Re: [OE-core][scarthgap][PATCH 3/3] tiff: ignore CVE-2025-61143, CVE-2025-61144 and CVE-2025-61145

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: "Yoann Congal" <yoann.congal@smile.fr>
To: "Marko, Peter" <Peter.Marko@siemens.com>,
	"ankur.tyagi85@gmail.com" <ankur.tyagi85@gmail.com>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][scarthgap][PATCH 3/3] tiff: ignore CVE-2025-61143, CVE-2025-61144 and CVE-2025-61145
Date: Wed, 18 Mar 2026 15:54:21 +0100	[thread overview]
Message-ID: <DH5ZT3815YCS.3KCLUDAHIOFAB@smile.fr> (raw)
In-Reply-To: <AS1PR10MB56979261E8061598669F8586FD4EA@AS1PR10MB5697.EURPRD10.PROD.OUTLOOK.COM>

On Wed Mar 18, 2026 at 2:58 PM CET, Peter Marko wrote:
>
>
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of Yoann Congal via
>> lists.openembedded.org
>> Sent: Wednesday, March 18, 2026 14:42
>> To: ankur.tyagi85@gmail.com; openembedded-core@lists.openembedded.org
>> Subject: Re: [OE-core][scarthgap][PATCH 3/3] tiff: ignore CVE-2025-61143, CVE-
>> 2025-61144 and CVE-2025-61145
>> 
>> On Sat Mar 7, 2026 at 7:45 AM CET, Ankur Tyagi via lists.openembedded.org
>> wrote:
>> > From: Ankur Tyagi <ankur.tyagi85@gmail.com>
>> >
>> > These CVEs are for tools which were removed in v4.6.0[1]
>> >
>> > [1]https://gitlab.com/libtiff/libtiff/-
>> /commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45
>> >
>> > Details:
>> > https://nvd.nist.gov/vuln/detail/CVE-2025-61143
>> 
>> This CVE: "libtiff up to v4.7.1 was discovered to contain a NULL pointer
>> dereference via the component libtiff/tif_open.c."
>> 
>> Despite tools being removed in the commit you mentionned
>> libtiff/tif_open.c was not touched and the patch linked by NVD apply to
>> files outside of "archive/" were the removed tools are...
>> 
>> Are you sure we can ignore this CVE?
>> 
>> FYI, Peter patched it on kirkstone:
>> [OE-core][kirkstone 07/17] tiff: patch CVE-2025-61143 - Yoann Congal
>> https://lore.kernel.org/openembedded-
>> core/944f481d214bebeaf51769d77fe16cd93cbff351.1773652940.git.yoann.congal
>> @smile.fr/
>> 
>> Regards,
>
> If I remember correctly, the archived files are not included in release tarball.
> We're not fetching the git repository in our recipe.

Indeed, we don't have tools/tiffcrop.c nor tools/tiffdither.c (the files
patched by the NVD linked merge request) in our sources. So the added
CVE_STATUS looks correct.

Thanks Peter.

I will take this with a note for clarification.

>
> Peter
>
>> 
>> > https://nvd.nist.gov/vuln/detail/CVE-2025-61144
>> > https://nvd.nist.gov/vuln/detail/CVE-2025-61145
>> >
>> > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
>> > ---
>> >  meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 2 +-
>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-
>> multimedia/libtiff/tiff_4.6.0.bb
>> > index 777783d7cc..07540692fc 100644
>> > --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
>> > +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
>> > @@ -29,7 +29,7 @@ CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested
>> with check from https://secur
>> >  CVE_STATUS[CVE-2023-3164] = "cpe-incorrect: Issue only affects the tiffcrop
>> tool not compiled by default since 4.6.0"
>> >
>> >  CVE_STATUS_GROUPS += "CVE_STATUS_REMOVED_TOOLS"
>> > -CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-
>> 2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961"
>> > +CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-
>> 2025-8177 CVE-2025-8534 CVE-2025-8851 CVE-2025-8961 CVE-2025-61143 CVE-
>> 2025-61144 CVE-2025-61145"
>> >  CVE_STATUS_REMOVED_TOOLS[status] = "cpe-incorrect: tools affected by
>> these CVEs are not present in this release"
>> >
>> >  inherit autotools multilib_header
>> 
>> 
>> --
>> Yoann Congal
>> Smile ECS


-- 
Yoann Congal
Smile ECS

next prev parent reply	other threads:[~2026-03-18 14:54 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-07  6:45 [OE-core][scarthgap][PATCH 1/3] tzdata,tzcode-native: Upgrade 2025b -> 2025c ankur.tyagi85
2026-03-07  6:45 ` [OE-core][scarthgap][PATCH 2/3] wireless-regdb: upgrade 2025.10.07 -> 2026.02.04 ankur.tyagi85
2026-03-07  6:45 ` [OE-core][scarthgap][PATCH 3/3] tiff: ignore CVE-2025-61143, CVE-2025-61144 and CVE-2025-61145 ankur.tyagi85
2026-03-18 13:42   ` Yoann Congal
2026-03-18 13:58     ` Marko, Peter
2026-03-18 14:54       ` Yoann Congal [this message]
2026-03-25  2:16 ` [OE-core][scarthgap][PATCH 1/3] tzdata,tzcode-native: Upgrade 2025b -> 2025c Vijay Anusuri
2026-03-25  9:27   ` Yoann Congal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DH5ZT3815YCS.3KCLUDAHIOFAB@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=Peter.Marko@siemens.com \
    --cc=ankur.tyagi85@gmail.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox