* [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176
@ 2025-08-06 20:20 Thomas Perale via buildroot
2025-08-06 20:20 ` [Buildroot] [PATCH 2/2] package/tiff: add patch to fix CVE-2025-8177 Thomas Perale via buildroot
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Thomas Perale via buildroot @ 2025-08-06 20:20 UTC (permalink / raw)
To: buildroot
Fix the following vulnerability:
- CVE-2025-8176
A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
as critical. This vulnerability affects the function get_histogram of
the file tools/tiffmedian.c. The manipulation leads to use after free.
The attack needs to be approached locally. The exploit has been
disclosed to the public and may be used. The patch is identified as
fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-8176
- https://gitlab.com/libtiff/libtiff/-/merge_requests/727
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
v1 -> v2: split the CVE-2025-8176 fix into multiple patches
---
...ip-the-first-line-of-the-input-image.patch | 61 +++++++++++++++++++
package/tiff/0002-fix-tiffmedian-bug.patch | 31 ++++++++++
package/tiff/0003-conflict-resolution.patch | 28 +++++++++
package/tiff/tiff.mk | 3 +
4 files changed, 123 insertions(+)
create mode 100644 package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
create mode 100644 package/tiff/0002-fix-tiffmedian-bug.patch
create mode 100644 package/tiff/0003-conflict-resolution.patch
diff --git a/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
new file mode 100644
index 0000000000..bdf4bd8e94
--- /dev/null
+++ b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
@@ -0,0 +1,61 @@
+From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH] Don't skip the first line of the input image. Addresses
+ issue #703
+
+Upstream: https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa
+CVE: CVE-2025-8176
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index 714fe03d4..bfed6df18 100644
+--- a/tools/tiffdither.c
++++ b/tools/tiffdither.c
+@@ -98,7 +98,7 @@ static int fsdither(TIFF *in, TIFF *out)
+ nextptr = nextline;
+ for (j = 0; j < imagewidth; ++j)
+ *nextptr++ = *inptr++;
+- for (i = 1; i < imagelength; ++i)
++ for (i = 0; i < imagelength; ++i)
+ {
+ tmpptr = thisline;
+ thisline = nextline;
+@@ -146,7 +146,7 @@ static int fsdither(TIFF *in, TIFF *out)
+ nextptr[0] += v / 16;
+ }
+ }
+- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ goto skip_on_error;
+ }
+ goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 02b0bc2b4..f6cf26c2c 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -917,7 +917,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+ outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+
+ GetInputLine(in, 0, goto bad); /* get first line */
+- for (i = 1; i <= imagelength; ++i)
++ for (i = 0; i <= imagelength; ++i)
+ {
+ SWAP(short *, thisline, nextline);
+ lastline = (i >= imax);
+@@ -997,7 +997,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+ nextptr += 3;
+ }
+ }
+- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ break;
+ }
+ bad:
+--
+GitLab
+
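Review bot: In the tiffmedian.c part of 0001, quant_fsdither now loops with 'for (i = 0; i <= imagelength; ++i)' while the write at the end of the body changes from row 'i - 1' to row 'i', so the final iteration hands row index imagelength to TIFFWriteScanline, one past the last row. The bound is only brought back to 'i < imagelength' by 0003-conflict-resolution.patch, so 0001 must not be carried without 0003. The commit message should say so, because the subject of 0003 does not reveal that it completes this change. The tiffdither.c hunks already use 'i < imagelength' and have no such intermediate state.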
diff --git a/package/tiff/0002-fix-tiffmedian-bug.patch b/package/tiff/0002-fix-tiffmedian-bug.patch
new file mode 100644
index 0000000000..880bade7d8
--- /dev/null
+++ b/package/tiff/0002-fix-tiffmedian-bug.patch
@@ -0,0 +1,31 @@
+From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:25:16 -0700
+Subject: [PATCH] Fix tiffmedian bug #707
+
+Upstream: https://gitlab.com/libtiff/libtiff/-/merge_requests/727/diffs?commit_id=ce46f002eca4148497363f80fab33f9396bcbeda
+CVE: CVE-2025-8176
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ tools/tiffmedian.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index f6cf26c2c..8c9978bab 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -414,7 +414,10 @@ static void get_histogram(TIFF *in, Colorbox *box)
+ for (i = 0; i < imagelength; i++)
+ {
+ if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+- break;
++ {
++ fprintf(stderr, "Error reading scanline\n");
++ exit(EXIT_FAILURE);
++ }
+ inptr = inputline;
+ for (j = imagewidth; j-- > 0;)
+ {
+--
+GitLab
+
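Review bot: In the get_histogram hunk of 0002, the new failure path prints only "Error reading scanline" and then calls exit(EXIT_FAILURE) from inside a static void helper, so the message does not say which row failed and control never returns to the caller. Replacing the old 'break' this way does keep the tool from carrying on past the loop after a failed TIFFReadScanline, but adding the row index i to the message would help triage; that change belongs upstream rather than in a local deviation. Separately, the Upstream: tag is a merge-request diff URL (merge_requests/727/diffs?commit_id=...) whereas 0001 uses a /-/commit/ URL; the commit form for ce46f002eca4148497363f80fab33f9396bcbeda would be consistent with 0001.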
diff --git a/package/tiff/0003-conflict-resolution.patch b/package/tiff/0003-conflict-resolution.patch
new file mode 100644
index 0000000000..0c16aa3271
--- /dev/null
+++ b/package/tiff/0003-conflict-resolution.patch
@@ -0,0 +1,28 @@
+From ecc4ddbf1f0fed7957d1e20361e37f01907898e0 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:38:09 -0700
+Subject: [PATCH] conflict resolution
+
+Upstream: https://gitlab.com/libtiff/libtiff/-/merge_requests/727/diffs?commit_id=ecc4ddbf1f0fed7957d1e20361e37f01907898e0
+CVE: CVE-2025-8176
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ tools/tiffmedian.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 8c9978bab..47e0524bc 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -920,7 +920,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+ outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+
+ GetInputLine(in, 0, goto bad); /* get first line */
+- for (i = 0; i <= imagelength; ++i)
++ for (i = 0; i < imagelength; ++i)
+ {
+ SWAP(short *, thisline, nextline);
+ lastline = (i >= imax);
+--
+GitLab
+
diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
index 5d7219d7da..bd95fdca7f 100644
--- a/package/tiff/tiff.mk
+++ b/package/tiff/tiff.mk
@@ -13,6 +13,9 @@ TIFF_CPE_ID_VENDOR = libtiff
TIFF_CPE_ID_PRODUCT = libtiff
TIFF_INSTALL_STAGING = YES
+# 0001-don-t-skip-the-first-line-of-the-input-image.patch, 0002-fix-tiffmedian-bug.patch, 0003-conflict-resolution.patch
+TIFF_IGNORE_CVES += CVE-2025-8176
+
# webp has a (optional) dependency on tiff, so we can't have webp
# support in tiff, or that would create a circular dependency.
TIFF_CONF_OPTS = \
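Review bot: The comment above 'TIFF_IGNORE_CVES += CVE-2025-8176' puts all three patch file names on a single line well past 80 columns. One file name per comment line would read more easily and keep later changes to this list to one-line diffs.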
--
2.50.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH 2/2] package/tiff: add patch to fix CVE-2025-8177
2025-08-06 20:20 [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176 Thomas Perale via buildroot
@ 2025-08-06 20:20 ` Thomas Perale via buildroot
2025-08-08 14:37 ` Peter Korsgaard
2025-08-08 14:37 ` [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176 Peter Korsgaard
2025-08-14 20:32 ` Thomas Perale via buildroot
2 siblings, 1 reply; 8+ messages in thread
From: Thomas Perale via buildroot @ 2025-08-06 20:20 UTC (permalink / raw)
To: buildroot
Fix the following vulnerability:
- CVE-2025-8177
A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as
critical. This issue affects the function setrow of the file
tools/thumbnail.c. The manipulation leads to buffer overflow. An
attack has to be approached locally. The patch is named
e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a
patch to fix this issue. This vulnerability only affects products that
are no longer supported by the maintainer.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-8177
- https://gitlab.com/libtiff/libtiff/-/merge_requests/737
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
v1 -> v2: renamed the patch from 0002 to 0004
---
.../tiff/0004-fix-for-thumbnail-issue.patch | 35 +++++++++++++++++++
package/tiff/tiff.mk | 3 ++
2 files changed, 38 insertions(+)
create mode 100644 package/tiff/0004-fix-for-thumbnail-issue.patch
diff --git a/package/tiff/0004-fix-for-thumbnail-issue.patch b/package/tiff/0004-fix-for-thumbnail-issue.patch
new file mode 100644
index 0000000000..237306f6c2
--- /dev/null
+++ b/package/tiff/0004-fix-for-thumbnail-issue.patch
@@ -0,0 +1,35 @@
+From e8de4dc1f923576dce9d625caeebd93f9db697e1 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Wed, 25 Jun 2025 17:14:18 +0000
+Subject: [PATCH] Fix for thumbnail issue #715
+
+CVE: CVE-2025-8177
+Upstream: https://gitlab.com/libtiff/libtiff/-/commit/e8de4dc1f923576dce9d625caeebd93f9db697e1
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ tools/thumbnail.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index 9cade913..7e21f521 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -620,7 +620,15 @@ static void setrow(uint8_t *row, uint32_t nrows, const uint8_t *rows[])
+ }
+ acc += bits[*src & mask1];
+ }
+- *row++ = cmap[(255 * acc) / area];
++ if (255 * acc / area < 256)
++ {
++ *row++ = cmap[(255 * acc) / area];
++ }
++ else
++ {
++ fprintf(stderr, "acc=%d, area=%d\n", acc, area);
++ *row++ = cmap[0];
++ }
+ }
+ }
+
+--
+GitLab
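Review bot: In the setrow hunk of 0004, the new condition '255 * acc / area < 256' bounds the cmap index only from above and performs the division before anything in the visible lines checks that area is nonzero, so it is worth confirming that upstream guarantees area > 0 and a non-negative acc at this point. The else branch writes "acc=%d, area=%d" to stderr with no program or file context each time the check fails, and the %d specifiers need to match the declared types of acc and area, which the hunk does not show. Finally, the commit message quotes the fix id e8c9d6c616b19438695fd829e58ae4fde5bfbc22 while the patch header and Upstream: tag carry e8de4dc1f923576dce9d625caeebd93f9db697e1; a line stating how the two relate would save the next reader the lookup.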
diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
index bd95fdca7f..3d426fad4d 100644
--- a/package/tiff/tiff.mk
+++ b/package/tiff/tiff.mk
@@ -16,6 +16,9 @@ TIFF_INSTALL_STAGING = YES
# 0001-don-t-skip-the-first-line-of-the-input-image.patch, 0002-fix-tiffmedian-bug.patch, 0003-conflict-resolution.patch
TIFF_IGNORE_CVES += CVE-2025-8176
+# 0004-fix-for-thumbnail-issue.patch
+TIFF_IGNORE_CVES += CVE-2025-8177
+
# webp has a (optional) dependency on tiff, so we can't have webp
# support in tiff, or that would create a circular dependency.
TIFF_CONF_OPTS = \
--
2.50.1
* Re: [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176
2025-08-06 20:20 [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176 Thomas Perale via buildroot
2025-08-06 20:20 ` [Buildroot] [PATCH 2/2] package/tiff: add patch to fix CVE-2025-8177 Thomas Perale via buildroot
@ 2025-08-08 14:37 ` Peter Korsgaard
2025-08-14 20:32 ` Thomas Perale via buildroot
2 siblings, 0 replies; 8+ messages in thread
From: Peter Korsgaard @ 2025-08-08 14:37 UTC (permalink / raw)
To: Thomas Perale via buildroot; +Cc: Thomas Perale
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> Fix the following vulnerability:
> - CVE-2025-8176
> A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
> as critical. This vulnerability affects the function get_histogram of
> the file tools/tiffmedian.c. The manipulation leads to use after free.
> The attack needs to be approached locally. The exploit has been
> disclosed to the public and may be used. The patch is identified as
> fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a
> patch to fix this issue.
> For more information, see:
> - https://www.cve.org/CVERecord?id=CVE-2025-8176
> - https://gitlab.com/libtiff/libtiff/-/merge_requests/727
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> ---
> v1 -> v2: split the CVE-2025-8176 fix into multiple patches
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176
2025-08-06 20:20 [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176 Thomas Perale via buildroot
2025-08-06 20:20 ` [Buildroot] [PATCH 2/2] package/tiff: add patch to fix CVE-2025-8177 Thomas Perale via buildroot
2025-08-08 14:37 ` [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176 Peter Korsgaard
@ 2025-08-14 20:32 ` Thomas Perale via buildroot
2 siblings, 0 replies; 8+ messages in thread
From: Thomas Perale via buildroot @ 2025-08-14 20:32 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
In reply to:
> Fix the following vulnerability:
>
> - CVE-2025-8176
>
> A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
> as critical. This vulnerability affects the function get_histogram of
> the file tools/tiffmedian.c. The manipulation leads to use after free.
> The attack needs to be approached locally. The exploit has been
> disclosed to the public and may be used. The patch is identified as
> fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a
> patch to fix this issue.
>
> For more information, see:
> - https://www.cve.org/CVERecord?id=CVE-2025-8176
> - https://gitlab.com/libtiff/libtiff/-/merge_requests/727
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2025.05.x. Thanks
> ---
> v1 -> v2: split the CVE-2025-8176 fix into multiple patches
> ---
> ...ip-the-first-line-of-the-input-image.patch | 61 +++++++++++++++++++
> package/tiff/0002-fix-tiffmedian-bug.patch | 31 ++++++++++
> package/tiff/0003-conflict-resolution.patch | 28 +++++++++
> package/tiff/tiff.mk | 3 +
> 4 files changed, 123 insertions(+)
> create mode 100644 package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> create mode 100644 package/tiff/0002-fix-tiffmedian-bug.patch
> create mode 100644 package/tiff/0003-conflict-resolution.patch
>
> diff --git a/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> new file mode 100644
> index 0000000000..bdf4bd8e94
> --- /dev/null
> +++ b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> @@ -0,0 +1,61 @@
> +From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
> +From: Lee Howard <faxguy@howardsilvan.com>
> +Date: Mon, 19 May 2025 10:53:30 -0700
> +Subject: [PATCH] Don't skip the first line of the input image. Addresses
> + issue #703
> +
> +Upstream: https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa
> +CVE: CVE-2025-8176
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + tools/tiffdither.c | 4 ++--
> + tools/tiffmedian.c | 4 ++--
> + 2 files changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/tools/tiffdither.c b/tools/tiffdither.c
> +index 714fe03d4..bfed6df18 100644
> +--- a/tools/tiffdither.c
> ++++ b/tools/tiffdither.c
> +@@ -98,7 +98,7 @@ static int fsdither(TIFF *in, TIFF *out)
> + nextptr = nextline;
> + for (j = 0; j < imagewidth; ++j)
> + *nextptr++ = *inptr++;
> +- for (i = 1; i < imagelength; ++i)
> ++ for (i = 0; i < imagelength; ++i)
> + {
> + tmpptr = thisline;
> + thisline = nextline;
> +@@ -146,7 +146,7 @@ static int fsdither(TIFF *in, TIFF *out)
> + nextptr[0] += v / 16;
> + }
> + }
> +- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
> ++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
> + goto skip_on_error;
> + }
> + goto exit_label;
> +diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
> +index 02b0bc2b4..f6cf26c2c 100644
> +--- a/tools/tiffmedian.c
> ++++ b/tools/tiffmedian.c
> +@@ -917,7 +917,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
> + outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
> +
> + GetInputLine(in, 0, goto bad); /* get first line */
> +- for (i = 1; i <= imagelength; ++i)
> ++ for (i = 0; i <= imagelength; ++i)
> + {
> + SWAP(short *, thisline, nextline);
> + lastline = (i >= imax);
> +@@ -997,7 +997,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
> + nextptr += 3;
> + }
> + }
> +- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
> ++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
> + break;
> + }
> + bad:
> +--
> +GitLab
> +
> diff --git a/package/tiff/0002-fix-tiffmedian-bug.patch b/package/tiff/0002-fix-tiffmedian-bug.patch
> new file mode 100644
> index 0000000000..880bade7d8
> --- /dev/null
> +++ b/package/tiff/0002-fix-tiffmedian-bug.patch
> @@ -0,0 +1,31 @@
> +From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
> +From: Lee Howard <faxguy@howardsilvan.com>
> +Date: Sat, 24 May 2025 21:25:16 -0700
> +Subject: [PATCH] Fix tiffmedian bug #707
> +
> +Upstream: https://gitlab.com/libtiff/libtiff/-/merge_requests/727/diffs?commit_id=ce46f002eca4148497363f80fab33f9396bcbeda
> +CVE: CVE-2025-8176
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + tools/tiffmedian.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
> +index f6cf26c2c..8c9978bab 100644
> +--- a/tools/tiffmedian.c
> ++++ b/tools/tiffmedian.c
> +@@ -414,7 +414,10 @@ static void get_histogram(TIFF *in, Colorbox *box)
> + for (i = 0; i < imagelength; i++)
> + {
> + if (TIFFReadScanline(in, inputline, i, 0) <= 0)
> +- break;
> ++ {
> ++ fprintf(stderr, "Error reading scanline\n");
> ++ exit(EXIT_FAILURE);
> ++ }
> + inptr = inputline;
> + for (j = imagewidth; j-- > 0;)
> + {
> +--
> +GitLab
> +
> diff --git a/package/tiff/0003-conflict-resolution.patch b/package/tiff/0003-conflict-resolution.patch
> new file mode 100644
> index 0000000000..0c16aa3271
> --- /dev/null
> +++ b/package/tiff/0003-conflict-resolution.patch
> @@ -0,0 +1,28 @@
> +From ecc4ddbf1f0fed7957d1e20361e37f01907898e0 Mon Sep 17 00:00:00 2001
> +From: Lee Howard <faxguy@howardsilvan.com>
> +Date: Sat, 24 May 2025 21:38:09 -0700
> +Subject: [PATCH] conflict resolution
> +
> +Upstream: https://gitlab.com/libtiff/libtiff/-/merge_requests/727/diffs?commit_id=ecc4ddbf1f0fed7957d1e20361e37f01907898e0
> +CVE: CVE-2025-8176
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + tools/tiffmedian.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
> +index 8c9978bab..47e0524bc 100644
> +--- a/tools/tiffmedian.c
> ++++ b/tools/tiffmedian.c
> +@@ -920,7 +920,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
> + outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
> +
> + GetInputLine(in, 0, goto bad); /* get first line */
> +- for (i = 0; i <= imagelength; ++i)
> ++ for (i = 0; i < imagelength; ++i)
> + {
> + SWAP(short *, thisline, nextline);
> + lastline = (i >= imax);
> +--
> +GitLab
> +
> diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
> index 5d7219d7da..bd95fdca7f 100644
> --- a/package/tiff/tiff.mk
> +++ b/package/tiff/tiff.mk
> @@ -13,6 +13,9 @@ TIFF_CPE_ID_VENDOR = libtiff
> TIFF_CPE_ID_PRODUCT = libtiff
> TIFF_INSTALL_STAGING = YES
>
> +# 0001-don-t-skip-the-first-line-of-the-input-image.patch, 0002-fix-tiffmedian-bug.patch, 0003-conflict-resolution.patch
> +TIFF_IGNORE_CVES += CVE-2025-8176
> +
> # webp has a (optional) dependency on tiff, so we can't have webp
> # support in tiff, or that would create a circular dependency.
> TIFF_CONF_OPTS = \
> --
> 2.50.1
>
* [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176
@ 2025-08-06 19:31 Thomas Perale via buildroot
2025-08-06 19:55 ` Peter Korsgaard
0 siblings, 1 reply; 8+ messages in thread
From: Thomas Perale via buildroot @ 2025-08-06 19:31 UTC (permalink / raw)
To: buildroot
Fix the following vulnerability:
- CVE-2025-8176
A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
as critical. This vulnerability affects the function get_histogram of
the file tools/tiffmedian.c. The manipulation leads to use after free.
The attack needs to be approached locally. The exploit has been
disclosed to the public and may be used. The patch is identified as
fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-8176
- https://gitlab.com/libtiff/libtiff/-/merge_requests/727
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
...ip-the-first-line-of-the-input-image.patch | 116 ++++++++++++++++++
package/tiff/tiff.mk | 3 +
2 files changed, 119 insertions(+)
create mode 100644 package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
diff --git a/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
new file mode 100644
index 0000000000..3bc0f26772
--- /dev/null
+++ b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
@@ -0,0 +1,116 @@
+From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH] Don't skip the first line of the input image. Addresses
+ issue #703
+
+Upstream: https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172.patch
+CVE: CVE-2025-8176
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index 714fe03d4..bfed6df18 100644
+--- a/tools/tiffdither.c
++++ b/tools/tiffdither.c
+@@ -98,7 +98,7 @@ static int fsdither(TIFF *in, TIFF *out)
+ nextptr = nextline;
+ for (j = 0; j < imagewidth; ++j)
+ *nextptr++ = *inptr++;
+- for (i = 1; i < imagelength; ++i)
++ for (i = 0; i < imagelength; ++i)
+ {
+ tmpptr = thisline;
+ thisline = nextline;
+@@ -146,7 +146,7 @@ static int fsdither(TIFF *in, TIFF *out)
+ nextptr[0] += v / 16;
+ }
+ }
+- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ goto skip_on_error;
+ }
+ goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 02b0bc2b4..f6cf26c2c 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -917,7 +917,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+ outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+
+ GetInputLine(in, 0, goto bad); /* get first line */
+- for (i = 1; i <= imagelength; ++i)
++ for (i = 0; i <= imagelength; ++i)
+ {
+ SWAP(short *, thisline, nextline);
+ lastline = (i >= imax);
+@@ -997,7 +997,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+ nextptr += 3;
+ }
+ }
+- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ break;
+ }
+ bad:
+--
+GitLab
+
+
+From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:25:16 -0700
+Subject: [PATCH] Fix tiffmedian bug #707
+
+---
+ tools/tiffmedian.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index f6cf26c2c..8c9978bab 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -414,7 +414,10 @@ static void get_histogram(TIFF *in, Colorbox *box)
+ for (i = 0; i < imagelength; i++)
+ {
+ if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+- break;
++ {
++ fprintf(stderr, "Error reading scanline\n");
++ exit(EXIT_FAILURE);
++ }
+ inptr = inputline;
+ for (j = imagewidth; j-- > 0;)
+ {
+--
+GitLab
+
+
+From ecc4ddbf1f0fed7957d1e20361e37f01907898e0 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:38:09 -0700
+Subject: [PATCH] conflict resolution
+
+---
+ tools/tiffmedian.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 8c9978bab..47e0524bc 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -920,7 +920,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+ outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+
+ GetInputLine(in, 0, goto bad); /* get first line */
+- for (i = 0; i <= imagelength; ++i)
++ for (i = 0; i < imagelength; ++i)
+ {
+ SWAP(short *, thisline, nextline);
+ lastline = (i >= imax);
+--
+GitLab
+
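Review bot: Only the first of the three commit headers in this patch file carries the Upstream:, CVE: and Signed-off-by: lines; the sections for "Fix tiffmedian bug #707" and "conflict resolution" have none. The one Upstream: tag also points at fe10872e53efba9cc36c66ac4ab3b41a839d5172.patch while the From line above it names 3994cf3b3bc6b54c32f240ca5a412cffa11633fa, so the tag does not identify the commit it sits on. One patch file per upstream commit, each with its own tags and its own commit URL, resolves both, and the comment in tiff.mk would then need to list every file.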
diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
index 5d7219d7da..fe35ed01b5 100644
--- a/package/tiff/tiff.mk
+++ b/package/tiff/tiff.mk
@@ -13,6 +13,9 @@ TIFF_CPE_ID_VENDOR = libtiff
TIFF_CPE_ID_PRODUCT = libtiff
TIFF_INSTALL_STAGING = YES
+# 0001-don-t-skip-the-first-line-of-the-input-image.patch
+TIFF_IGNORE_CVES += CVE-2025-8176
+
# webp has a (optional) dependency on tiff, so we can't have webp
# support in tiff, or that would create a circular dependency.
TIFF_CONF_OPTS = \
--
2.50.1
* Re: [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176
2025-08-06 19:31 Thomas Perale via buildroot
@ 2025-08-06 19:55 ` Peter Korsgaard
2025-08-06 20:24 ` Thomas Perale via buildroot
0 siblings, 1 reply; 8+ messages in thread
From: Peter Korsgaard @ 2025-08-06 19:55 UTC (permalink / raw)
To: Thomas Perale via buildroot; +Cc: Thomas Perale
>>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
> Fix the following vulnerability:
> - CVE-2025-8176
> A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
> as critical. This vulnerability affects the function get_histogram of
> the file tools/tiffmedian.c. The manipulation leads to use after free.
> The attack needs to be approached locally. The exploit has been
> disclosed to the public and may be used. The patch is identified as
> fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a
> patch to fix this issue.
> For more information, see:
> - https://www.cve.org/CVERecord?id=CVE-2025-8176
> - https://gitlab.com/libtiff/libtiff/-/merge_requests/727
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> ---
> ...ip-the-first-line-of-the-input-image.patch | 116 ++++++++++++++++++
> package/tiff/tiff.mk | 3 +
> 2 files changed, 119 insertions(+)
> create mode 100644 package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> diff --git a/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> new file mode 100644
> index 0000000000..3bc0f26772
> --- /dev/null
> +++ b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> @@ -0,0 +1,116 @@
> +From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
..
> +From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
While it probably works to concatenate 3 commits into a single patch,
that is not how we normally do it here. I would prefer to see the 3
upstream commits as 3 separate patches.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 1/2] package/tiff: add patch to fix CVE-2025-8176
2025-08-06 19:55 ` Peter Korsgaard
@ 2025-08-06 20:24 ` Thomas Perale via buildroot
0 siblings, 0 replies; 8+ messages in thread
From: Thomas Perale via buildroot @ 2025-08-06 20:24 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Thomas Perale, Thomas Perale via buildroot
In reply to:
> >>>>> "Thomas" == Thomas Perale via buildroot <buildroot@buildroot.org> writes:
>
> > Fix the following vulnerability:
> > - CVE-2025-8176
>
> > A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
> > as critical. This vulnerability affects the function get_histogram of
> > the file tools/tiffmedian.c. The manipulation leads to use after free.
> > The attack needs to be approached locally. The exploit has been
> > disclosed to the public and may be used. The patch is identified as
> > fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a
> > patch to fix this issue.
>
> > For more information, see:
> > - https://www.cve.org/CVERecord?id=CVE-2025-8176
> > - https://gitlab.com/libtiff/libtiff/-/merge_requests/727
>
> > Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> > ---
> > ...ip-the-first-line-of-the-input-image.patch | 116 ++++++++++++++++++
> > package/tiff/tiff.mk | 3 +
> > 2 files changed, 119 insertions(+)
> > create mode 100644 package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
>
> > diff --git a/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> > new file mode 100644
> > index 0000000000..3bc0f26772
> > --- /dev/null
> > +++ b/package/tiff/0001-don-t-skip-the-first-line-of-the-input-image.patch
> > @@ -0,0 +1,116 @@
> > +From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
> ..
> > +From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
>
> While it probably works to concatenate 3 commits into a single patch,
> that is not how we normally do it here. I would prefer to see the 3
> upstream commits as 3 separate patches.
Hi,
I sent a v2 that split the patches
https://lore.kernel.org/r/<20250806202029.625736-1-thomas.perale@mind.be>
I forgot at the last minute to add the v2 header, sorry.
I may have sent patches that were bundled in the patch, I need to check.
Regards,
Thomas
>
> --
> Bye, Peter Korsgaard