- > +Index: tiff-4.1.0/tools/tiffcrop.c > +=================================================================== > +--- tiff-4.1.0.orig/tools/tiffcrop.c > ++++ tiff-4.1.0/tools/tiffcrop.c > +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas > + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); > + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); > + } > +- if (x1 < 1) > +- crop->regionlist[i].x1 = 0; > +- else > +- crop->regionlist[i].x1 = (uint32) (x1 - 1); > ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 > ++ * b) Corners are expected to be submitted as top-left to bottom-right. > ++ * Therefore, check that and reorder input. 
> ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) > ++ */ > ++ uint32_t aux; > ++ if (x1 > x2) { > ++ aux = x1; > ++ x1 = x2; > ++ x2 = aux; > ++ } > ++ if (y1 > y2) { > ++ aux = y1; > ++ y1 = y2; > ++ y2 = aux; > ++ } > ++ if (x1 > image->width - 1) > ++ crop->regionlist[i].x1 = image->width - 1; > ++ else if (x1 > 0) > ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); > + > + if (x2 > image->width - 1) > + crop->regionlist[i].x2 = image->width - 1; > +- else > +- crop->regionlist[i].x2 = (uint32) (x2 - 1); > +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; > +- > +- if (y1 < 1) > +- crop->regionlist[i].y1 = 0; > +- else > +- crop->regionlist[i].y1 = (uint32) (y1 - 1); > ++ else if (x2 > 0) > ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); > ++ > ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; > ++ > ++ if (y1 > image->length - 1) > ++ crop->regionlist[i].y1 = image->length - 1; > ++ else if (y1 > 0) > ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); > + > + if (y2 > image->length - 1) > + crop->regionlist[i].y2 = image->length - 1; > +- else > +- crop->regionlist[i].y2 = (uint32) (y2 - 1); > +- > +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; > ++ else if (y2 > 0) > ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); > + > ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; > + if (zwidth > max_width) > + max_width = zwidth; > + if (zlength > max_length) > +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas > + } > + } > + return (0); > +- } > ++ } /* crop_mode == CROP_REGIONS */ > + > + /* Convert crop margins into offsets into image > + * Margins are expressed as pixel rows and columns, not bytes > +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas > + bmargin = (uint32) 0; > + return (-1); > + } > +- } > ++ } /* crop_mode == CROP_MARGINS */ > + else > + { /* no margins requested */ > + tmargin = (uint32) 0; > +@@ -5332,24 +5348,23 @@ 
computeInputPixelOffsets(struct crop_mas > + off->endx = endx; > + off->endy = endy; > + > +- crop_width = endx - startx + 1; > +- crop_length = endy - starty + 1; > +- > +- if (crop_width <= 0) > ++ if (endx + 1 <= startx) > + { > + TIFFError("computeInputPixelOffsets", > + "Invalid left/right margins and /or image crop width requested"); > + return (-1); > + } > ++ crop_width = endx - startx + 1; > + if (crop_width > image->width) > + crop_width = image->width; > + > +- if (crop_length <= 0) > ++ if (endy + 1 <= starty) > + { > + TIFFError("computeInputPixelOffsets", > + "Invalid top/bottom margins and /or image crop length requested"); > + return (-1); > + } > ++ crop_length = endy - starty + 1; > + if (crop_length > image->length) > + crop_length = image->length; > + > +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image, > + else > + crop->selections = crop->zones; > + > +- for (i = 0; i < crop->zones; i++) > ++ /* Initialize regions iterator i */ > ++ i = 0; > ++ for (int j = 0; j < crop->zones; j++) > + { > +- seg = crop->zonelist[i].position; > +- total = crop->zonelist[i].total; > ++ seg = crop->zonelist[j].position; > ++ total = crop->zonelist[j].total; > ++ > ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ > ++ if (seg == 0 || total == 0 || seg > total) { > ++ continue; > ++ } > + > + switch (crop->edge_ref) > + { > +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image, > + i + 1, (uint32)zwidth, (uint32)zlength, > + crop->regionlist[i].x1, crop->regionlist[i].x2, > + crop->regionlist[i].y1, crop->regionlist[i].y2); > ++ /* increment regions iterator */ > ++ i++; > + } > +- > ++ /* set number of generated regions out of given zones */ > ++ crop->selections = i; > + return (0); > + } /* end getCropOffsets */ > + > +-- > +GitLab > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > index c061d2aaac..93a35230d6 100644 
> --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb > @@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ > file://CVE-2022-0924.patch \ > file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \ > file://CVE-2022-34526.patch \ > + file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \ > " > SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" > SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" > -- > 2.17.1 > > This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails. > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#170448): https://lists.openembedded.org/g/openembedded-core/message/170448 > Mute This Topic: https://lists.openembedded.org/mt/93542683/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi Steve, I am attaching the tiff patchset herewith. Please let me know if it's fine.
Please take this patch. Removed the change-ID as it's not needed.
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
+From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+
+CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: tiff-4.1.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0.orig/tools/tiffcrop.c
++++ tiff-4.1.0/tools/tiffcrop.c
+@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+- if (x1 < 1)
+- crop->regionlist[i].x1 = 0;
+- else
+- crop->regionlist[i].x1 = (uint32) (x1 - 1);
++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
++ * b) Corners are expected to be submitted as top-left to bottom-right.
++ * Therefore, check that and reorder input.
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
++ */
++ uint32_t aux;
++ if (x1 > x2) {
++ aux = x1;
++ x1 = x2;
++ x2 = aux;
++ }
++ if (y1 > y2) {
++ aux = y1;
++ y1 = y2;
++ y2 = aux;
++ }
++ if (x1 > image->width - 1)
++ crop->regionlist[i].x1 = image->width - 1;
++ else if (x1 > 0)
++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+
+ if (x2 > image->width - 1)
+ crop->regionlist[i].x2 = image->width - 1;
+- else
+- crop->regionlist[i].x2 = (uint32) (x2 - 1);
+- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+-
+- if (y1 < 1)
+- crop->regionlist[i].y1 = 0;
+- else
+- crop->regionlist[i].y1 = (uint32) (y1 - 1);
++ else if (x2 > 0)
++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
++
++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++
++ if (y1 > image->length - 1)
++ crop->regionlist[i].y1 = image->length - 1;
++ else if (y1 > 0)
++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+
+ if (y2 > image->length - 1)
+ crop->regionlist[i].y2 = image->length - 1;
+- else
+- crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ else if (y2 > 0)
++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+
++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (zwidth > max_width)
+ max_width = zwidth;
+ if (zlength > max_length)
+@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
+ }
+ }
+ return (0);
+- }
++ } /* crop_mode == CROP_REGIONS */
+
+ /* Convert crop margins into offsets into image
+ * Margins are expressed as pixel rows and columns, not bytes
+@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
+ bmargin = (uint32) 0;
+ return (-1);
+ }
+- }
++ } /* crop_mode == CROP_MARGINS */
+ else
+ { /* no margins requested */
+ tmargin = (uint32) 0;
+@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
+ off->endx = endx;
+ off->endy = endy;
+
+- crop_width = endx - startx + 1;
+- crop_length = endy - starty + 1;
+-
+- if (crop_width <= 0)
++ if (endx + 1 <= startx)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid left/right margins and /or image crop width requested");
+ return (-1);
+ }
++ crop_width = endx - startx + 1;
+ if (crop_width > image->width)
+ crop_width = image->width;
+
+- if (crop_length <= 0)
++ if (endy + 1 <= starty)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid top/bottom margins and /or image crop length requested");
+ return (-1);
+ }
++ crop_length = endy - starty + 1;
+ if (crop_length > image->length)
+ crop_length = image->length;
+
+@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
+ else
+ crop->selections = crop->zones;
+
+- for (i = 0; i < crop->zones; i++)
++ /* Initialize regions iterator i */
++ i = 0;
++ for (int j = 0; j < crop->zones; j++)
+ {
+- seg = crop->zonelist[i].position;
+- total = crop->zonelist[i].total;
++ seg = crop->zonelist[j].position;
++ total = crop->zonelist[j].total;
++
++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++ if (seg == 0 || total == 0 || seg > total) {
++ continue;
++ }
+
+ switch (crop->edge_ref)
+ {
+@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
+ i + 1, (uint32)zwidth, (uint32)zlength,
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
++ /* increment regions iterator */
++ i++;
+ }
+-
++ /* set number of generated regions out of given zones */
++ crop->selections = i;
+ return (0);
+ } /* end getCropOffsets */
+
+--
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index c061d2aaac..93a35230d6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
 file://CVE-2022-0924.patch \
 file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
 file://CVE-2022-34526.patch \
+ file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
 "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
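Review bot: In the CROP_REGIONS clamp that the backported patch adds to computeInputPixelOffsets (tools/tiffcrop.c), the new `if (x1 > image->width - 1) … else if (x1 > 0) …` chains have no final `else`, so a corner value of 0 leaves `crop->regionlist[i].x1` (and likewise x2, y1, y2) at whatever it held before, where the removed code stored 0 explicitly. That is only safe if the region list is zeroed before this loop, which the hunk does not show; since `zwidth` and `zlength` are computed from these fields right after, a stale value would feed straight into the buffer sizing this fix is meant to protect. Restoring the explicit branch on each of the four chains, e.g. `else crop->regionlist[i].x1 = 0;`, removes that dependency. Separately, `image->width - 1` and `image->length - 1` presumably wrap for a zero-sized image (the in-patch comment says the coordinates are uint32_t), in which case the upper clamp never fires, so rejecting zero dimensions before the loop is worth confirming. The function body starts and ends outside the hunk.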