* [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9
@ 2022-09-08 5:04 Virendra Thakur
2022-09-08 18:44 ` Steve Sakoman
0 siblings, 1 reply; 4+ messages in thread
From: Virendra Thakur @ 2022-09-08 5:04 UTC (permalink / raw)
To: openembedded-core; +Cc: Virendra Thakur
From: Virendra Thakur <virendrak@kpit.com>
Add Patch to fix CVE-2022-2867, CVE-2022-2868
CVE-2022-2869
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
2 files changed, 160 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
+From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+
+CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: tiff-4.1.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0.orig/tools/tiffcrop.c
++++ tiff-4.1.0/tools/tiffcrop.c
+@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+- if (x1 < 1)
+- crop->regionlist[i].x1 = 0;
+- else
+- crop->regionlist[i].x1 = (uint32) (x1 - 1);
++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
++ * b) Corners are expected to be submitted as top-left to bottom-right.
++ * Therefore, check that and reorder input.
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
++ */
++ uint32_t aux;
++ if (x1 > x2) {
++ aux = x1;
++ x1 = x2;
++ x2 = aux;
++ }
++ if (y1 > y2) {
++ aux = y1;
++ y1 = y2;
++ y2 = aux;
++ }
++ if (x1 > image->width - 1)
++ crop->regionlist[i].x1 = image->width - 1;
++ else if (x1 > 0)
++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+
+ if (x2 > image->width - 1)
+ crop->regionlist[i].x2 = image->width - 1;
+- else
+- crop->regionlist[i].x2 = (uint32) (x2 - 1);
+- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+-
+- if (y1 < 1)
+- crop->regionlist[i].y1 = 0;
+- else
+- crop->regionlist[i].y1 = (uint32) (y1 - 1);
++ else if (x2 > 0)
++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
++
++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++
++ if (y1 > image->length - 1)
++ crop->regionlist[i].y1 = image->length - 1;
++ else if (y1 > 0)
++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+
+ if (y2 > image->length - 1)
+ crop->regionlist[i].y2 = image->length - 1;
+- else
+- crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ else if (y2 > 0)
++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+
++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (zwidth > max_width)
+ max_width = zwidth;
+ if (zlength > max_length)
+@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
+ }
+ }
+ return (0);
+- }
++ } /* crop_mode == CROP_REGIONS */
+
+ /* Convert crop margins into offsets into image
+ * Margins are expressed as pixel rows and columns, not bytes
+@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
+ bmargin = (uint32) 0;
+ return (-1);
+ }
+- }
++ } /* crop_mode == CROP_MARGINS */
+ else
+ { /* no margins requested */
+ tmargin = (uint32) 0;
+@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
+ off->endx = endx;
+ off->endy = endy;
+
+- crop_width = endx - startx + 1;
+- crop_length = endy - starty + 1;
+-
+- if (crop_width <= 0)
++ if (endx + 1 <= startx)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid left/right margins and /or image crop width requested");
+ return (-1);
+ }
++ crop_width = endx - startx + 1;
+ if (crop_width > image->width)
+ crop_width = image->width;
+
+- if (crop_length <= 0)
++ if (endy + 1 <= starty)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid top/bottom margins and /or image crop length requested");
+ return (-1);
+ }
++ crop_length = endy - starty + 1;
+ if (crop_length > image->length)
+ crop_length = image->length;
+
+@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
+ else
+ crop->selections = crop->zones;
+
+- for (i = 0; i < crop->zones; i++)
++ /* Initialize regions iterator i */
++ i = 0;
++ for (int j = 0; j < crop->zones; j++)
+ {
+- seg = crop->zonelist[i].position;
+- total = crop->zonelist[i].total;
++ seg = crop->zonelist[j].position;
++ total = crop->zonelist[j].total;
++
++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++ if (seg == 0 || total == 0 || seg > total) {
++ continue;
++ }
+
+ switch (crop->edge_ref)
+ {
+@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
+ i + 1, (uint32)zwidth, (uint32)zlength,
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
++ /* increment regions iterator */
++ i++;
+ }
+-
++ /* set number of generated regions out of given zones */
++ crop->selections = i;
+ return (0);
+ } /* end getCropOffsets */
+
+--
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index c061d2aaac..93a35230d6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2022-0924.patch \
file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
file://CVE-2022-34526.patch \
+ file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
"
SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
--
2.17.1
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9
2022-09-08 5:04 [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9 Virendra Thakur
@ 2022-09-08 18:44 ` Steve Sakoman
2022-09-09 5:11 ` Virendra Kumar Thakur
[not found] ` <1713191FCF73F181.16466@lists.openembedded.org>
0 siblings, 2 replies; 4+ messages in thread
From: Steve Sakoman @ 2022-09-08 18:44 UTC (permalink / raw)
To: virendra.thakur; +Cc: openembedded-core, Virendra Thakur
On Wed, Sep 7, 2022 at 7:04 PM Virendra Thakur via
lists.openembedded.org
<virendra.thakur=kpit.com@lists.openembedded.org> wrote:
>
> From: Virendra Thakur <virendrak@kpit.com>
>
> Add Patch to fix CVE-2022-2867, CVE-2022-2868
> CVE-2022-2869
This fails on the autobuilder:
ERROR: tiff-4.1.0-r0 do_patch: Applying patch
'CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch' on target directory
'/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/tiff-4.1.0'
Command Error: 'quilt --quiltrc
/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0 Output:
Applying patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
patching file tools/tiffcrop.c
Hunk #1 FAILED at 5153.
Hunk #2 succeeded at 4782 with fuzz 2 (offset -423 lines).
Hunk #4 FAILED at 5332.
Hunk #5 succeeded at 5449 with fuzz 2.
Hunk #6 succeeded at 5588 with fuzz 2.
2 out of 6 hunks FAILED -- rejects in file tools/tiffcrop.c
Patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch does not apply
(enforce with -f)
Perhaps your mailer is corrupting the patch? This has been an issue
lately with other patches from kpit!
Steve
>
> Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> ---
> ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
> 2 files changed, 160 insertions(+)
> create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
> new file mode 100644
> index 0000000000..131ff94119
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
> @@ -0,0 +1,159 @@
> +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
> +From: Su Laus <sulau@freenet.de>
> +Date: Wed, 9 Feb 2022 21:31:29 +0000
> +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
> + uint32_t underflow.
> +
> +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
> +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
> +Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> +---
> +Index: tiff-4.1.0/tools/tiffcrop.c
> +===================================================================
> +--- tiff-4.1.0.orig/tools/tiffcrop.c
> ++++ tiff-4.1.0/tools/tiffcrop.c
> +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
> + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
> + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
> + }
> +- if (x1 < 1)
> +- crop->regionlist[i].x1 = 0;
> +- else
> +- crop->regionlist[i].x1 = (uint32) (x1 - 1);
> ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
> ++ * b) Corners are expected to be submitted as top-left to bottom-right.
> ++ * Therefore, check that and reorder input.
> ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
> ++ */
> ++ uint32_t aux;
> ++ if (x1 > x2) {
> ++ aux = x1;
> ++ x1 = x2;
> ++ x2 = aux;
> ++ }
> ++ if (y1 > y2) {
> ++ aux = y1;
> ++ y1 = y2;
> ++ y2 = aux;
> ++ }
> ++ if (x1 > image->width - 1)
> ++ crop->regionlist[i].x1 = image->width - 1;
> ++ else if (x1 > 0)
> ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
> +
> + if (x2 > image->width - 1)
> + crop->regionlist[i].x2 = image->width - 1;
> +- else
> +- crop->regionlist[i].x2 = (uint32) (x2 - 1);
> +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
> +-
> +- if (y1 < 1)
> +- crop->regionlist[i].y1 = 0;
> +- else
> +- crop->regionlist[i].y1 = (uint32) (y1 - 1);
> ++ else if (x2 > 0)
> ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
> ++
> ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
> ++
> ++ if (y1 > image->length - 1)
> ++ crop->regionlist[i].y1 = image->length - 1;
> ++ else if (y1 > 0)
> ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
> +
> + if (y2 > image->length - 1)
> + crop->regionlist[i].y2 = image->length - 1;
> +- else
> +- crop->regionlist[i].y2 = (uint32) (y2 - 1);
> +-
> +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
> ++ else if (y2 > 0)
> ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
> +
> ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
> + if (zwidth > max_width)
> + max_width = zwidth;
> + if (zlength > max_length)
> +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
> + }
> + }
> + return (0);
> +- }
> ++ } /* crop_mode == CROP_REGIONS */
> +
> + /* Convert crop margins into offsets into image
> + * Margins are expressed as pixel rows and columns, not bytes
> +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
> + bmargin = (uint32) 0;
> + return (-1);
> + }
> +- }
> ++ } /* crop_mode == CROP_MARGINS */
> + else
> + { /* no margins requested */
> + tmargin = (uint32) 0;
> +@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
> + off->endx = endx;
> + off->endy = endy;
> +
> +- crop_width = endx - startx + 1;
> +- crop_length = endy - starty + 1;
> +-
> +- if (crop_width <= 0)
> ++ if (endx + 1 <= startx)
> + {
> + TIFFError("computeInputPixelOffsets",
> + "Invalid left/right margins and /or image crop width requested");
> + return (-1);
> + }
> ++ crop_width = endx - startx + 1;
> + if (crop_width > image->width)
> + crop_width = image->width;
> +
> +- if (crop_length <= 0)
> ++ if (endy + 1 <= starty)
> + {
> + TIFFError("computeInputPixelOffsets",
> + "Invalid top/bottom margins and /or image crop length requested");
> + return (-1);
> + }
> ++ crop_length = endy - starty + 1;
> + if (crop_length > image->length)
> + crop_length = image->length;
> +
> +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
> + else
> + crop->selections = crop->zones;
> +
> +- for (i = 0; i < crop->zones; i++)
> ++ /* Initialize regions iterator i */
> ++ i = 0;
> ++ for (int j = 0; j < crop->zones; j++)
> + {
> +- seg = crop->zonelist[i].position;
> +- total = crop->zonelist[i].total;
> ++ seg = crop->zonelist[j].position;
> ++ total = crop->zonelist[j].total;
> ++
> ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
> ++ if (seg == 0 || total == 0 || seg > total) {
> ++ continue;
> ++ }
> +
> + switch (crop->edge_ref)
> + {
> +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
> + i + 1, (uint32)zwidth, (uint32)zlength,
> + crop->regionlist[i].x1, crop->regionlist[i].x2,
> + crop->regionlist[i].y1, crop->regionlist[i].y2);
> ++ /* increment regions iterator */
> ++ i++;
> + }
> +-
> ++ /* set number of generated regions out of given zones */
> ++ crop->selections = i;
> + return (0);
> + } /* end getCropOffsets */
> +
> +--
> +GitLab
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> index c061d2aaac..93a35230d6 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> @@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
> file://CVE-2022-0924.patch \
> file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
> file://CVE-2022-34526.patch \
> + file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
> "
> SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
> SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#170448): https://lists.openembedded.org/g/openembedded-core/message/170448
> Mute This Topic: https://lists.openembedded.org/mt/93542683/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9
2022-09-08 18:44 ` Steve Sakoman
@ 2022-09-09 5:11 ` Virendra Kumar Thakur
[not found] ` <1713191FCF73F181.16466@lists.openembedded.org>
1 sibling, 0 replies; 4+ messages in thread
From: Virendra Kumar Thakur @ 2022-09-09 5:11 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core@lists.openembedded.org
[-- Attachment #1.1: Type: text/plain, Size: 12657 bytes --]
Hi Steve,
I am attaching here with tiff patchset .
please let me know if its fine.
________________________________
From: Steve Sakoman <steve@sakoman.com>
Sent: Friday, September 9, 2022 12:14 AM
To: Virendra Kumar Thakur <Virendra.Thakur@kpit.com>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; Virendra Kumar Thakur <Virendra.Thakur@kpit.com>
Subject: Re: [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9
Caution: This email originated from outside of the KPIT. Do not click links or open attachments unless you recognize the sender and know the content is safe.
On Wed, Sep 7, 2022 at 7:04 PM Virendra Thakur via
lists.openembedded.org
<virendra.thakur=kpit.com@lists.openembedded.org> wrote:
>
> From: Virendra Thakur <virendrak@kpit.com>
>
> Add Patch to fix CVE-2022-2867, CVE-2022-2868
> CVE-2022-2869
This fails on the autobuilder:
ERROR: tiff-4.1.0-r0 do_patch: Applying patch
'CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch' on target directory
'/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/tiff-4.1.0'
Command Error: 'quilt --quiltrc
/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0 Output:
Applying patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
patching file tools/tiffcrop.c
Hunk #1 FAILED at 5153.
Hunk #2 succeeded at 4782 with fuzz 2 (offset -423 lines).
Hunk #4 FAILED at 5332.
Hunk #5 succeeded at 5449 with fuzz 2.
Hunk #6 succeeded at 5588 with fuzz 2.
2 out of 6 hunks FAILED -- rejects in file tools/tiffcrop.c
Patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch does not apply
(enforce with -f)
Perhaps your mailer is corrupting the patch? This has been an issue
lately with other patches from kpit!
Steve
>
> Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> ---
> ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
> 2 files changed, 160 insertions(+)
> create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
> new file mode 100644
> index 0000000000..131ff94119
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
> @@ -0,0 +1,159 @@
> +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
> +From: Su Laus <sulau@freenet.de>
> +Date: Wed, 9 Feb 2022 21:31:29 +0000
> +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
> + uint32_t underflow.
> +
> +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
> +Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.com%2Flibtiff%2Flibtiff%2F-%2Fcommit%2F07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C06f4664a51014a38772c08da91ca2d06%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982594827918330%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KeN8brH6XLpD8sQUvDQHUfeG7Ld%2BnFtGl%2Bgr5WCiJX4%3D&reserved=0]
> +Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> +---
> +Index: tiff-4.1.0/tools/tiffcrop.c
> +===================================================================
> +--- tiff-4.1.0.orig/tools/tiffcrop.c
> ++++ tiff-4.1.0/tools/tiffcrop.c
> +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
> + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
> + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
> + }
> +- if (x1 < 1)
> +- crop->regionlist[i].x1 = 0;
> +- else
> +- crop->regionlist[i].x1 = (uint32) (x1 - 1);
> ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
> ++ * b) Corners are expected to be submitted as top-left to bottom-right.
> ++ * Therefore, check that and reorder input.
> ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
> ++ */
> ++ uint32_t aux;
> ++ if (x1 > x2) {
> ++ aux = x1;
> ++ x1 = x2;
> ++ x2 = aux;
> ++ }
> ++ if (y1 > y2) {
> ++ aux = y1;
> ++ y1 = y2;
> ++ y2 = aux;
> ++ }
> ++ if (x1 > image->width - 1)
> ++ crop->regionlist[i].x1 = image->width - 1;
> ++ else if (x1 > 0)
> ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
> +
> + if (x2 > image->width - 1)
> + crop->regionlist[i].x2 = image->width - 1;
> +- else
> +- crop->regionlist[i].x2 = (uint32) (x2 - 1);
> +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
> +-
> +- if (y1 < 1)
> +- crop->regionlist[i].y1 = 0;
> +- else
> +- crop->regionlist[i].y1 = (uint32) (y1 - 1);
> ++ else if (x2 > 0)
> ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
> ++
> ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
> ++
> ++ if (y1 > image->length - 1)
> ++ crop->regionlist[i].y1 = image->length - 1;
> ++ else if (y1 > 0)
> ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
> +
> + if (y2 > image->length - 1)
> + crop->regionlist[i].y2 = image->length - 1;
> +- else
> +- crop->regionlist[i].y2 = (uint32) (y2 - 1);
> +-
> +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
> ++ else if (y2 > 0)
> ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
> +
> ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
> + if (zwidth > max_width)
> + max_width = zwidth;
> + if (zlength > max_length)
> +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
> + }
> + }
> + return (0);
> +- }
> ++ } /* crop_mode == CROP_REGIONS */
> +
> + /* Convert crop margins into offsets into image
> + * Margins are expressed as pixel rows and columns, not bytes
> +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
> + bmargin = (uint32) 0;
> + return (-1);
> + }
> +- }
> ++ } /* crop_mode == CROP_MARGINS */
> + else
> + { /* no margins requested */
> + tmargin = (uint32) 0;
> +@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
> + off->endx = endx;
> + off->endy = endy;
> +
> +- crop_width = endx - startx + 1;
> +- crop_length = endy - starty + 1;
> +-
> +- if (crop_width <= 0)
> ++ if (endx + 1 <= startx)
> + {
> + TIFFError("computeInputPixelOffsets",
> + "Invalid left/right margins and /or image crop width requested");
> + return (-1);
> + }
> ++ crop_width = endx - startx + 1;
> + if (crop_width > image->width)
> + crop_width = image->width;
> +
> +- if (crop_length <= 0)
> ++ if (endy + 1 <= starty)
> + {
> + TIFFError("computeInputPixelOffsets",
> + "Invalid top/bottom margins and /or image crop length requested");
> + return (-1);
> + }
> ++ crop_length = endy - starty + 1;
> + if (crop_length > image->length)
> + crop_length = image->length;
> +
> +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
> + else
> + crop->selections = crop->zones;
> +
> +- for (i = 0; i < crop->zones; i++)
> ++ /* Initialize regions iterator i */
> ++ i = 0;
> ++ for (int j = 0; j < crop->zones; j++)
> + {
> +- seg = crop->zonelist[i].position;
> +- total = crop->zonelist[i].total;
> ++ seg = crop->zonelist[j].position;
> ++ total = crop->zonelist[j].total;
> ++
> ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
> ++ if (seg == 0 || total == 0 || seg > total) {
> ++ continue;
> ++ }
> +
> + switch (crop->edge_ref)
> + {
> +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
> + i + 1, (uint32)zwidth, (uint32)zlength,
> + crop->regionlist[i].x1, crop->regionlist[i].x2,
> + crop->regionlist[i].y1, crop->regionlist[i].y2);
> ++ /* increment regions iterator */
> ++ i++;
> + }
> +-
> ++ /* set number of generated regions out of given zones */
> ++ crop->selections = i;
> + return (0);
> + } /* end getCropOffsets */
> +
> +--
> +GitLab
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> index c061d2aaac..93a35230d6 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> @@ -26,6 +26,7 @@ SRC_URI = "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdownload.osgeo.org%2Flibtiff%2Ftiff-%24&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C06f4664a51014a38772c08da91ca2d06%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982594827918330%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Cfstd%2BIU%2FQTf5%2F3xbc03woC9PK4yLt9vzYyvgG5%2FVdg%3D&reserved=0{PV}.tar.gz \
> file://CVE-2022-0924.patch \
> file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
> file://CVE-2022-34526.patch \
> + file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
> "
> SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
> SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#170448): https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.openembedded.org%2Fg%2Fopenembedded-core%2Fmessage%2F170448&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C06f4664a51014a38772c08da91ca2d06%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982594827918330%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=IMob4TLoMFyZPMn70p6Zw%2F0LrZk49QJPTtG4iKJL2cc%3D&reserved=0
> Mute This Topic: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.openembedded.org%2Fmt%2F93542683%2F3620601&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C06f4664a51014a38772c08da91ca2d06%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982594828074560%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wm5lPdNoTh2gHTwUPnSa%2Bq7y1fbPLUfCTiJXwqXmx7I%3D&reserved=0
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.openembedded.org%2Fg%2Fopenembedded-core%2Funsub&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C06f4664a51014a38772c08da91ca2d06%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982594828074560%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KdLCZubscfMsjI1cAebnNJHEgbjxseukod6tzS%2Fvetw%3D&reserved=0 [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
[-- Attachment #1.2: Type: text/html, Size: 21971 bytes --]
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-tiff-Fix-for-CVE-2022-2867-8-9.patch --]
[-- Type: text/x-patch; name="0001-tiff-Fix-for-CVE-2022-2867-8-9.patch", Size: 6969 bytes --]
From b9285aa99e1d5b948b738a79516bcee9fb2faca7 Mon Sep 17 00:00:00 2001
From: Virendra Thakur <virendrak@kpit.com>
Date: Mon, 5 Sep 2022 15:11:11 +0530
Subject: [PATCH] tiff: Fix for CVE-2022-2867/8/9
Add Patch to fix CVE-2022-2867, CVE-2022-2868
CVE-2022-2869
Change-Id: I01279c4896d36535c14776c5dcb213869df101ca
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
2 files changed, 160 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
+From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+
+CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: tiff-4.1.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0.orig/tools/tiffcrop.c
++++ tiff-4.1.0/tools/tiffcrop.c
+@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+- if (x1 < 1)
+- crop->regionlist[i].x1 = 0;
+- else
+- crop->regionlist[i].x1 = (uint32) (x1 - 1);
++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
++ * b) Corners are expected to be submitted as top-left to bottom-right.
++ * Therefore, check that and reorder input.
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
++ */
++ uint32_t aux;
++ if (x1 > x2) {
++ aux = x1;
++ x1 = x2;
++ x2 = aux;
++ }
++ if (y1 > y2) {
++ aux = y1;
++ y1 = y2;
++ y2 = aux;
++ }
++ if (x1 > image->width - 1)
++ crop->regionlist[i].x1 = image->width - 1;
++ else if (x1 > 0)
++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+
+ if (x2 > image->width - 1)
+ crop->regionlist[i].x2 = image->width - 1;
+- else
+- crop->regionlist[i].x2 = (uint32) (x2 - 1);
+- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+-
+- if (y1 < 1)
+- crop->regionlist[i].y1 = 0;
+- else
+- crop->regionlist[i].y1 = (uint32) (y1 - 1);
++ else if (x2 > 0)
++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
++
++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++
++ if (y1 > image->length - 1)
++ crop->regionlist[i].y1 = image->length - 1;
++ else if (y1 > 0)
++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+
+ if (y2 > image->length - 1)
+ crop->regionlist[i].y2 = image->length - 1;
+- else
+- crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ else if (y2 > 0)
++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+
++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (zwidth > max_width)
+ max_width = zwidth;
+ if (zlength > max_length)
+@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
+ }
+ }
+ return (0);
+- }
++ } /* crop_mode == CROP_REGIONS */
+
+ /* Convert crop margins into offsets into image
+ * Margins are expressed as pixel rows and columns, not bytes
+@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
+ bmargin = (uint32) 0;
+ return (-1);
+ }
+- }
++ } /* crop_mode == CROP_MARGINS */
+ else
+ { /* no margins requested */
+ tmargin = (uint32) 0;
+@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
+ off->endx = endx;
+ off->endy = endy;
+
+- crop_width = endx - startx + 1;
+- crop_length = endy - starty + 1;
+-
+- if (crop_width <= 0)
++ if (endx + 1 <= startx)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid left/right margins and /or image crop width requested");
+ return (-1);
+ }
++ crop_width = endx - startx + 1;
+ if (crop_width > image->width)
+ crop_width = image->width;
+
+- if (crop_length <= 0)
++ if (endy + 1 <= starty)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid top/bottom margins and /or image crop length requested");
+ return (-1);
+ }
++ crop_length = endy - starty + 1;
+ if (crop_length > image->length)
+ crop_length = image->length;
+
+@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
+ else
+ crop->selections = crop->zones;
+
+- for (i = 0; i < crop->zones; i++)
++ /* Initialize regions iterator i */
++ i = 0;
++ for (int j = 0; j < crop->zones; j++)
+ {
+- seg = crop->zonelist[i].position;
+- total = crop->zonelist[i].total;
++ seg = crop->zonelist[j].position;
++ total = crop->zonelist[j].total;
++
++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++ if (seg == 0 || total == 0 || seg > total) {
++ continue;
++ }
+
+ switch (crop->edge_ref)
+ {
+@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
+ i + 1, (uint32)zwidth, (uint32)zlength,
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
++ /* increment regions iterator */
++ i++;
+ }
+-
++ /* set number of generated regions out of given zones */
++ crop->selections = i;
+ return (0);
+ } /* end getCropOffsets */
+
+--
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index c061d2aaac..93a35230d6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2022-0924.patch \
file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
file://CVE-2022-34526.patch \
+ file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
"
SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9
[not found] ` <1713191FCF73F181.16466@lists.openembedded.org>
@ 2022-09-09 5:15 ` Virendra Kumar Thakur
0 siblings, 0 replies; 4+ messages in thread
From: Virendra Kumar Thakur @ 2022-09-09 5:15 UTC (permalink / raw)
To: Steve Sakoman, Virendra Kumar Thakur
Cc: openembedded-core@lists.openembedded.org
[-- Attachment #1.1: Type: text/plain, Size: 12758 bytes --]
Please take this patch .
removed change-ID as its not needed.
________________________________
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Virendra Thakur via lists.openembedded.org <virendra.thakur=kpit.com@lists.openembedded.org>
Sent: Friday, September 9, 2022 10:41 AM
To: Steve Sakoman <steve@sakoman.com>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9
Caution: This email originated from outside of the KPIT. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hi Steve,
I am attaching here with tiff patchset .
please let me know if its fine.
________________________________
From: Steve Sakoman <steve@sakoman.com>
Sent: Friday, September 9, 2022 12:14 AM
To: Virendra Kumar Thakur <Virendra.Thakur@kpit.com>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; Virendra Kumar Thakur <Virendra.Thakur@kpit.com>
Subject: Re: [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9
Caution: This email originated from outside of the KPIT. Do not click links or open attachments unless you recognize the sender and know the content is safe.
On Wed, Sep 7, 2022 at 7:04 PM Virendra Thakur via
lists.openembedded.org
<virendra.thakur=kpit.com@lists.openembedded.org> wrote:
>
> From: Virendra Thakur <virendrak@kpit.com>
>
> Add Patch to fix CVE-2022-2867, CVE-2022-2868
> CVE-2022-2869
This fails on the autobuilder:
ERROR: tiff-4.1.0-r0 do_patch: Applying patch
'CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch' on target directory
'/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/tiff-4.1.0'
Command Error: 'quilt --quiltrc
/home/pokybuild/yocto-worker/reproducible/build/build-st-966841/reproducibleA/tmp/work/core2-64-poky-linux/tiff/4.1.0-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0 Output:
Applying patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
patching file tools/tiffcrop.c
Hunk #1 FAILED at 5153.
Hunk #2 succeeded at 4782 with fuzz 2 (offset -423 lines).
Hunk #4 FAILED at 5332.
Hunk #5 succeeded at 5449 with fuzz 2.
Hunk #6 succeeded at 5588 with fuzz 2.
2 out of 6 hunks FAILED -- rejects in file tools/tiffcrop.c
Patch CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch does not apply
(enforce with -f)
Perhaps your mailer is corrupting the patch? This has been an issue
lately with other patches from kpit!
Steve
>
> Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> ---
> ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++
> meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
> 2 files changed, 160 insertions(+)
> create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
>
> diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
> new file mode 100644
> index 0000000000..131ff94119
> --- /dev/null
> +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
> @@ -0,0 +1,159 @@
> +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
> +From: Su Laus <sulau@freenet.de>
> +Date: Wed, 9 Feb 2022 21:31:29 +0000
> +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
> + uint32_t underflow.
> +
> +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
> +Upstream-Status: Backport [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.com%2Flibtiff%2Flibtiff%2F-%2Fcommit%2F07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C06f4664a51014a38772c08da91ca2d06%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982594827918330%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KeN8brH6XLpD8sQUvDQHUfeG7Ld%2BnFtGl%2Bgr5WCiJX4%3D&reserved=0<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.com%2Flibtiff%2Flibtiff%2F-%2Fcommit%2F07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c&data=05%7C01%7Cvirendra.thakur%40kpit.com%7Cc7c73701ce6d4fb704b208da9221d9b0%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982971413084460%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vQW2cVBF6m8oH0kbIE9Mcyh6HiCYQSkCj0HbJ2g%2FTR0%3D&reserved=0>]
> +Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> +---
> +Index: tiff-4.1.0/tools/tiffcrop.c
> +===================================================================
> +--- tiff-4.1.0.orig/tools/tiffcrop.c
> ++++ tiff-4.1.0/tools/tiffcrop.c
> +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
> + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
> + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
> + }
> +- if (x1 < 1)
> +- crop->regionlist[i].x1 = 0;
> +- else
> +- crop->regionlist[i].x1 = (uint32) (x1 - 1);
> ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
> ++ * b) Corners are expected to be submitted as top-left to bottom-right.
> ++ * Therefore, check that and reorder input.
> ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
> ++ */
> ++ uint32_t aux;
> ++ if (x1 > x2) {
> ++ aux = x1;
> ++ x1 = x2;
> ++ x2 = aux;
> ++ }
> ++ if (y1 > y2) {
> ++ aux = y1;
> ++ y1 = y2;
> ++ y2 = aux;
> ++ }
> ++ if (x1 > image->width - 1)
> ++ crop->regionlist[i].x1 = image->width - 1;
> ++ else if (x1 > 0)
> ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
> +
> + if (x2 > image->width - 1)
> + crop->regionlist[i].x2 = image->width - 1;
> +- else
> +- crop->regionlist[i].x2 = (uint32) (x2 - 1);
> +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
> +-
> +- if (y1 < 1)
> +- crop->regionlist[i].y1 = 0;
> +- else
> +- crop->regionlist[i].y1 = (uint32) (y1 - 1);
> ++ else if (x2 > 0)
> ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
> ++
> ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
> ++
> ++ if (y1 > image->length - 1)
> ++ crop->regionlist[i].y1 = image->length - 1;
> ++ else if (y1 > 0)
> ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
> +
> + if (y2 > image->length - 1)
> + crop->regionlist[i].y2 = image->length - 1;
> +- else
> +- crop->regionlist[i].y2 = (uint32) (y2 - 1);
> +-
> +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
> ++ else if (y2 > 0)
> ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
> +
> ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
> + if (zwidth > max_width)
> + max_width = zwidth;
> + if (zlength > max_length)
> +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
> + }
> + }
> + return (0);
> +- }
> ++ } /* crop_mode == CROP_REGIONS */
> +
> + /* Convert crop margins into offsets into image
> + * Margins are expressed as pixel rows and columns, not bytes
> +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
> + bmargin = (uint32) 0;
> + return (-1);
> + }
> +- }
> ++ } /* crop_mode == CROP_MARGINS */
> + else
> + { /* no margins requested */
> + tmargin = (uint32) 0;
> +@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
> + off->endx = endx;
> + off->endy = endy;
> +
> +- crop_width = endx - startx + 1;
> +- crop_length = endy - starty + 1;
> +-
> +- if (crop_width <= 0)
> ++ if (endx + 1 <= startx)
> + {
> + TIFFError("computeInputPixelOffsets",
> + "Invalid left/right margins and /or image crop width requested");
> + return (-1);
> + }
> ++ crop_width = endx - startx + 1;
> + if (crop_width > image->width)
> + crop_width = image->width;
> +
> +- if (crop_length <= 0)
> ++ if (endy + 1 <= starty)
> + {
> + TIFFError("computeInputPixelOffsets",
> + "Invalid top/bottom margins and /or image crop length requested");
> + return (-1);
> + }
> ++ crop_length = endy - starty + 1;
> + if (crop_length > image->length)
> + crop_length = image->length;
> +
> +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
> + else
> + crop->selections = crop->zones;
> +
> +- for (i = 0; i < crop->zones; i++)
> ++ /* Initialize regions iterator i */
> ++ i = 0;
> ++ for (int j = 0; j < crop->zones; j++)
> + {
> +- seg = crop->zonelist[i].position;
> +- total = crop->zonelist[i].total;
> ++ seg = crop->zonelist[j].position;
> ++ total = crop->zonelist[j].total;
> ++
> ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
> ++ if (seg == 0 || total == 0 || seg > total) {
> ++ continue;
> ++ }
> +
> + switch (crop->edge_ref)
> + {
> +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
> + i + 1, (uint32)zwidth, (uint32)zlength,
> + crop->regionlist[i].x1, crop->regionlist[i].x2,
> + crop->regionlist[i].y1, crop->regionlist[i].y2);
> ++ /* increment regions iterator */
> ++ i++;
> + }
> +-
> ++ /* set number of generated regions out of given zones */
> ++ crop->selections = i;
> + return (0);
> + } /* end getCropOffsets */
> +
> +--
> +GitLab
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> index c061d2aaac..93a35230d6 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
> @@ -26,6 +26,7 @@ SRC_URI = "https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdownload.osgeo.org%2Flibtiff%2Ftiff-%24&data=05%7C01%7Cvirendra.thakur%40kpit.com%7C06f4664a51014a38772c08da91ca2d06%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637982594827918330%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Cfstd%2BIU%2FQTf5%2F3xbc03woC9PK4yLt9vzYyvgG5%2FVdg%3D&reserved=0{PV}.tar.gz \
> file://CVE-2022-0924.patch \
> file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
> file://CVE-2022-34526.patch \
> + file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
> "
> SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
> SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
>
>
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
[-- Attachment #1.2: Type: text/html, Size: 21388 bytes --]
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-tiff-Fix-for-CVE-2022-2867-8-9.patch --]
[-- Type: text/x-patch; name="0001-tiff-Fix-for-CVE-2022-2867-8-9.patch", Size: 6916 bytes --]
From b9285aa99e1d5b948b738a79516bcee9fb2faca7 Mon Sep 17 00:00:00 2001
From: Virendra Thakur <virendrak@kpit.com>
Date: Mon, 5 Sep 2022 15:11:11 +0530
Subject: [PATCH] tiff: Fix for CVE-2022-2867/8/9
Add Patch to fix CVE-2022-2867, CVE-2022-2868
CVE-2022-2869
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
2 files changed, 160 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
+From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+
+CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: tiff-4.1.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0.orig/tools/tiffcrop.c
++++ tiff-4.1.0/tools/tiffcrop.c
+@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+- if (x1 < 1)
+- crop->regionlist[i].x1 = 0;
+- else
+- crop->regionlist[i].x1 = (uint32) (x1 - 1);
++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
++ * b) Corners are expected to be submitted as top-left to bottom-right.
++ * Therefore, check that and reorder input.
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
++ */
++ uint32_t aux;
++ if (x1 > x2) {
++ aux = x1;
++ x1 = x2;
++ x2 = aux;
++ }
++ if (y1 > y2) {
++ aux = y1;
++ y1 = y2;
++ y2 = aux;
++ }
++ if (x1 > image->width - 1)
++ crop->regionlist[i].x1 = image->width - 1;
++ else if (x1 > 0)
++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+
+ if (x2 > image->width - 1)
+ crop->regionlist[i].x2 = image->width - 1;
+- else
+- crop->regionlist[i].x2 = (uint32) (x2 - 1);
+- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+-
+- if (y1 < 1)
+- crop->regionlist[i].y1 = 0;
+- else
+- crop->regionlist[i].y1 = (uint32) (y1 - 1);
++ else if (x2 > 0)
++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
++
++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++
++ if (y1 > image->length - 1)
++ crop->regionlist[i].y1 = image->length - 1;
++ else if (y1 > 0)
++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+
+ if (y2 > image->length - 1)
+ crop->regionlist[i].y2 = image->length - 1;
+- else
+- crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ else if (y2 > 0)
++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+
++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (zwidth > max_width)
+ max_width = zwidth;
+ if (zlength > max_length)
+@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
+ }
+ }
+ return (0);
+- }
++ } /* crop_mode == CROP_REGIONS */
+
+ /* Convert crop margins into offsets into image
+ * Margins are expressed as pixel rows and columns, not bytes
+@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
+ bmargin = (uint32) 0;
+ return (-1);
+ }
+- }
++ } /* crop_mode == CROP_MARGINS */
+ else
+ { /* no margins requested */
+ tmargin = (uint32) 0;
+@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
+ off->endx = endx;
+ off->endy = endy;
+
+- crop_width = endx - startx + 1;
+- crop_length = endy - starty + 1;
+-
+- if (crop_width <= 0)
++ if (endx + 1 <= startx)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid left/right margins and /or image crop width requested");
+ return (-1);
+ }
++ crop_width = endx - startx + 1;
+ if (crop_width > image->width)
+ crop_width = image->width;
+
+- if (crop_length <= 0)
++ if (endy + 1 <= starty)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid top/bottom margins and /or image crop length requested");
+ return (-1);
+ }
++ crop_length = endy - starty + 1;
+ if (crop_length > image->length)
+ crop_length = image->length;
+
+@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
+ else
+ crop->selections = crop->zones;
+
+- for (i = 0; i < crop->zones; i++)
++ /* Initialize regions iterator i */
++ i = 0;
++ for (int j = 0; j < crop->zones; j++)
+ {
+- seg = crop->zonelist[i].position;
+- total = crop->zonelist[i].total;
++ seg = crop->zonelist[j].position;
++ total = crop->zonelist[j].total;
++
++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++ if (seg == 0 || total == 0 || seg > total) {
++ continue;
++ }
+
+ switch (crop->edge_ref)
+ {
+@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
+ i + 1, (uint32)zwidth, (uint32)zlength,
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
++ /* increment regions iterator */
++ i++;
+ }
+-
++ /* set number of generated regions out of given zones */
++ crop->selections = i;
+ return (0);
+ } /* end getCropOffsets */
+
+--
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index c061d2aaac..93a35230d6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2022-0924.patch \
file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
file://CVE-2022-34526.patch \
+ file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
"
SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-09-09 5:16 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-09-08 5:04 [OE-Core][dunfell][PATCH] tiff: Fix for CVE-2022-2867/8/9 Virendra Thakur
2022-09-08 18:44 ` Steve Sakoman
2022-09-09 5:11 ` Virendra Kumar Thakur
[not found] ` <1713191FCF73F181.16466@lists.openembedded.org>
2022-09-09 5:15 ` Virendra Kumar Thakur
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox