diff options
author | Yogita Urade <yogita.urade@windriver.com> | 2023-09-15 07:34:49 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-09-20 08:55:49 +0100 |
commit | 4ee806cbc12fbc830b09ba6222e96b1e5f24539f (patch) | |
tree | 9c1883b0d80a09021ddf704d8a86354b7a4d6a27 /meta | |
parent | c3d4fbeb51278a04a6800c894c681733ad2259ca (diff) | |
download | openembedded-core-4ee806cbc12fbc830b09ba6222e96b1e5f24539f.tar.gz |
tiff: fix CVE-2023-41175
libtiff: potential integer overflow in raw2tiff.c
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2235264
https://security-tracker.debian.org/tracker/CVE-2023-41175
https://gitlab.com/libtiff/libtiff/-/issues/592
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch | 63 | ||||
-rw-r--r-- | meta/recipes-multimedia/libtiff/tiff_4.5.1.bb | 1 |
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch new file mode 100644 index 0000000000..cca30b2196 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch @@ -0,0 +1,63 @@ +From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001 +From: Arie Haenel <arie.haenel@jct.ac.il> +Date: Thu, 14 Sep 2023 04:36:58 +0000 +Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes + #592) + +CVE: CVE-2023-41175 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c +index 4ee59e5..a811077 100644 +--- a/tools/raw2tiff.c ++++ b/tools/raw2tiff.c +@@ -101,6 +101,7 @@ int main(int argc, char *argv[]) + int fd; + char *outfilename = NULL; + TIFF *out; ++ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/ + + uint32_t row, col, band; + int c; +@@ -221,6 +222,33 @@ int main(int argc, char *argv[]) + if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) + return EXIT_FAILURE; + ++ /* check for integer overflow in */ ++ /* hdr_size + (*width) * (*length) * nbands * depth */ ++ ++ if ((width == 0) || (length == 0) ){ ++ fprintf(stderr, "Too large nbands value specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ ++ temp_limit_check = nbands * depth; ++ ++ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) { ++ fprintf(stderr, "Too large length size specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ temp_limit_check = temp_limit_check * length; ++ ++ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) { ++ fprintf(stderr, "Too large width size specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ temp_limit_check = temp_limit_check * width; ++ ++ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) { ++ fprintf(stderr, "Too large header size specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ + if (outfilename == NULL) + outfilename = argv[optind + 1]; + out = TIFFOpen(outfilename, "w"); +-- +2.35.5 diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb index d002e1b233..2b5e66b8f3 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb @@ -10,6 +10,7 @@ CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-40745.patch \ + file://CVE-2023-41175.patch \ " SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b" |