From patchwork Sun Mar 8 22:42:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 82827 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4EA57EA8549 for ; Sun, 8 Mar 2026 22:42:58 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1598.1773009770395843910 for ; Sun, 08 Mar 2026 15:42:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=VPPhMQCf; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20260308224247a63b0621dd0002071e-4moe76@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20260308224247a63b0621dd0002071e for ; Sun, 08 Mar 2026 23:42:47 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=/bC2JrwXrc+tJtgfoxWUwaZbwJDeylcxBk3kONminLY=; b=VPPhMQCfB0/fn9ljQ5BQfTlX9z7b83YbbXSBimHWRMCfroEU1pMCzddIwfSoqButt34bsF VFpVpiAttwf+LWLY8iAUBYVD/7/HjI/NZ6E5nJ5yd2e+kvLqdQjhfDzIcvk8e4Qag18fThO/ 1CedPbPpqbiXrUnanDRR2V6QkEi6Vr9QxfXlwjfwLYRYfnzr0oS0zaJ65YM3PJFmlXxL4Qct DAJ/5BfmdMEBfBd1x/uWSVogxAh3ctnApYeWISg2D9fj/Un7bZTMfuTuYOFe8YacoL1nWGR/ XPEi85KJBcBXc2ywP6da7c1akNBCJjW/QEkUy1MaAJ9+A/EYx0pnG5ag==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 1/3] tiff: patch CVE-2025-61143 Date: Sun, 8 Mar 2026 23:42:38 +0100 Message-Id: <20260308224240.60802-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 08 Mar 2026 22:42:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232669 From: Peter Marko Pick patch from merge request mentioned in NVD report. Signed-off-by: Peter Marko --- .../libtiff/tiff/CVE-2025-61143.patch | 44 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-61143.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-61143.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-61143.patch new file mode 100644 index 00000000000..ed0438fec97 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-61143.patch @@ -0,0 +1,44 @@ +From 4d28af5fe61b1760f10981f5072ff1e6fd44f210 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Fri, 5 Sep 2025 21:44:49 +0000 +Subject: [PATCH] tiffcrop: avoid nullptr dereference + +Fixes #734 + +CVE: CVE-2025-61143 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/4d28af5fe61b1760f10981f5072ff1e6fd44f210] +Signed-off-by: Peter Marko +--- + tools/tiffcrop.c | 2 +- + tools/tiffdither.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ae414efc..1cbb49b6 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2561,7 +2561,7 @@ main(int argc, char* argv[]) + + if (dump.outfile != NULL) + { +- dump_info (dump.outfile, dump.format, "", "Completed run for %s", TIFFFileName(out)); ++ dump_info (dump.outfile, dump.format, "", "Completed run for %s", out ? TIFFFileName(out) : "(not opened)"); + fclose (dump.outfile); + } + } +diff --git a/tools/tiffdither.c b/tools/tiffdither.c +index 3c64fdc0..405527c7 100644 +--- a/tools/tiffdither.c ++++ b/tools/tiffdither.c +@@ -84,6 +84,11 @@ fsdither(TIFF* in, TIFF* out) + fprintf(stderr, "Out of memory.\n"); + goto skip_on_error; + } ++ if (imagewidth > TIFFScanlineSize(in)) ++ { ++ fprintf(stderr, "Image width exceeds scanline size.\n"); ++ goto skip_on_error; ++ } + + /* + * Get first line diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 84c3028b458..4c2b0a800b4 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -65,6 +65,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-9900.patch \ file://CVE-2025-8961.patch \ file://CVE-2025-9165.patch \ + file://CVE-2025-61143.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" From patchwork Sun Mar 8 22:42:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 82828 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D9EEEA8548 for ; Sun, 8 Mar 2026 22:42:58 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1648.1773009776985057619 for ; Sun, 08 Mar 2026 15:42:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=D+QTIE2Z; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20260308224254f16a250ea900020707-zadalg@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20260308224254f16a250ea900020707 for ; Sun, 08 Mar 2026 23:42:54 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=osXK2doqGxQ2CpdteOSXyYpILvv66nddk90RSk1s1EQ=; b=D+QTIE2ZZzZ//c2YGslAyEa5cQshO5ynINaK/DoIALfYfNUKby1qI7Zu4bWs9Xd13MgCx6 mSivOCH1KfPg5vxSGzy0VbroDWoLajazSY1vK5VDzt9M3H1NM13Q6v+e/VK5Q95t6iX9weE8 XqK6t5aWvZ+vcdiwDlqXofj56MZFhe3sGoD+2jlXw4Q2sRw2cdFgSOglYn6ZAC3ItLl2nqOH