* [meta][scarthgap][PATCH] tiff: fix CVE-2026-4775
@ 2026-06-12 3:41 Naman Jain
2026-06-12 7:22 ` [OE-core] " Mathieu Dubois-Briand
0 siblings, 1 reply; 3+ messages in thread
From: Naman Jain @ 2026-06-12 3:41 UTC (permalink / raw)
To: openembedded-core
Fix CVE-2026-4775
Reference: https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
Signed-off-by: Naman Jain <namanj1@kpit.com>
---
.../libtiff/tiff/CVE-2026-4775.patch | 59 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 1 +
2 files changed, 60 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch
new file mode 100644
index 0000000000..ed5f0714a6
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2026-4775.patch
@@ -0,0 +1,59 @@
+From 782a11d6b5b61c6dc21e714950a4af5bf89f023c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 22 Feb 2026 23:32:47 +0100
+Subject: [PATCH] TIFFReadRGBAImage(): prevent integer overflow and later heap
+ overflow on images with huge width in YCbCr tile decoding functions
+
+Fixes https://gitlab.com/libtiff/libtiff/-/issues/787
+
+CVE: CVE-2026-4775
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c]
+
+Signed-off-by: Naman Jain <namanj1@kpit.com>
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 4543dddae..fa82d0910 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -2224,7 +2224,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
+ uint32_t *cp1 = cp + w + toskew;
+ uint32_t *cp2 = cp1 + w + toskew;
+ uint32_t *cp3 = cp2 + w + toskew;
+- int32_t incr = 3 * w + 4 * toskew;
++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
+
+ (void)y;
+ /* adjust fromskew */
+@@ -2364,7 +2364,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
+ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ {
+ uint32_t *cp1 = cp + w + toskew;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+
+ (void)y;
+ fromskew = (fromskew / 4) * (4 * 2 + 2);
+@@ -2522,7 +2522,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 2) * (2 * 2 + 2);
+ cp2 = cp + w + toskew;
+@@ -2625,7 +2625,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 1) * (1 * 2 + 2);
+ cp2 = cp + w + toskew;
+--
+GitLab
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index 07540692fc..fca846589f 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-52356.patch \
file://CVE-2024-7006.patch \
file://CVE-2025-9900.patch \
+ file://CVE-2026-4775.patch \
"
SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [meta][scarthgap][PATCH] tiff: fix CVE-2026-4775
2026-06-12 3:41 [meta][scarthgap][PATCH] tiff: fix CVE-2026-4775 Naman Jain
@ 2026-06-12 7:22 ` Mathieu Dubois-Briand
2026-06-12 7:23 ` Mathieu Dubois-Briand
0 siblings, 1 reply; 3+ messages in thread
From: Mathieu Dubois-Briand @ 2026-06-12 7:22 UTC (permalink / raw)
To: nmjain23, openembedded-core
On Fri Jun 12, 2026 at 5:41 AM CEST, Naman Jain via lists.openembedded.org wrote:
> Fix CVE-2026-4775
>
> Reference: https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
>
> Signed-off-by: Naman Jain <namanj1@kpit.com>
> ---
Hi Naman,
Thanks for your patch, but we already have this CVE backport in the
master branch. Was this meant to target a stable branch?
Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] [meta][scarthgap][PATCH] tiff: fix CVE-2026-4775
2026-06-12 7:22 ` [OE-core] " Mathieu Dubois-Briand
@ 2026-06-12 7:23 ` Mathieu Dubois-Briand
0 siblings, 0 replies; 3+ messages in thread
From: Mathieu Dubois-Briand @ 2026-06-12 7:23 UTC (permalink / raw)
To: nmjain23, openembedded-core
On Fri Jun 12, 2026 at 9:22 AM CEST, Mathieu Dubois-Briand wrote:
> On Fri Jun 12, 2026 at 5:41 AM CEST, Naman Jain via lists.openembedded.org wrote:
>> Fix CVE-2026-4775
>>
>> Reference: https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
>>
>> Signed-off-by: Naman Jain <namanj1@kpit.com>
>> ---
>
> Hi Naman,
>
> Thanks for your patch, but we already have this CVE backport in the
> master branch. Was this meant to target a stable branch?
>
> Thanks,
> Mathieu
Hum, looks like I have a bad morning, sorry. Your patch is clearly
targeting scarthgap.
Sorry for the noise,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-12 7:23 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-12 3:41 [meta][scarthgap][PATCH] tiff: fix CVE-2026-4775 Naman Jain
2026-06-12 7:22 ` [OE-core] " Mathieu Dubois-Briand
2026-06-12 7:23 ` Mathieu Dubois-Briand
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox