public inbox for openembedded-core@lists.openembedded.org
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 4/7] tiff: fix CVE-2025-9900
Date: Tue, 30 Sep 2025 12:50:06 -0700
Message-ID: <f4e5cdeccee02d3ea78db91d5dfdcfd017c40ee0.1759260542.git.steve@sakoman.com>
In-Reply-To: <cover.1759260542.git.steve@sakoman.com>

From: Yogita Urade <yogita.urade@windriver.com>

A flaw was found in Libtiff. This vulnerability is a "write-what-where"
condition, triggered when the library processes a specially crafted TIFF
image file.

By providing an abnormally large image height value
in the file's metadata, an attacker can trick the library into writing
attacker-controlled color data to an arbitrary memory location. This
memory corruption can be exploited to cause a denial of service (application
crash) or to achieve arbitrary code execution with the permissions of the user.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9900

Upstream patch:
https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libtiff/tiff/CVE-2025-9900.patch          | 57 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
new file mode 100644
index 0000000000..9199cc6090
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
@@ -0,0 +1,57 @@
+From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+
+CVE: CVE-2025-9900
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99]
+
+Changes-
+- Use old API TIFFWarningExt instead of TIFFWarningExtR.
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a9cd48f..4c807ad 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
+		"No \"put\" routine setupl; probably can not handle image format");
+		return (0);
+     }
++    /* Verify raster width and height against image width and height. */
++    if (h > img->height)
++    {
++        /* Adapt parameters to read only available lines and put image at
++         * the bottom of the raster. */
++        raster += (size_t)(h - img->height) * w;
++        h = img->height;
++    }
++    if (w > img->width)
++    {
++        TIFFWarningExt(img->tif, TIFFFileName(img->tif),
++                        "Raster width of %d shall not be larger than image "
++                        "width of %d -> raster width adapted for reading",
++                        w, img->width);
++        w = img->width;
++    }
+     return (*img->get)(img, raster, w, h);
+ }
+
+@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+
+	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+		img.req_orientation = (uint16_t)orientation;
+-		/* XXX verify rwidth and rheight against width and height */
+-		ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+-			rwidth, img.height);
++        ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+		TIFFRGBAImageEnd(&img);
+	} else {
+		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
+--
+2.40.0
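Review bot: The added TIFFWarningExt() call in TIFFRGBAImageGet() passes img->tif as its first argument, which looks carried over unchanged from the TIFFWarningExtR call that the "Changes-" note says was replaced. The old non-R handlers in this file are given the client-data handle instead, as the unchanged context line TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg) in TIFFReadRGBAImageOriented() shows. Suggest TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif), ...) so that a registered warning handler receives the handle it expects rather than the TIFF pointer. In the same call, w is a uint32_t according to the function signature in the hunk header but is formatted with %d; an unsigned conversion would match. The h > img->height branch moves the raster pointer and clamps h without any message, while the width branch warns; a one-line comment saying the silence is intentional would help the next reader of this backport.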
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 6db4d80cdf..0b4bef4c41 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -62,6 +62,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2024-13978.patch \
            file://CVE-2025-8534.patch \
            file://CVE-2025-8851.patch \
+           file://CVE-2025-9900.patch \
            "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
-- 
2.43.0