From patchwork Tue Aug 26 10:48:32 2025
X-Patchwork-Submitter: yurade
X-Patchwork-Id: 69149
X-Patchwork-Delegate: steve@sakoman.com
From: yurade
Subject: [OE-core][kirkstone][PATCH 1/3] tiff: fix CVE-2024-13978
Date: Tue, 26 Aug 2025 16:18:32 +0530
Message-ID: <20250826104834.2432179-1-yogita.urade@windriver.com>
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/222437 From: Yogita Urade A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as problematic. Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The patch is named 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply a patch to fix this issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-13978 Upstream patch: https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4 Signed-off-by: Yogita Urade --- .../libtiff/tiff/CVE-2024-13978.patch | 47 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch new file mode 100644 index 0000000000..3a4845d415 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch 
@@ -0,0 +1,47 @@ +From 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Sat, 5 Oct 2024 09:45:30 -0700 +Subject: [PATCH] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid + input, addresses issue #650 + +CVE: CVE-2024-13978 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4] + +Signed-off-by: Yogita Urade +--- + tools/tiff2pdf.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index 63751f1..fef28d1 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1255,9 +1255,25 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + TIFFGetField(input, + TIFFTAG_TILEWIDTH, + &( t2p->tiff_tiles[i].tiles_tilewidth) ); ++ if (t2p->tiff_tiles[i].tiles_tilewidth < 1) ++ { ++ TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s", ++ t2p->tiff_tiles[i].tiles_tilewidth, ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + TIFFGetField(input, + TIFFTAG_TILELENGTH, + &( t2p->tiff_tiles[i].tiles_tilelength) ); ++ if (t2p->tiff_tiles[i].tiles_tilelength < 1) ++ { ++ TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s", ++ t2p->tiff_tiles[i].tiles_tilelength, ++ TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } + t2p->tiff_tiles[i].tiles_tiles = + (T2P_TILE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,t2p->tiff_tiles[i].tiles_tilecount, + sizeof(T2P_TILE)) ); +-- +2.40.0 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 4c9c212312..d5ae82bc7c 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
@@ -59,6 +59,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8176-0002.patch \ file://CVE-2025-8176-0003.patch \ file://CVE-2025-8177.patch \ + file://CVE-2024-13978.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" From patchwork Tue Aug 26 10:48:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 69150 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40BDACA0FED for ; Tue, 26 Aug 2025 10:49:25 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.61382.1756205349111254196 for ; Tue, 26 Aug 2025 03:49:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=jd9bIM6G; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=033363bb87=yogita.urade@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 57Q6Z1HY1038565 for ; Tue, 26 Aug 2025 10:49:08 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=k4fBOIiLc3wvXa36VhA7hTyckaKtG6S7qLO+l2lHlAM=; b=jd9bIM6GHUMr gwx7/W2ROy/QQwzCo8PYcS2gmubg4L429PdsHjp2VLulenjA9IY3gyB161TSRAPm oQpsaMhdo0iimkJ4OsyJLjtF6FFVPh6GNhK0iAZukPdUawajY4lcP4qF/lWGb475 naCWCgadWQxFo5UaU0t097D6aXOSu3lrjQDBubDaC7Wm/va4qEdchJfQCyPUa2QE 
From: yurade
Subject: [OE-core][kirkstone][PATCH 2/3] tiff: fix CVE-2025-8534
Date: Tue, 26 Aug 2025 16:18:33 +0530
Message-ID: <20250826104834.2432179-2-yogita.urade@windriver.com>
In-Reply-To: <20250826104834.2432179-1-yogita.urade@windriver.com>
References: <20250826104834.2432179-1-yogita.urade@windriver.com>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 26 Aug 2025 10:49:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222438 From: Yogita Urade A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used." Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8534 Upstream patch: https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b Signed-off-by: Yogita Urade --- .../libtiff/tiff/CVE-2025-8534.patch | 60 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch new file mode 100644 index 0000000000..59c14e2703 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch 
@@ -0,0 +1,60 @@ +From 6ba36f159fd396ad11bf6b7874554197736ecc8b Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 2 Aug 2025 18:55:54 +0200 +Subject: [PATCH] tiff2ps: check return of TIFFGetFiled() for + TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer + dereference. + +Closes #718 + +CVE: CVE-2025-8534 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b] + +Signed-off-by: Yogita Urade +--- + tools/tiff2ps.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c +index a598ede..05a346a 100644 +--- a/tools/tiff2ps.c ++++ b/tools/tiff2ps.c +@@ -2193,10 +2193,20 @@ PS_Lvl2page(FILE* fd, TIFF* tif, uint32_t w, uint32_t h) + tiled_image = TIFFIsTiled(tif); + if (tiled_image) { + num_chunks = TIFFNumberOfTiles(tif); +- TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, ++ "Can't read bytecounts of tiles at PS_Lvl2page()"); ++ return (FALSE); ++ } + } else { + num_chunks = TIFFNumberOfStrips(tif); +- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, ++ "Can't read bytecounts of strips at PS_Lvl2page()"); ++ return (FALSE); ++ } + } + + if (use_rawdata) { +@@ -2791,7 +2801,11 @@ PSRawDataBW(FILE* fd, TIFF* tif, uint32_t w, uint32_t h) + + (void) w; (void) h; + TIFFGetFieldDefaulted(tif, TIFFTAG_FILLORDER, &fillorder); +- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, "Can't read bytecounts of strips at PSRawDataBW()"); ++ return; ++ } + + /* + * Find largest strip: +-- +2.40.0 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index d5ae82bc7c..137dc7f478 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
@@ -60,6 +60,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8176-0003.patch \ file://CVE-2025-8177.patch \ file://CVE-2024-13978.patch \ + file://CVE-2025-8534.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" From patchwork Tue Aug 26 10:48:34 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yurade X-Patchwork-Id: 69148 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5D904CA0FE9 for ; Tue, 26 Aug 2025 10:49:15 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.61773.1756205350204155125 for ; Tue, 26 Aug 2025 03:49:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=S8kJWQL2; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=033363bb87=yogita.urade@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 57Q6vpcw2366497 for ; Tue, 26 Aug 2025 03:49:09 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=h14PFiUa6m6TBpnF/+siEHLbgq66y3hzXxAswq1YOEQ=; b=S8kJWQL2mJSJ s4C2HXMR0fdI0R5uMk8Qrhe8LlfB9kEM6gkQ1jKJaxOSxCS5slLbLHuMSAnFIMwd hZa/6oIbbJnp+2aNU4oSbzWccsr2078rZbN0tz4gXfOhDLcmAH0pF9Oe3lVlI8Di bXsx4QcjZgylNWoCsVTeM4cQUrp/NGg6zCwcedEdAYDPlPDZgpqQW3pgnDDnKtjg 
From: yurade
Subject: [OE-core][kirkstone][PATCH 3/3] tiff: fix CVE-2025-8851
Date: Tue, 26 Aug 2025 16:18:34 +0530
Message-ID: <20250826104834.2432179-3-yogita.urade@windriver.com>
In-Reply-To: <20250826104834.2432179-1-yogita.urade@windriver.com>
References: <20250826104834.2432179-1-yogita.urade@windriver.com>
X-Webhook-Received: from
li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 26 Aug 2025 10:49:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/222439 From: Yogita Urade A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8851 Upstream patch: https://gitlab.com/libtiff/libtiff/-/commit/8a7a48d7a645992ca83062b3a1873c951661e2b3 Signed-off-by: Yogita Urade --- .../libtiff/tiff/CVE-2025-8851.patch | 71 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 72 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch new file mode 100644 index 0000000000..29089ab833 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch 
@@ -0,0 +1,71 @@ +From 8a7a48d7a645992ca83062b3a1873c951661e2b3 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Sun, 11 Aug 2024 16:01:07 +0000 +Subject: [PATCH] Attempt to address tiffcrop Coverity scan issues 1605444, + 1605445, and 1605449. + +CVE: CVE-2025-8851 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/8a7a48d7a645992ca83062b3a1873c951661e2b3] + +Signed-off-by: Yogita Urade +--- + tools/tiffcrop.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 1b072d4..e16bc2d 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5024,7 +5024,14 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + buff = srcbuffs[s]; + strip = (s * strips_per_sample) + j; + bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); +- rows_this_strip = (uint32_t)(bytes_read / src_rowsize); ++ if (bytes_read < 0) ++ { ++ rows_this_strip = 0; ++ } ++ else ++ { ++ rows_this_strip = (uint32_t)(bytes_read / src_rowsize); ++ } + if (bytes_read < 0 && !ignore) + { + TIFFError(TIFFFileName(in), +@@ -5434,14 +5441,14 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); + } + +- if ((lmargin + rmargin) > image->width) ++ if (lmargin == 0xFFFFFFFFU || rmargin == 0xFFFFFFFFU || (lmargin + rmargin) > image->width) + { + TIFFError("computeInputPixelOffsets", "Combined left and right margins exceed image width"); + lmargin = (uint32_t) 0; + rmargin = (uint32_t) 0; + return (-1); + } +- if ((tmargin + bmargin) > image->length) ++ if (tmargin == 0xFFFFFFFFU || bmargin == 0xFFFFFFFFU || (tmargin + bmargin) > image->length) + { + TIFFError("computeInputPixelOffsets", "Combined top and bottom margins exceed image length"); + tmargin = (uint32_t) 0; +@@ -5977,14 +5984,14 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + vmargin = 
_TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); + } + +- if ((hmargin * 2.0) > (pwidth * page->hres)) ++ if (hmargin == 0xFFFFFFFFU || (hmargin * 2.0) > (pwidth * page->hres)) + { + TIFFError("computeOutputPixelOffsets", + "Combined left and right margins exceed page width"); + hmargin = (uint32_t) 0; + return (-1); + } +- if ((vmargin * 2.0) > (plength * page->vres)) ++ if (vmargin == 0xFFFFFFFFU || (vmargin * 2.0) > (plength * page->vres)) + { + TIFFError("computeOutputPixelOffsets", + "Combined top and bottom margins exceed page length"); +-- +2.40.0 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 137dc7f478..6db4d80cdf 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -61,6 +61,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8177.patch \ file://CVE-2024-13978.patch \ file://CVE-2025-8534.patch \ + file://CVE-2025-8851.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
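Review bot: [PATCH 1/3] In the tools/tiff2pdf.c hunk carried by CVE-2024-13978.patch, both new range checks in t2p_read_tiff_init() test the field after a TIFFGetField() call whose return value is still discarded, so a file that lacks TIFFTAG_TILEWIDTH or TIFFTAG_TILELENGTH is rejected only if tiles_tilewidth or tiles_tilelength already held a value below 1. Folding the lookup into the test, for example `if (!TIFFGetField(input, TIFFTAG_TILEWIDTH, &(t2p->tiff_tiles[i].tiles_tilewidth)) || t2p->tiff_tiles[i].tiles_tilewidth < 1)`, would make the rejection independent of how the struct was initialised. The messages also print the value with %d; if these fields are unsigned, `< 1` is a plain zero test and %u would match the type.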
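Review bot: [PATCH 2/3] In the PS_Lvl2page() hunk of tools/tiff2ps.c (@@ -2193), the new checks carry no comment saying when a tiled or stripped image can lack its byte counts, although the commit message quotes the maintainer that this only happens with DEFER_STRILE_LOAD or the TIFFOpen "rD" mode. A one-line comment above `if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc))` recording that condition would stop the check from looking redundant to a later reader of the backport.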
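Review bot: [PATCH 2/3] In the PSRawDataBW() hunk of tools/tiff2ps.c (@@ -2791), the new failure path ends in a bare `return;`, so unlike PS_Lvl2page(), which returns FALSE, the caller cannot tell that no image data was written and the only signal is the TIFFError() message. If the void signature has to stay for the backport, it is worth confirming that the tool's exit status still reflects the failure, otherwise a truncated PostScript file looks like success to a calling script.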
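Review bot: [PATCH 3/3] In the readSeparateStripsIntoBuffer() hunk of tools/tiffcrop.c (@@ -5024), the else branch still computes `bytes_read / src_rowsize` and nothing in the visible context shows src_rowsize being non-zero at that point. Initialising rows_this_strip to 0 and dividing only when `bytes_read >= 0 && src_rowsize > 0` would cover that case and remove the duplicate `bytes_read < 0` test that now sits directly above the existing `if (bytes_read < 0 && !ignore)`. The commit message spells the function readSeparateStripsetoBuffer, while the hunk header shows readSeparateStripsIntoBuffer, which matters to anyone searching the tree for the affected code.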
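Review bot: [PATCH 3/3] In the computeInputPixelOffsets() hunk of tools/tiffcrop.c (@@ -5434), the 0xFFFFFFFFU tests catch a saturated clamp, but `(lmargin + rmargin) > image->width` can still wrap for two large margins below that value, assuming the margins are 32-bit unsigned as the `(uint32_t) 0` assignments suggest, and a wrapped sum passes the check. Comparing without the addition, for example `lmargin > image->width || rmargin > image->width - lmargin`, removes the wrap; the same applies to tmargin and bmargin against image->length.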
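Review bot: [PATCH 3/3] In the computeOutputPixelOffsets() hunk of tools/tiffcrop.c (@@ -5977), hmargin and vmargin are compared with the bare literal 0xFFFFFFFFU, which only reads correctly to someone who knows it is the value _TIFFClampDoubleToUInt32() is expected to return when it saturates. UINT32_MAX or a short comment next to `if (hmargin == 0xFFFFFFFFU || ...)` would state the intent; the `hmargin * 2.0` comparison is evaluated in double, so it is not exposed to integer wrap.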