[master,v2] libtiff: Fix CVE-2022-3970

Message ID 20221122154901.2290930-1-zheng.qiu@windriver.com
State New

Commit Message

Zheng Qiu Nov. 22, 2022, 3:49 p.m. UTC
This patch contains a fix for CVE-2022-3970

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-3970
https://security-tracker.debian.org/tracker/CVE-2022-3970

Patch generated from :
https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be

Upstream-Status: Accepted

Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
---
 .../libtiff/files/CVE-2022-3970.patch         | 38 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.4.0.bb |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch

Comments

Randy MacLeod Nov. 22, 2022, 10:43 p.m. UTC | #1
On 2022-11-22 10:49, Zheng Qiu wrote:
> This patch contains a fix for CVE-2022-3970
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2022-3970
> https://security-tracker.debian.org/tracker/CVE-2022-3970
>
> Patch generated from :
> https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
>
> Upstream-Status: Accepted
>
> Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
> ---
>   .../libtiff/files/CVE-2022-3970.patch         | 38 +++++++++++++++++++
>   meta/recipes-multimedia/libtiff/tiff_4.4.0.bb |  1 +
>   2 files changed, 39 insertions(+)
>   create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
> new file mode 100644
> index 0000000000..e8f143933a
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
> @@ -0,0 +1,38 @@
> +From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
> +From: Even Rouault<even.rouault@spatialys.com>
> +Date: Tue, 8 Nov 2022 15:16:58 +0100
> +Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
> + strips/tiles > 2 GB

The Upstream-Status should be here in the header of the patch.

v3, please or update the patch if this gets merged.

"While adding this tracking information to *the patch headers* is
currently optional, it is highly recommended and some maintainers may 
require it. It is optional at this time so that it can be evaluated as 
to its usefulness over time. Existing patches will be updated with the 
tag as they are modified."

https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status


../Randy

> +
> +Fixeshttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
> +---
> + libtiff/tif_getimage.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
> +index a4d0c1d6..60b94d8e 100644
> +--- a/libtiff/tif_getimage.c
> ++++ b/libtiff/tif_getimage.c
> +@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
> +         return( ok );
> +
> +     for( i_row = 0; i_row < read_ysize; i_row++ ) {
> +-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
> +-                 raster + (read_ysize - i_row - 1) * read_xsize,
> ++        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
> ++                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
> +                  read_xsize * sizeof(uint32_t) );
> +-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
> ++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
> +                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
> +     }
> +
> +     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
> +-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
> ++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
> +                      0, sizeof(uint32_t) * tile_xsize );
> +     }
> +
> +--
> +2.33.0
> +
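Review bot: the embedded patch header (the From/Date/Subject block through the `Fixes` line) carries no `CVE:` tag, so the fix is tied to CVE-2022-3970 only by the patch file name. Add `CVE: CVE-2022-3970` above the `---` separator of the embedded patch, alongside the Upstream-Status line requested earlier in this reply.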
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> index 29cb4111d6..f92b034c4c 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
> @@ -12,6 +12,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
>              file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch  \
>              file://CVE-2022-34526.patch  \
>              file://CVE-2022-2953.patch  \
> +	file://CVE-2022-3970.patch  \
>              file://0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch  \
>              file://0001-tiffcrop-S-option-Make-decision-simpler.patch  \
>              file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch  \
Richard Purdie Nov. 22, 2022, 11:13 p.m. UTC | #2
On Tue, 2022-11-22 at 17:43 -0500, Randy MacLeod wrote:
> On 2022-11-22 10:49, Zheng Qiu wrote:
>  
> 
> > This patch contains a fix for CVE-2022-3970
> > 
> > Reference:
> > https://nvd.nist.gov/vuln/detail/CVE-2022-3970
> > https://security-tracker.debian.org/tracker/CVE-2022-3970
> > 
> > Patch generated from :
> > https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
> > 
> > Upstream-Status: Accepted
> > 
> > Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
> > ---
> >  .../libtiff/files/CVE-2022-3970.patch         | 38 +++++++++++++++++++
> >  meta/recipes-multimedia/libtiff/tiff_4.4.0.bb |  1 +
> >  2 files changed, 39 insertions(+)
> >  create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
> > 
> > diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
> > new file mode 100644
> > index 0000000000..e8f143933a
> > --- /dev/null
> > +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
> > @@ -0,0 +1,38 @@
> > +From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
> > +From: Even Rouault <even.rouault@spatialys.com>
> > +Date: Tue, 8 Nov 2022 15:16:58 +0100
> > +Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
> > + strips/tiles > 2 GB
> The Upstream-Status should be here in the header of the patch.
> v3, please or update the patch if this gets merged.
> "While adding this tracking information to the patch headers is currently optional, it is highly recommended and some maintainers may require it. It is optional at this time so that it can be evaluated as to its usefulness over time. Existing patches will be updated with the tag as they are modified."
> https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status

For OE-Core, Upstream-Status isn't optional, we have 100% coverage of
patches with such headers.

Cheers,

Richard

Patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
new file mode 100644
index 0000000000..e8f143933a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
@@ -0,0 +1,38 @@ 
+From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 8 Nov 2022 15:16:58 +0100
+Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
+ strips/tiles > 2 GB
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a4d0c1d6..60b94d8e 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
+         return( ok );
+ 
+     for( i_row = 0; i_row < read_ysize; i_row++ ) {
+-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+-                 raster + (read_ysize - i_row - 1) * read_xsize,
++        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
++                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+                  read_xsize * sizeof(uint32_t) );
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
+     }
+ 
+     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                      0, sizeof(uint32_t) * tile_xsize );
+     }
+ 
+-- 
+2.33.0
+
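Review bot: the header of the new CVE-2022-3970.patch file (everything ahead of its `---` separator) has no `Upstream-Status:` line; the tag appears only in the outer commit message, where it does not travel with the patch file. Because the change is taken from the upstream commit named in the `From 227500897dfb07fb7d27f7aa570050e62617e3be` line, put the status inside the patch header, for example `Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be]`, and regenerate the outer diff so the `@@ -0,0 +1,38 @@` count and diffstat match.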
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
index 29cb4111d6..f92b034c4c 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -12,6 +12,7 @@  SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
            file://CVE-2022-34526.patch \
            file://CVE-2022-2953.patch \
+	   file://CVE-2022-3970.patch \
            file://0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch \
            file://0001-tiffcrop-S-option-Make-decision-simpler.patch \
            file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \
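Review bot: the added `file://CVE-2022-3970.patch \` entry in SRC_URI is indented with a tab followed by spaces, while the neighbouring entries are indented with spaces only. Re-indent the new line with spaces so it aligns with the other `file://` entries and later diffs of this list carry no whitespace noise.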