From: Peter Korsgaard <peter@korsgaard.com>
To: Thomas Perale via buildroot <buildroot@buildroot.org>
Cc: Thomas Perale <thomas.perale@mind.be>
Subject: Re: [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176
Date: Wed, 06 Aug 2025 21:55:17 +0200
Message-ID: <87zfccgr8a.fsf@dell.be.48ers.dk>
In-Reply-To: <20250806193107.528541-1-thomas.perale@mind.be> (Thomas Perale via buildroot's message of "Wed, 6 Aug 2025 21:31:06 +0200")
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> Fix the following vulnerability:
> - CVE-2025-8176
> A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
> as critical. This vulnerability affects the function get_histogram of
> the file tools/tiffmedian.c. The manipulation leads to use after free.
> The attack needs to be approached locally. The exploit has been
> disclosed to the public and may be used. The patch is identified as
> fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a
> patch to fix this issue.
> For more information, see:
> - https://www.cve.org/CVERecord?id=CVE-2025-8176
> - https://gitlab.com/libtiff/libtiff/-/merge_requests/727
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> ---
> ...ip-the-first-line-of-the-input-image.patch | 116 ++++++++++++++++++
> package/tiff/tiff.mk | 3 +
> 2 files changed, 119 insertions(+)
> create mode 100644 package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> diff --git a/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> new file mode 100644
> index 0000000000..3bc0f26772
> --- /dev/null
> +++ b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> @@ -0,0 +1,116 @@
> +From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
..
> +From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
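Review bot: the new file 0001-don-t-skip-the-first-line-of-the-input-image.patch contains more than one "From <sha> Mon Sep 17 00:00:00 2001" header (3994cf3b3bc6b54c32f240ca5a412cffa11633fa and ce46f002eca4148497363f80fab33f9396bcbeda are both visible in this hunk), so one patch file named after a single commit subject holds several upstream commits. Split it into one numbered patch file per upstream commit, each named after its own subject, so that each can be reviewed and later dropped on its own. Neither of the two visible hashes matches fe10872e53efba9cc36c66ac4ab3b41a839d5172, which the commit message gives as the fix for CVE-2025-8176; once split, the commit message should say which patch is that fix and why the others are carried with it.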
While it probably works to concatenate 3 commits into a single patch,
that is not how we normally do it here. I would prefer to see the 3
upstream commits as 3 separate patches.
--
Bye, Peter Korsgaard