* [Buildroot] [PATCH 1/1] package/tiff: fix CVE-2022-22844
@ 2022-02-05 14:14 Fabrice Fontaine
2022-02-05 17:24 ` Peter Korsgaard
2022-02-16 21:02 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-02-05 14:14 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in
certain situations involving a custom tag and 0x0200 as the second word
of the DE field.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...lobal-buffer-overflow-for-ASCII-tags.patch | 43 +++++++++++++++++++
package/tiff/tiff.mk | 4 ++
2 files changed, 47 insertions(+)
create mode 100644 package/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags.patch
diff --git a/package/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags.patch b/package/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags.patch
new file mode 100644
index 0000000000..ba1487782e
--- /dev/null
+++ b/package/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags.patch
@@ -0,0 +1,43 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+[Retrieved from:
+https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ tools/tiffset.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index 8c9e23c5..e7a88c09 100644
+--- a/tools/tiffset.c
++++ b/tools/tiffset.c
+@@ -146,9 +146,19 @@ main(int argc, char* argv[])
+
+ arg_index++;
+ if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+- fprintf( stderr, "Failed to set %s=%s\n",
+- TIFFFieldName(fip), argv[arg_index] );
++ if(TIFFFieldPassCount( fip )) {
++ size_t len;
++ len = strlen(argv[arg_index]) + 1;
++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
++ (uint16_t)len, argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ } else {
++ if (TIFFSetField(tiff, TIFFFieldTag(fip),
++ argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ }
+ } else if (TIFFFieldWriteCount(fip) > 0
+ || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+ int ret = 1;
+--
+GitLab
+
diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
index f6c6de12c5..f80ab7ac55 100644
--- a/package/tiff/tiff.mk
+++ b/package/tiff/tiff.mk
@@ -11,6 +11,10 @@ TIFF_LICENSE_FILES = COPYRIGHT
TIFF_CPE_ID_VENDOR = libtiff
TIFF_CPE_ID_PRODUCT = libtiff
TIFF_INSTALL_STAGING = YES
+
+# 0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags.patch
+TIFF_IGNORE_CVES += CVE-2022-22844
+
TIFF_CONF_OPTS = \
--disable-cxx \
--without-x
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/tiff: fix CVE-2022-22844
2022-02-05 14:14 [Buildroot] [PATCH 1/1] package/tiff: fix CVE-2022-22844 Fabrice Fontaine
@ 2022-02-05 17:24 ` Peter Korsgaard
2022-02-16 21:02 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-02-05 17:24 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in
> certain situations involving a custom tag and 0x0200 as the second word
> of the DE field.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/tiff: fix CVE-2022-22844
2022-02-05 14:14 [Buildroot] [PATCH 1/1] package/tiff: fix CVE-2022-22844 Fabrice Fontaine
2022-02-05 17:24 ` Peter Korsgaard
@ 2022-02-16 21:02 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-02-16 21:02 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in
> certain situations involving a custom tag and 0x0200 as the second word
> of the DE field.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-02-16 21:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-05 14:14 [Buildroot] [PATCH 1/1] package/tiff: fix CVE-2022-22844 Fabrice Fontaine
2022-02-05 17:24 ` Peter Korsgaard
2022-02-16 21:02 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.