Re: [OE-core] [master][PATCH] tiff: Security fix for CVE-2022-3970

[Ross Burton]

master has libtiff 4.4.0 so this doesn’t apply.  Is the CVE still valid in that 
release, or has it been fixed?

Ross

> On 22 Nov 2022, at 15:37, Qiu, Zheng via lists.openembedded.org 
> <Zheng.Qiu=windriver....@lists.openembedded.org> wrote:
> 
> This patch contains a fix for CVE-2022-3970
> 
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2022-3970
> https://security-tracker.debian.org/tracker/CVE-2022-3970
> 
> Patch generated from :
> https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
> 
> Upstream-Status: Accepted
> 
> Signed-off-by: Zheng Qiu <zheng....@windriver.com>
> ---
> .../libtiff/tiff/CVE-2022-3970.patch          | 38 +++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
> 2 files changed, 39 insertions(+)
> create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
> 
> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch 
> b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
> new file mode 100644
> index 0000000000..e8f143933a
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch
> @@ -0,0 +1,38 @@
> +From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
> +From: Even Rouault <even.roua...@spatialys.com>
> +Date: Tue, 8 Nov 2022 15:16:58 +0100
> +Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
> + strips/tiles > 2 GB
> +
> +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
> +---
> + libtiff/tif_getimage.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
> +index a4d0c1d6..60b94d8e 100644
> +--- a/libtiff/tif_getimage.c
> ++++ b/libtiff/tif_getimage.c
> +@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, 
> uint32_t row, uint32_t * raster, in
> +         return( ok );
> + 
> +     for( i_row = 0; i_row < read_ysize; i_row++ ) {
> +-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
> +-                 raster + (read_ysize - i_row - 1) * read_xsize,
> ++        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
> ++                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
> +                  read_xsize * sizeof(uint32_t) );
> +-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * 
> tile_xsize+read_xsize,
> ++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * 
> tile_xsize+read_xsize,
> +                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
> +     }
> + 
> +     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
> +-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
> ++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
> +                      0, sizeof(uint32_t) * tile_xsize );
> +     }
> + 
> +-- 
> +2.33.0
> +
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
> b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> index f84057c46b..0fbe515e9d 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
> @@ -24,6 +24,7 @@ SRC_URI = 
> "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
>            file://CVE-2022-34526.patch \
>            file://CVE-2022-2869.patch \
>            file://CVE-2022-2867.patch \
> +           file://CVE-2022-3970.patch \
>            file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
>            "
> 
> -- 
> 2.33.0
> 
> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#173768): 
https://lists.openembedded.org/g/openembedded-core/message/173768
Mute This Topic: https://lists.openembedded.org/mt/95197777/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-