diff mbox series

[mickledore] tiff: backport a fix for CVE-2023-2731

Message ID 20230601195149.3558777-1-nat.bailey@windriver.com
State New
Headers show
Series [mickledore] tiff: backport a fix for CVE-2023-2731 | expand

Commit Message

Natasha Bailey June 1, 2023, 7:51 p.m. UTC
From: Natasha Bailey <nat.bailey@windriver.com>

This patch fixes an issue in libtiff's LZWDecode function which could cause a null pointer dereference.

Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
---
 .../libtiff/files/CVE-2023-2731.patch         | 39 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  4 +-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch

Comments

Steve Sakoman June 1, 2023, 8 p.m. UTC | #1
Hi Nat,

Thanks for the patch, just one comment - see below.

On Thu, Jun 1, 2023 at 9:58 AM Nat Bailey via lists.openembedded.org
<nat.bailey=windriver.com@lists.openembedded.org> wrote:
>
> From: Natasha Bailey <nat.bailey@windriver.com>
>
> This patch fixes an issue in libtiff's LZWDecode function which could cause a null pointer dereference.
>
> Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
> ---
>  .../libtiff/files/CVE-2023-2731.patch         | 39 +++++++++++++++++++
>  meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  4 +-
>  2 files changed, 42 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
> new file mode 100644
> index 0000000000..7db0a35f72
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
> @@ -0,0 +1,39 @@
> +From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
> +From: Even Rouault <even.rouault@spatialys.com>
> +Date: Sat, 29 Apr 2023 12:20:46 +0200
> +Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
> + strip whith a missing end-of-information marker (fixes #548)
> +
> +CVE: CVE-2023-2731
> +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b]

You should also add your Signed-off-by here in the patch file too.

Regards,

Steve

> +
> +---
> + libtiff/tif_lzw.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
> +index ba75a07e..d631fa10 100644
> +--- a/libtiff/tif_lzw.c
> ++++ b/libtiff/tif_lzw.c
> +@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s)
> +
> +     if (sp->read_error)
> +     {
> ++        TIFFErrorExtR(tif, module,
> ++                      "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
> ++                      "previous error",
> ++                      tif->tif_row);
> +         return 0;
> +     }
> +
> +@@ -742,6 +746,7 @@ after_loop:
> +     return (1);
> +
> + no_eoi:
> ++    sp->read_error = 1;
> +     TIFFErrorExtR(tif, module,
> +                   "LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
> +                   tif->tif_curstrip);
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
> index f8a2482a84..ce371a15f9 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
> @@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
>  CVE_PRODUCT = "libtiff"
>
>  SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
> -           file://CVE-2022-48281.patch"
> +           file://CVE-2022-48281.patch \
> +           file://CVE-2023-2731.patch \
> +           "
>
>  SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
>
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#182118): https://lists.openembedded.org/g/openembedded-core/message/182118
> Mute This Topic: https://lists.openembedded.org/mt/99272816/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
diff mbox series

Patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
new file mode 100644
index 0000000000..7db0a35f72
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
@@ -0,0 +1,39 @@ 
+From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 29 Apr 2023 12:20:46 +0200
+Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
+ strip whith a missing end-of-information marker (fixes #548)
+
+CVE: CVE-2023-2731
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b]
+
+---
+ libtiff/tif_lzw.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index ba75a07e..d631fa10 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s)
+ 
+     if (sp->read_error)
+     {
++        TIFFErrorExtR(tif, module,
++                      "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
++                      "previous error",
++                      tif->tif_row);
+         return 0;
+     }
+ 
+@@ -742,6 +746,7 @@ after_loop:
+     return (1);
+ 
+ no_eoi:
++    sp->read_error = 1;
+     TIFFErrorExtR(tif, module,
+                   "LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
+                   tif->tif_curstrip);
+-- 
+2.34.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index f8a2482a84..ce371a15f9 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -9,7 +9,9 @@  LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
 CVE_PRODUCT = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
-           file://CVE-2022-48281.patch"
+           file://CVE-2022-48281.patch \
+           file://CVE-2023-2731.patch \
+           "
 
 SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"