From: "Steve Sakoman" <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 02/26] tiff: Add fix for CVE-2020-35521 and CVE-2020-35522
Date: Tue,  1 Jun 2021 04:17:50 -1000	[thread overview]
Message-ID: <03a65159093e0b2df4bc867c873b5c43721b9a9c.1622556919.git.steve@sakoman.com> (raw)
In-Reply-To: <cover.1622556919.git.steve@sakoman.com>

From: akash hadke <akash.hadke@kpit.com>

Added fix for CVE-2020-35521 and CVE-2020-35522
Link: https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch

Added below support patches for CVE-2020-35521 and CVE-2020-35522

1. 001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch

2. 002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
Link: https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch

Signed-off-by: akash hadke <akash.hadke@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...or_CVE-2020-35521_and_CVE-2020-35522.patch | 148 ++++++++++++++++++
 ...or_CVE-2020-35521_and_CVE-2020-35522.patch |  27 ++++
 .../CVE-2020-35521_and_CVE-2020-35522.patch   | 119 ++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   3 +
 4 files changed, 297 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch

diff --git a/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..9b4724a325
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,148 @@
+From 02875964eba5c4a2ea98c41562835428214adfe7 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 7 Mar 2020 13:21:56 +0100
+Subject: [PATCH] tiff2rgba: output usage to stdout when using -h
+
+also uses std C EXIT_FAILURE / EXIT_SUCCESS
+see #17
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 39 ++++++++++++++++++++++++---------------
+ 1 file changed, 24 insertions(+), 15 deletions(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 2eb6f6c4..ef643653 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -39,6 +39,13 @@
+ #include "tiffiop.h"
+ #include "tiffio.h"
+ 
++#ifndef EXIT_SUCCESS
++#define EXIT_SUCCESS 0
++#endif
++#ifndef EXIT_FAILURE
++#define EXIT_FAILURE 1
++#endif
++
+ #define	streq(a,b)	(strcmp(a,b) == 0)
+ #define	CopyField(tag, v) \
+     if (TIFFGetField(in, tag, &v)) TIFFSetField(out, tag, v)
+@@ -68,7 +75,7 @@ main(int argc, char* argv[])
+ 	extern char *optarg;
+ #endif
+ 
+-	while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++	while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
+ 		switch (c) {
+ 			case 'b':
+ 				process_by_block = 1;
+@@ -86,7 +93,7 @@ main(int argc, char* argv[])
+ 				else if (streq(optarg, "zip"))
+ 					compression = COMPRESSION_DEFLATE;
+ 				else
+-					usage(-1);
++					usage(EXIT_FAILURE);
+ 				break;
+ 
+ 			case 'r':
+@@ -105,17 +112,20 @@ main(int argc, char* argv[])
+ 				bigtiff_output = 1;
+ 				break;
+ 
++			case 'h':
++				usage(EXIT_SUCCESS);
++				/*NOTREACHED*/
+ 			case '?':
+-				usage(0);
++				usage(EXIT_FAILURE);
+ 				/*NOTREACHED*/
+ 		}
+ 
+ 	if (argc - optind < 2)
+-		usage(-1);
++		usage(EXIT_FAILURE);
+ 
+ 	out = TIFFOpen(argv[argc-1], bigtiff_output?"w8":"w");
+ 	if (out == NULL)
+-		return (-2);
++		return (EXIT_FAILURE);
+ 
+ 	for (; optind < argc-1; optind++) {
+ 		in = TIFFOpen(argv[optind], "r");
+@@ -132,7 +142,7 @@ main(int argc, char* argv[])
+ 		}
+ 	}
+ 	(void) TIFFClose(out);
+-	return (0);
++	return (EXIT_SUCCESS);
+ }
+ 
+ static int
+@@ -166,7 +176,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+     if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+     {
+ 	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+-	exit(-1);
++	exit(EXIT_FAILURE);
+     }
+     raster = (uint32*)_TIFFmalloc(rastersize);
+     if (raster == 0) {
+@@ -182,7 +192,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+     if (tile_width != wrk_linesize / sizeof (uint32))
+     {
+         TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+-	exit(-1);
++	exit(EXIT_FAILURE);
+     }
+     wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+     if (!wrk_line) {
+@@ -279,7 +289,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+     if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+     {
+ 	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+-	exit(-1);
++	exit(EXIT_FAILURE);
+     }
+     raster = (uint32*)_TIFFmalloc(rastersize);
+     if (raster == 0) {
+@@ -295,7 +305,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+     if (width != wrk_linesize / sizeof (uint32))
+     {
+         TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+-	exit(-1);
++	exit(EXIT_FAILURE);
+     }
+     wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+     if (!wrk_line) {
+@@ -528,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+             return( cvt_whole_image( in, out ) );
+ }
+ 
+-static char* stuff[] = {
++const static char* stuff[] = {
+     "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+     "where comp is one of the following compression algorithms:",
+     " jpeg\t\tJPEG encoding",
+@@ -547,13 +557,12 @@ static char* stuff[] = {
+ static void
+ usage(int code)
+ {
+-	char buf[BUFSIZ];
+ 	int i;
++	FILE * out = (code == EXIT_SUCCESS) ? stdout : stderr;
+ 
+-	setbuf(stderr, buf);
+-        fprintf(stderr, "%s\n\n", TIFFGetVersion());
++        fprintf(out, "%s\n\n", TIFFGetVersion());
+ 	for (i = 0; stuff[i] != NULL; i++)
+-		fprintf(stderr, "%s\n", stuff[i]);
++		fprintf(out, "%s\n", stuff[i]);
+ 	exit(code);
+ }
+ 
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..b6e1842a54
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,27 @@
+From ca70b5e702b9f503333344b2d46691de9feae84e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 3 Oct 2020 18:16:27 +0200
+Subject: [PATCH] tiff2rgba.c: fix -Wold-style-declaration warning
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index ef643653..fbc383aa 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -538,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+             return( cvt_whole_image( in, out ) );
+ }
+ 
+-const static char* stuff[] = {
++static const char* stuff[] = {
+     "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+     "where comp is one of the following compression algorithms:",
+     " jpeg\t\tJPEG encoding",
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..129721ff3e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,119 @@
+From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
+
+fixes #207
+fixes #209
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+---
+CVE: CVE-2020-35521
+CVE: CVE-2020-35522
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index fbc383aa..764395f6 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+ 
+ 
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -75,8 +79,11 @@ main(int argc, char* argv[])
+ 	extern char *optarg;
+ #endif
+ 
+-	while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
++	while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)
+ 		switch (c) {
++			case 'M':
++				maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++				break;
+ 			case 'b':
+ 				process_by_block = 1;
+ 				break;
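Review bot: The new `case 'M':` assigns `maxMalloc` from `strtoul(optarg, NULL, 0)` with no end-pointer or range check, so an argument that does not parse as a number yields 0, which the comment on `maxMalloc` defines as "disabled", and the cap this patch introduces is silently switched off. A very large value can also overflow the signed `tmsize_t` in the `<< 20`, and a negative result would make every later `> maxMalloc` comparison true. I would reject empty or partly numeric input and any MiB count whose byte value does not fit, then call `usage(EXIT_FAILURE)`; the sketch assumes `TIFF_TMSIZE_T_MAX` from tiffiop.h is available in this release. main's body starts and ends outside the hunk.

```c
			case 'M': {
				char *end = NULL;
				unsigned long mib = strtoul(optarg, &end, 0);

				/* reject empty or partly numeric input, and MiB counts
				 * whose byte value would not fit in tmsize_t */
				if (end == optarg || *end != '\0' ||
				    (uint64)mib > (uint64)(TIFF_TMSIZE_T_MAX >> 20))
					usage(EXIT_FAILURE);
				maxMalloc = (tmsize_t)mib << 20;
				break;
			}
			/* … unchanged: case 'b' and the remaining options … */
```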
+@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ 		  (unsigned long)width, (unsigned long)height);
+         return 0;
+     }
++    if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++	TIFFError(TIFFFileName(in),
++		  "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++		  (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++        return 0;
++    }
+ 
+     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
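Review bot: The limit check added to cvt_whole_image multiplies in `tmsize_t`, which is signed and may be only 32 bits wide on some builds, so `(tmsize_t)pixel_count * (tmsize_t)sizeof(uint32)` can overflow before the comparison and let an oversized raster past the limit. Dividing instead keeps the comparison exact: `if (maxMalloc != 0 && (uint64)pixel_count > (uint64)maxMalloc / sizeof(uint32)) {`. The declaration of `pixel_count` is outside the hunk, so its width is inferred from the casts used here. cvt_whole_image starts and ends outside the hunk.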
+@@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ 	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ 	CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+ 
++	if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++	{
++		TIFFError(TIFFFileName(in),
++			  "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++			  (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++		return 0;
++	}
+         if( process_by_block && TIFFIsTiled( in ) )
+             return( cvt_by_tile( in, out ) );
+         else if( process_by_block )
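Review bot: The check added to tiffcvt compares only `TIFFStripSize(in)` with `maxMalloc`, while the `-b` paths allocate an RGBA buffer sized separately (`rastersize` and `wrk_linesize` in cvt_by_tile and cvt_by_strip, visible in the first support patch), and no hunk in this patch bounds those allocations. If the limit is meant to cover every raster buffer, each of those functions should test `maxMalloc != 0 && (uint64)rastersize > (uint64)maxMalloc` before its `_TIFFmalloc` call and return 0 with a TIFFError. Whether the strip size is a sufficient proxy for tiled input cannot be judged from the visible lines. tiffcvt starts outside the hunk.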
+@@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+ 
+ static const char* stuff[] = {
+-    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+     "where comp is one of the following compression algorithms:",
+     " jpeg\t\tJPEG encoding",
+     " zip\t\tZip/Deflate encoding",
+@@ -551,6 +571,7 @@ static const char* stuff[] = {
+     " -b (progress by block rather than as a whole image)",
+     " -n don't emit alpha component.",
+     " -8 write BigTIFF file instead of ClassicTIFF",
++    " -M set the memory allocation limit in MiB. 0 to disable limit",
+     NULL
+ };
+ 
+-- 
+GitLab
+
+
+From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:08:42 +0100
+Subject: [PATCH 2/2] tiff2rgba.1: -M option
+
+---
+ man/tiff2rgba.1 | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
+index d9c9baae..fe9ebb2c 100644
+--- a/man/tiff2rgba.1
++++ b/man/tiff2rgba.1
+@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
+ Currently this does not work if the
+ .B \-b
+ flag is also in effect.
++.TP
++.BI \-M " size"
++Set maximum memory allocation size (in MiB). The default is 256MiB.
++Set to 0 to disable the limit.
+ .SH "SEE ALSO"
+ .BR tiff2bw (1),
+ .BR TIFFReadRGBAImage (3t),
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index cfea18ed29..43f210111d 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -12,6 +12,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2020-35523.patch  \
            file://CVE-2020-35524-1.patch \
            file://CVE-2020-35524-2.patch \
+           file://001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+           file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+           file://CVE-2020-35521_and_CVE-2020-35522.patch \
           "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
-- 
2.25.1

