[OE-core][kirkstone][PATCH 1/2] tiff: Fix CVE-2025-8961

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

* [OE-core][kirkstone][PATCH 1/2] tiff: Fix CVE-2025-8961
@ 2025-10-07  7:36 vanusuri
  2025-10-07  7:36 ` [OE-core][kirkstone][PATCH 2/2] tiff: Fix CVE-2025-9165 vanusuri
  0 siblings, 1 reply; 2+ messages in thread
From: vanusuri @ 2025-10-07  7:36 UTC (permalink / raw)
  To: openembedded-core; +Cc: Vijay Anusuri

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../libtiff/tiff/CVE-2025-8961.patch          | 74 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
new file mode 100644
index 0000000000..05b11a866e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
@@ -0,0 +1,74 @@
+From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 5 Sep 2025 21:42:35 +0000
+Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue
+ #721
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5]
+CVE: CVE-2025-8961
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tools/tiffcrop.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index e16bc2d..c7d2553 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -929,6 +929,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
+ 		      TIFFError("readContigTilesIntoBuffer",
+                                 "Unable to extract row %"PRIu32" from tile %"PRIu32,
+ 				row, TIFFCurrentTile(in));
++		      _TIFFfree(tilebuf);
+ 		      return 1;
+ 		      }
+ 		    break;
+@@ -943,6 +944,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
+ 		        TIFFError("readContigTilesIntoBuffer",
+                                   "Unable to extract row %"PRIu32" from tile %"PRIu32,
+ 				  row, TIFFCurrentTile(in));
++		        _TIFFfree(tilebuf);
+ 		        return 1;
+ 		        }
+ 		      break;
+@@ -957,6 +959,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
+ 		        TIFFError("readContigTilesIntoBuffer",
+                                   "Unable to extract row %"PRIu32" from tile %"PRIu32,
+ 			  	  row, TIFFCurrentTile(in));
++		        _TIFFfree(tilebuf);
+ 		        return 1;
+ 		        }
+ 	            break;
+@@ -969,6 +972,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
+ 		      TIFFError("readContigTilesIntoBuffer",
+                                 "Unable to extract row %"PRIu32" from tile %"PRIu32,
+ 		  	        row, TIFFCurrentTile(in));
++		      _TIFFfree(tilebuf);
+ 		      return 1;
+ 		      }
+ 		    break;
+@@ -983,10 +987,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
+ 		      TIFFError("readContigTilesIntoBuffer",
+                                 "Unable to extract row %"PRIu32" from tile %"PRIu32,
+ 			        row, TIFFCurrentTile(in));
++		      _TIFFfree(tilebuf);
+ 		      return 1;
+ 		      }
+ 		    break;
+             default: TIFFError("readContigTilesIntoBuffer", "Unsupported bit depth %"PRIu16, bps);
++		     _TIFFfree(tilebuf);
+ 		     return 1;
+ 	    }
+           }
+@@ -2535,7 +2541,7 @@ main(int argc, char* argv[])
+     }
+ 
+   /* If we did not use the read buffer as the crop buffer */
+-  if (read_buff)
++  if (read_buff && read_buff != crop_buff)
+     _TIFFfree(read_buff);
+ 
+   if (crop_buff)
+-- 
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 0b4bef4c41..2ee6cdef73 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -63,6 +63,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2025-8534.patch \
            file://CVE-2025-8851.patch \
            file://CVE-2025-9900.patch \
+           file://CVE-2025-8961.patch \
            "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
-- 
2.25.1



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [OE-core][kirkstone][PATCH 2/2] tiff: Fix CVE-2025-9165
  2025-10-07  7:36 [OE-core][kirkstone][PATCH 1/2] tiff: Fix CVE-2025-8961 vanusuri
@ 2025-10-07  7:36 ` vanusuri
  0 siblings, 0 replies; 2+ messages in thread
From: vanusuri @ 2025-10-07  7:36 UTC (permalink / raw)
  To: openembedded-core; +Cc: Vijay Anusuri

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Commit: https://gitlab.com/libtiff/libtiff/-/commit/ed141286a37f6e5ddafb5069347ff5d587e7a4e0

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../libtiff/tiff/CVE-2025-9165.patch          | 32 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch
new file mode 100644
index 0000000000..3694b11c67
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9165.patch
@@ -0,0 +1,32 @@
+From ed141286a37f6e5ddafb5069347ff5d587e7a4e0 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 8 Aug 2025 21:35:30 +0200
+Subject: [PATCH] tiffcmp: fix memory leak when second file cannot be opened.
+
+Closes #728, #729
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ed141286a37f6e5ddafb5069347ff5d587e7a4e0]
+CVE: CVE-2025-9165
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tools/tiffcmp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c
+index 2a35fe6..f812c7d 100644
+--- a/tools/tiffcmp.c
++++ b/tools/tiffcmp.c
+@@ -103,7 +103,10 @@ main(int argc, char* argv[])
+ 		return (2);
+ 	tif2 = TIFFOpen(argv[optind+1], "r");
+ 	if (tif2 == NULL)
++	{
++		TIFFClose(tif1);
+ 		return (2);
++	}
+ 	dirnum = 0;
+ 	while (tiffcmp(tif1, tif2)) {
+ 		if (!TIFFReadDirectory(tif1)) {
+-- 
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 2ee6cdef73..84c3028b45 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -64,6 +64,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2025-8851.patch \
            file://CVE-2025-9900.patch \
            file://CVE-2025-8961.patch \
+           file://CVE-2025-9165.patch \
            "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
-- 
2.25.1



^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-10-07  7:36 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-07  7:36 [OE-core][kirkstone][PATCH 1/2] tiff: Fix CVE-2025-8961 vanusuri
2025-10-07  7:36 ` [OE-core][kirkstone][PATCH 2/2] tiff: Fix CVE-2025-9165 vanusuri

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox