[master] tiff: Security fix for CVE-2022-3970

This patch contains a fix for CVE-2022-3970

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-3970
https://security-tracker.debian.org/tracker/CVE-2022-3970

Patch generated from :
https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be

Upstream-Status: Accepted

Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
---
 .../libtiff/tiff/CVE-2022-3970.patch          | 38 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch

master has libtiff 4.4.0 so this doesn’t apply.  Is the CVE still valid in that release, or has it been fixed?

Ross

> On 22 Nov 2022, at 15:37, Qiu, Zheng via lists.openembedded.org <Zheng.Qiu=windriver.com@lists.openembedded.org> wrote:
> 
> This patch contains a fix for CVE-2022-3970
> 
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2022-3970
> https://security-tracker.debian.org/tracker/CVE-2022-3970
> 
> Patch generated from :
> https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
> 
> Upstream-Status: Accepted
> 
> Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
> ---
> .../libtiff/tiff/CVE-2022-3970.patch          | 38 +++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
> 2 files changed, 39 insertions(+)
> create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
> 
> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
> new file mode 100644
> index 0000000000..e8f143933a
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
> @@ -0,0 +1,38 @@
> +From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
> +From: Even Rouault <even.rouault@spatialys.com>
> +Date: Tue, 8 Nov 2022 15:16:58 +0100
> +Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
> + strips/tiles > 2 GB
> +
> +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
> +---
> + libtiff/tif_getimage.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
> +index a4d0c1d6..60b94d8e 100644
> +--- a/libtiff/tif_getimage.c
> ++++ b/libtiff/tif_getimage.c
> +@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
> +         return( ok );
> + 
> +     for( i_row = 0; i_row < read_ysize; i_row++ ) {
> +-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
> +-                 raster + (read_ysize - i_row - 1) * read_xsize,
> ++        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
> ++                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
> +                  read_xsize * sizeof(uint32_t) );
> +-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
> ++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
> +                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
> +     }
> + 
> +     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
> +-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
> ++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
> +                      0, sizeof(uint32_t) * tile_xsize );
> +     }
> + 
> +-- 
> +2.33.0
> +
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> index f84057c46b..0fbe515e9d 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> @@ -24,6 +24,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
>            file://CVE-2022-34526.patch \
>            file://CVE-2022-2869.patch \
>            file://CVE-2022-2867.patch \
> +           file://CVE-2022-3970.patch \
>            file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
>            "
> 
> -- 
> 2.33.0
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#173686): https://lists.openembedded.org/g/openembedded-core/message/173686
> Mute This Topic: https://lists.openembedded.org/mt/95197777/6875888
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ross.burton@arm.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

On Nov 25, 2022, at 9:54 AM, Ross Burton <Ross.Burton@arm.com> wrote:

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know the content is safe.

master has libtiff 4.4.0 so this doesn’t apply.  Is the CVE still valid in that release, or has it been fixed?

Ross

It seems like this CVE is fixed after 4.4.0 to me.

ZQ


On 22 Nov 2022, at 15:37, Qiu, Zheng via lists.openembedded.org <Zheng.Qiu=windriver.com@lists.openembedded.org> wrote:

This patch contains a fix for CVE-2022-3970

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-3970
https://security-tracker.debian.org/tracker/CVE-2022-3970

Patch generated from :
https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be

Upstream-Status: Accepted

Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
---
.../libtiff/tiff/CVE-2022-3970.patch          | 38 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
new file mode 100644
index 0000000000..e8f143933a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
@@ -0,0 +1,38 @@
+From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 8 Nov 2022 15:16:58 +0100
+Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
+ strips/tiles > 2 GB
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a4d0c1d6..60b94d8e 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
+         return( ok );
+
+     for( i_row = 0; i_row < read_ysize; i_row++ ) {
+-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+-                 raster + (read_ysize - i_row - 1) * read_xsize,
++        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
++                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+                  read_xsize * sizeof(uint32_t) );
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
+     }
+
+     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                      0, sizeof(uint32_t) * tile_xsize );
+     }
+
+--
+2.33.0
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index f84057c46b..0fbe515e9d 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
          file://CVE-2022-34526.patch \
          file://CVE-2022-2869.patch \
          file://CVE-2022-2867.patch \
+           file://CVE-2022-3970.patch \
          file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
          "

--
2.33.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#173686): https://lists.openembedded.org/g/openembedded-core/message/173686
Mute This Topic: https://lists.openembedded.org/mt/95197777/6875888
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ross.burton@arm.com]
-=-=-=-=-=-=-=-=-=-=-=-

On 25 Nov 2022, at 15:03, Qiu, Zheng via lists.openembedded.org <Zheng.Qiu=windriver.com@lists.openembedded.org> wrote:
> 
>> On Nov 25, 2022, at 9:54 AM, Ross Burton <Ross.Burton@arm.com> wrote:
>> 
>> master has libtiff 4.4.0 so this doesn’t apply.  Is the CVE still valid in that release, or has it been fixed?
>> 
>> Ross
> 
> It seems like this CVE is fixed after 4.4.0 to me.

Can you rebase and resend then?

Thanks,
Ross

>-----Original Message-----
>From: Ross Burton <Ross.Burton@arm.com>
>Sent: Friday, November 25, 2022 10:50 AM
>To: Qiu, Zheng <Zheng.Qiu@windriver.com>
>Cc: Openembedded Core <openembedded-core@lists.openembedded.org>;
>MacLeod, Randy <Randy.MacLeod@windriver.com>
>Subject: Re: [OE-core] [master][PATCH] tiff: Security fix for CVE-2022-3970
>
>CAUTION: This email comes from a non Wind River email account!
>Do not click links or open attachments unless you recognize the sender and
>know the content is safe.
>
>On 25 Nov 2022, at 15:03, Qiu, Zheng via lists.openembedded.org
><Zheng.Qiu=windriver.com@lists.openembedded.org> wrote:
>>
>>> On Nov 25, 2022, at 9:54 AM, Ross Burton <Ross.Burton@arm.com> wrote:
>>>
>>> master has libtiff 4.4.0 so this doesn’t apply.  Is the CVE still valid in that
>release, or has it been fixed?
>>>
>>> Ross
>>
>> It seems like this CVE is fixed after 4.4.0 to me.
>
>Can you rebase and resend then?

[] I rebased and sent a new patch this Tuesday @ 10:49 AM. Do you still want me to send a new one?

ZQ

>
>Thanks,
>Ross