yH+ODZm3ds0wMQDwERi4wc/Uxyr/W95eSwnlD8Gkm/XKoU9UKtq945d11YhMMg3i1MwrNmPf bFsl1AHmIg5N10MjL2xQWcBueIN8sa8e+n35G7N2RoyWBJQK9vBD9jqw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 2/3] tiff: patch CVE-2025-61144 Date: Sun, 8 Mar 2026 23:42:39 +0100 Message-Id: <20260308224240.60802-2-peter.marko@siemens.com> In-Reply-To: <20260308224240.60802-1-peter.marko@siemens.com> References: <20260308224240.60802-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 08 Mar 2026 22:42:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232670 From: Peter Marko Pick patch from merge request mentioned in NVD report. Signed-off-by: Peter Marko --- .../libtiff/tiff/CVE-2025-61144.patch | 27 +++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-61144.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-61144.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-61144.patch new file mode 100644 index 00000000000..8b25cdfab9e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-61144.patch @@ -0,0 +1,27 @@ +From 88cf9dbb48f6e172629795ecffae35d5052f68aa Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Fri, 5 Sep 2025 21:46:03 +0000 +Subject: [PATCH] tiffcrop: avoid buffer overflow + +Fixes #740 + +CVE: CVE-2025-61144 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/88cf9dbb48f6e172629795ecffae35d5052f68aa] +Signed-off-by: Peter Marko +--- + tools/tiffcrop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ae414efc..afa1cce5 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -3913,7 +3913,7 @@ combineSeparateSamplesBytes (unsigned char *srcbuffs[], unsigned char *out, + { + if ((dumpfile != NULL) && (level == 2)) + { +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + dump_info (dumpfile, format, "combineSeparateSamplesBytes","Input data, Sample %"PRIu16, s); + dump_buffer(dumpfile, format, 1, cols, row, srcbuffs[s] + (row * src_rowsize)); diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 4c2b0a800b4..02fc956c232 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -66,6 +66,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2025-8961.patch \ file://CVE-2025-9165.patch \ file://CVE-2025-61143.patch \ + file://CVE-2025-61144.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" From patchwork Sun Mar 8 22:42:40 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 82829 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2E24EEA8549 for ; Sun, 8 Mar 2026 22:43:08 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1601.1773009781997132197 for ; Sun, 08 Mar 2026 15:43:02 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=WdKD5ukL; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-20260308224300d08836b1f7000207b8-76i82b@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 20260308224300d08836b1f7000207b8 for ; Sun, 08 Mar 2026 23:43:00 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=AnqM8RCf5gMoNoXnu5m1IBbwH/u8z3Qo0OK4BlqGsCw=; b=WdKD5ukL5Xx2qebFpSeqg0cuJ34G+Qp14t8gA9TQqWUS+w7byFEMbzLhSLecehNs/FX37z w8ZjN1G1jS9EGbSUFalQCPBQs73RVcrts6mS9SK6yShMK9r68xtDh/SWDRslb3yp6NnO4U8x n2UYfrsiLsJO4BL8B8cC2JRqJGSx/73NIZHFhbVF30fJq3fz5ZjF6Yi6gx4ZH72AiYW0OSit MOBYmSM9XalPBiyL3OIeAOuYZlFOhBTRSnBVTvTBTVGf6K3HhoxWVNRTJJUz4aSsU1Y2rNV0 rEroBgyexqid1iHBraW3bpAeT+yPeTLBPdFoTgtJM6yQu71aSD4J4MZw==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][kirkstone][PATCH 3/3] tiff: set status of CVE-2025-61145 as fixed by patch for CVE-2025-8961 Date: Sun, 8 Mar 2026 23:42:40 +0100 Message-Id: <20260308224240.60802-3-peter.marko@siemens.com> In-Reply-To: <20260308224240.60802-1-peter.marko@siemens.com> References: <20260308224240.60802-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 08 Mar 2026 22:43:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232671 From: Peter Marko Gitlab issues for these two CVEs mentioned in NVD inks lead to the same merge request. Signed-off-by: Peter Marko --- meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch index 05b11a866e7..f87eaeb1084 100644 --- a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch @@ -6,6 +6,7 @@ Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5] CVE: CVE-2025-8961 +CVE: CVE-2025-61145 Signed-off-by: Vijay Anusuri --- tools/tiffcrop.c | 8 +++++++-