kirkstone currently carries tiff version 4.3.0. As described in https://nvd.nist.gov/vuln/detail/CVE-2022-2953, the underlying issue is reported upstream here: https://gitlab.com/libtiff/libtiff/-/issues/414
Tested with libtiff source code on version 4.3.0 by using " /libtiff$ git checkout v3.3.0", and follow the step listed in the bug report, cannot reproduce the bug. Use " /libtiff$ git checkout b51bb157", is able to reproduce the problem following step listed above. That confirms the issue occurred after v3.3.0, and the commit that brings the bug is not on kirkstone, which means the issue/fix is not applicable for kirkstone. Zheng Qiu Linux Developer _______________ Wind River M/ (437) 341-1849 >-----Original Message----- >From: openembedded-core@lists.openembedded.org <openembedded- >c...@lists.openembedded.org> On Behalf Of Teoh, Jay Shen >Sent: Thursday, September 29, 2022 4:33 AM >To: openembedded-core@lists.openembedded.org >Subject: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953 > >[Please note: This e-mail is from an EXTERNAL e-mail address] > >From: Teoh Jay Shen <jay.shen.t...@intel.com> > >Link for the patch : https://gitlab.com/libtiff/libtiff/- >/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3 > >Signed-off-by: Teoh Jay Shen <jay.shen.t...@intel.com> >--- > .../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++ > meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 + > 2 files changed, 87 insertions(+) > create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022- >2953.patch > >diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch >b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch >new file mode 100644 >index 0000000000..2122b46566 >--- /dev/null >+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch 
>@@ -0,0 +1,86 @@ >+CVE: CVE-2022-2953 >+Upstream-Status: Backport >+Signed-off-by: Teoh Jay Shen <jay.shen.t...@intel.com> >+ >+From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 >2001 >+From: Su_Laus <su...@freenet.de> >+Date: Mon, 15 Aug 2022 22:11:03 +0200 >+Subject: [PATCH] >+=?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?= >+ >+=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20 >+ti?= >+=?UTF-8?q?ffcrop=20option=20=E2=80=9E- >S=E2=80=9C=20is=20also=20mutually >+?= >+=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|- >Y),=2 >+0-?= >+ =?UTF-8?q?Z=20and=20-z.?= >+MIME-Version: 1.0 >+Content-Type: text/plain; charset=UTF-8 >+Content-Transfer-Encoding: 8bit >+ >+This is now checked and ends tiffcrop if those arguments are not mutually >exclusive. >+ >+This MR will fix the following tiffcrop issues: #349, #414, #422, #423, >+#424 >+--- >+ tools/tiffcrop.c | 31 ++++++++++++++++--------------- >+ 1 file changed, 16 insertions(+), 15 deletions(-) >+ >+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index >+90286a5e..c3b758ec 100644 >+--- a/tools/tiffcrop.c >++++ b/tools/tiffcrop.c >+@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022"; >+ #define ROTATECW_270 32 >+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) >+ >+-#define CROP_NONE 0 >+-#define CROP_MARGINS 1 >+-#define CROP_WIDTH 2 >+-#define CROP_LENGTH 4 >+-#define CROP_ZONES 8 >+-#define CROP_REGIONS 16 >++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page- >>rows/->cols != 0 */ >++#define CROP_MARGINS 1 /* "-m" */ >++#define CROP_WIDTH 2 /* "-X" */ >++#define CROP_LENGTH 4 /* "-Y" */ >++#define CROP_ZONES 8 /* "-Z" */ >++#define CROP_REGIONS 16 /* "-z" */ >+ #define CROP_ROTATE 32 >+ #define CROP_MIRROR 64 >+ #define CROP_INVERT 128 >+@@ -316,7 +316,7 @@ struct crop_mask { >+ #define PAGE_MODE_RESOLUTION 1 >+ #define PAGE_MODE_PAPERSIZE 2 >+ #define PAGE_MODE_MARGINS 4 >+-#define PAGE_MODE_ROWSCOLS 8 
>++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ >+ >+ #define INVERT_DATA_ONLY 10 >+ #define INVERT_DATA_AND_TAG 11 >+@@ -781,7 +781,7 @@ static const char usage_info[] = >+ " The four debug/dump options are independent, though it makes >little sense to\n" >+ " specify a dump file without specifying a detail level.\n" >+ "\n" >+-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" >++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" >+ " In no case should the options be applied to a given selection >successively.\n" >+ "\n" >+ ; >+@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char >*argv[], char *mp, char *mode, uint32 >+ /*NOTREACHED*/ >+ } >+ } >+- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are >mutually exclusive) --*/ >+- char XY, Z, R; >++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S >are >mutually exclusive) --*/ >++ char XY, Z, R, S; >+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data- >>crop_mode & CROP_LENGTH)); >+ Z = (crop_data->crop_mode & CROP_ZONES); >+ R = (crop_data->crop_mode & CROP_REGIONS); >+- if ((XY && Z) || (XY && R) || (Z && R)) { >+- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and >-z are >mutually exclusive.->Exit"); >++ S = (page->mode & PAGE_MODE_ROWSCOLS); >++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && >S)) >{ >++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), >++ -Z, -z and -S are mutually exclusive.->Exit"); >+ exit(EXIT_FAILURE); >+ } >+ } /* end process_command_opts */ >+-- >+2.34.1 >+ >diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes- >multimedia/libtiff/tiff_4.4.0.bb >index e30df0b3e9..caf6f60479 100644 >--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb >+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb 
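Review bot: The patch header says only `Upstream-Status: Backport`, and the embedded `From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf` line does not match the commit linked in the submission text (48d6ece8389b01129e7d357f0985c8f938ce3da3). The two may be the merge-request commit and the merged commit, but the header should name the exact upstream source so the backport can be audited, e.g. `Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3]`. In the tiffcrop.c part, `S = (page->mode & PAGE_MODE_ROWSCOLS);` stores a mask result in a `char` like the existing XY/Z/R lines; that is safe for the values visible here (8 and 16), but `(page->mode & PAGE_MODE_ROWSCOLS) != 0` would state the flag intent and survive a future mask above 0x80. The `TIFFError(...)` string literal appears split across two `+` lines in this copy, which is probably mail wrapping, so confirm that the patch file as committed applies cleanly. `process_command_opts` begins outside the hunk.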
>@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff" > SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ > file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \ > file://CVE-2022-34526.patch \ >+ file://CVE-2022-2953.patch \ > " > > SRC_URI[sha256sum] = >"917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed >" >-- >2.37.3
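Review bot: The recipe file name does not match the branch in the subject: the `file://CVE-2022-2953.patch` line is added to `tiff_4.4.0.bb`, while the subject is tagged kirkstone and the reply at the top of this message states that kirkstone carries tiff 4.3.0. The target branch should be confirmed before this is applied. If the reply's finding holds (the commit that introduced the bug is not in the kirkstone source), CVE scanning will keep reporting the issue unless the recipe records that it does not apply, for example `CVE_CHECK_IGNORE += "CVE-2022-2953"` with a comment above it naming the upstream issue and the reason. The reply's checkout command names `v3.3.0` rather than 4.3.0, so the reproduction should be repeated against the exact tag kirkstone builds before the CVE is marked as not applicable.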