Message ID | 20240206163027.2727885-1-simone.p.weiss@posteo.com |
---|---|
State | Superseded, archived |
Series | tiff: fix CVE 2023-52356 |
Hi,

On 06/02/2024 at 17:30, simone.p.weiss@posteo.com wrote:
> From: Simone Weiß <simone.p.weiss@posteo.com>
>
> fix CVE 2023-52356
> A segment fault (SEGV) flaw was found in libtiff that could be triggered
> by passing a crafted tiff file to the TIFFReadRGBATileExt() API.
> This flaw allows a remote attacker to cause a heap-buffer overflow, leading
> to a denial of service.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-52356
> https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
>
> Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> ---
> .../libtiff/tiff/CVE-2023-52356.patch | 50 +++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 3 +-
> 2 files changed, 52 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch

Thanks Simone!

Reviewed-by: Yoann Congal <yoann.congal@smile.fr>

> > diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch > new file mode 100644 > index 0000000000..9a6d9a39d9 > --- /dev/null > +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch 
> @@ -0,0 +1,50 @@ > +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 > +From: Even Rouault <even.rouault@spatialys.com> > +Date: Tue, 31 Oct 2023 15:58:41 +0100 > +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of > + col/row (fixes #622) > + > +CVE: CVE-2023-52356 > +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] > + > +Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> > + > +--- > + libtiff/tif_getimage.c | 15 +++++++++++++++ > + 1 file changed, 15 insertions(+) > + > +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c > +index 41f7dfd77..6fee35db2 100644 > +--- a/libtiff/tif_getimage.c > ++++ b/libtiff/tif_getimage.c > +@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster, > + if (TIFFRGBAImageOK(tif, emsg) && > + TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) > + { > ++ if (row >= img.height) > ++ { > ++ TIFFErrorExtR(tif, TIFFFileName(tif), > ++ "Invalid row passed to TIFFReadRGBAStrip()."); > ++ TIFFRGBAImageEnd(&img); > ++ return (0); > ++ } > + > + img.row_offset = row; > + img.col_offset = 0; > +@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster, > + return (0); > + } > + > ++ if (col >= img.width || row >= img.height) > ++ { > ++ TIFFErrorExtR(tif, TIFFFileName(tif), > ++ "Invalid row/col passed to TIFFReadRGBATile()."); > ++ TIFFRGBAImageEnd(&img); > ++ return (0); > ++ } > ++ > + /* > + * The TIFFRGBAImageGet() function doesn't allow us to get off the > + * edge of the image, even to fill an otherwise valid tile. So we > +-- > +2.40.0 > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb > index eb8a096f19..ab658a2a03 100644 > --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb > +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb 
> @@ -13,7 +13,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ > file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \ > file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \ > file://CVE-2023-6228.patch \ > - " > + file://CVE-2023-52356.patch \ > +" > > SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a" >
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch new file mode 100644 index 0000000000..9a6d9a39d9 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch @@ -0,0 +1,50 @@ +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 31 Oct 2023 15:58:41 +0100 +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of + col/row (fixes #622) + +CVE: CVE-2023-52356 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] + +Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> + +--- + libtiff/tif_getimage.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 41f7dfd77..6fee35db2 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster, + if (TIFFRGBAImageOK(tif, emsg) && + TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) + { ++ if (row >= img.height) ++ { ++ TIFFErrorExtR(tif, TIFFFileName(tif), ++ "Invalid row passed to TIFFReadRGBAStrip()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } + + img.row_offset = row; + img.col_offset = 0; +@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster, + return (0); + } + ++ if (col >= img.width || row >= img.height) ++ { ++ TIFFErrorExtR(tif, TIFFFileName(tif), ++ "Invalid row/col passed to TIFFReadRGBATile()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ + /* + * The TIFFRGBAImageGet() function doesn't allow us to get off the + * edge of the image, even to fill an otherwise valid tile. So we +-- +2.40.0 diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index eb8a096f19..ab658a2a03 100644 
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb @@ -13,7 +13,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data-2.patch \ file://CVE-2023-6277-Apply-1-suggestion-s-to-1-file-s.patch \ file://CVE-2023-6228.patch \ - " + file://CVE-2023-52356.patch \ +" SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
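Review bot: the commit message names only TIFFReadRGBATileExt(), but the backported CVE-2023-52356.patch also adds a `row >= img.height` check to TIFFReadRGBAStripExt(); one line in the commit message saying that both entry points gain col/row validation, as the upstream subject does, would make the scope clear to anyone auditing CVE coverage for this recipe. In the strip hunk the check sits inside the block entered after TIFFRGBAImageBegin() succeeds and calls TIFFRGBAImageEnd(&img) before `return (0)`, and the tile hunk does the same cleanup, so the new error paths look complete. The error strings say TIFFReadRGBAStrip() and TIFFReadRGBATile() rather than the Ext names; that matches the upstream commit referenced in Upstream-Status and should stay as it is in a backport.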
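Review bot: in the SRC_URI hunk of tiff_4.6.0.bb the closing quote is removed and re-added with different leading whitespace (`- "` becomes `+"` as shown here), so the hunk rewrites a line it does not need to touch. Keep the closing quote exactly as it was and add only the `file://CVE-2023-52356.patch \` line above it; the diffstat then drops to a single insertion and the list keeps the formatting used by the CVE-2023-6277 and CVE-2023-6228 entries.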