* [PATCH 1/2] cups: upgrade to 2.4.6
@ 2023-07-03 12:30 ross.burton
2023-07-03 12:30 ` [PATCH 2/2] tiff: upgrade to 4.5.1 ross.burton
0 siblings, 1 reply; 2+ messages in thread
From: ross.burton @ 2023-07-03 12:30 UTC (permalink / raw)
To: openembedded-core; +Cc: nd
From: Ross Burton <ross.burton@arm.com>
This resolves CVE-2023-34241.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
meta/recipes-extended/cups/cups.inc | 1 -
.../cups/cups/CVE-2023-32324.patch | 36 -------------------
.../cups/{cups_2.4.2.bb => cups_2.4.6.bb} | 2 +-
3 files changed, 1 insertion(+), 38 deletions(-)
delete mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch
rename meta/recipes-extended/cups/{cups_2.4.2.bb => cups_2.4.6.bb} (51%)
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index d77758fd3f4..da320b10855 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,7 +15,6 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
file://0004-cups-fix-multilib-install-file-conflicts.patch \
file://volatiles.99_cups \
file://cups-volatiles.conf \
- file://CVE-2023-32324.patch \
"
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
deleted file mode 100644
index 40b89c98998..00000000000
--- a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal <zdohnal@redhat.com>
-Date: Thu, 1 Jun 2023 12:04:00 +0200
-Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324)
-
-CVE: CVE-2023-32324
-Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589]
-
-(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e)
-Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
----
- cups/string.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/cups/string.c b/cups/string.c
-index 93cdad19..6ef58515 100644
---- a/cups/string.c
-+++ b/cups/string.c
-@@ -1,6 +1,7 @@
- /*
- * String functions for CUPS.
- *
-+ * Copyright © 2023 by OpenPrinting.
- * Copyright © 2007-2019 by Apple Inc.
- * Copyright © 1997-2007 by Easy Software Products.
- *
-@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */
- size_t srclen; /* Length of source string */
-
-
-+ if (size == 0)
-+ return (0);
-+
- /*
- * Figure out how much room is needed...
- */
diff --git a/meta/recipes-extended/cups/cups_2.4.2.bb b/meta/recipes-extended/cups/cups_2.4.6.bb
similarity index 51%
rename from meta/recipes-extended/cups/cups_2.4.2.bb
rename to meta/recipes-extended/cups/cups_2.4.6.bb
index f5ca749bacb..58029fdbd4d 100644
--- a/meta/recipes-extended/cups/cups_2.4.2.bb
+++ b/meta/recipes-extended/cups/cups_2.4.6.bb
@@ -2,4 +2,4 @@ require cups.inc
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRC_URI[sha256sum] = "f03ccb40b087d1e30940a40e0141dcbba263f39974c20eb9f2521066c9c6c908"
+SRC_URI[sha256sum] = "58e970cf1955e1cc87d0847c32526d9c2ccee335e5f0e3882b283138ba0e7262"
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH 2/2] tiff: upgrade to 4.5.1
2023-07-03 12:30 [PATCH 1/2] cups: upgrade to 2.4.6 ross.burton
@ 2023-07-03 12:30 ` ross.burton
0 siblings, 0 replies; 2+ messages in thread
From: ross.burton @ 2023-07-03 12:30 UTC (permalink / raw)
To: openembedded-core; +Cc: nd
From: Ross Burton <ross.burton@arm.com>
Also remove old CVE_CHECK_IGNOREs which are no longer needed due to CPE
updates.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
.../libtiff/files/CVE-2022-48281.patch | 29 ------
.../libtiff/files/CVE-2023-26965.patch | 99 -------------------
.../libtiff/files/CVE-2023-2731.patch | 39 --------
.../libtiff/{tiff_4.5.0.bb => tiff_4.5.1.bb} | 13 +--
4 files changed, 2 insertions(+), 178 deletions(-)
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
rename meta/recipes-multimedia/libtiff/{tiff_4.5.0.bb => tiff_4.5.1.bb} (82%)
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
deleted file mode 100644
index e356d377ead..00000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-CVE: CVE-2022-48281
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001
-From: Su Laus <sulau@freenet.de>
-Date: Sat, 21 Jan 2023 15:58:10 +0000
-Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
-
----
- tools/tiffcrop.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 14fa18da..7db69883 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
- cropsize + NUM_BUFF_OVERSIZE_BYTES);
- else
- {
-- prev_cropsize = seg_buffs[0].size;
-+ prev_cropsize = seg_buffs[i].size;
- if (prev_cropsize < cropsize)
- {
- next_buff = _TIFFrealloc(
---
-GitLab
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
deleted file mode 100644
index 5fdc1ed0139..00000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
-From: Su_Laus <sulau@freenet.de>
-Date: Tue, 14 Feb 2023 20:43:43 +0100
-Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
- Fix issue 527
-
-Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
-
-Closes #527
-
-CVE: CVE-2023-26965
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
-Signed-off-by: Natasha Bailey <nat.bailey@windriver.com>
----
- tools/tiffcrop.c | 47 +++++++++++++----------------------------------
- 1 file changed, 13 insertions(+), 34 deletions(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index d7ad5ca8..d3e11ba2 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
- uint32_t tw = 0, tl = 0; /* Tile width and length */
- tmsize_t tile_rowsize = 0;
- unsigned char *read_buff = NULL;
-- unsigned char *new_buff = NULL;
- int readunit = 0;
-- static tmsize_t prev_readsize = 0;
-
- TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
- TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
-@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
- }
-
- read_buff = *read_ptr;
-- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
-- /* outside buffer */
-- if (!read_buff)
-+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
-+ * outside buffer */
-+ /* Reuse of read_buff from previous image is quite unsafe, because other
-+ * functions (like rotateImage() etc.) reallocate that buffer with different
-+ * size without updating the local prev_readsize value. */
-+ if (read_buff)
- {
-- if (buffsize > 0xFFFFFFFFU - 3)
-- {
-- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-- return (-1);
-- }
-- read_buff =
-- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
-+ _TIFFfree(read_buff);
- }
-- else
-+ if (buffsize > 0xFFFFFFFFU - 3)
- {
-- if (prev_readsize < buffsize)
-- {
-- if (buffsize > 0xFFFFFFFFU - 3)
-- {
-- TIFFError("loadImage",
-- "Unable to allocate/reallocate read buffer");
-- return (-1);
-- }
-- new_buff =
-- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
-- if (!new_buff)
-- {
-- free(read_buff);
-- read_buff = (unsigned char *)limitMalloc(
-- buffsize + NUM_BUFF_OVERSIZE_BYTES);
-- }
-- else
-- read_buff = new_buff;
-- }
-+ TIFFError("loadImage", "Required read buffer size too large");
-+ return (-1);
- }
-+ read_buff =
-+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!read_buff)
- {
-- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-+ TIFFError("loadImage", "Unable to allocate read buffer");
- return (-1);
- }
-
-@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
- read_buff[buffsize + 1] = 0;
- read_buff[buffsize + 2] = 0;
-
-- prev_readsize = buffsize;
- *read_ptr = read_buff;
-
- /* N.B. The read functions used copy separate plane data into a buffer as
---
-2.39.0
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
deleted file mode 100644
index 7db0a35f72b..00000000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2023-2731.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 29 Apr 2023 12:20:46 +0200
-Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
- strip whith a missing end-of-information marker (fixes #548)
-
-CVE: CVE-2023-2731
-Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b]
-
----
- libtiff/tif_lzw.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
-index ba75a07e..d631fa10 100644
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s)
-
- if (sp->read_error)
- {
-+ TIFFErrorExtR(tif, module,
-+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
-+ "previous error",
-+ tif->tif_row);
- return 0;
- }
-
-@@ -742,6 +746,7 @@ after_loop:
- return (1);
-
- no_eoi:
-+ sp->read_error = 1;
- TIFFErrorExtR(tif, module,
- "LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
- tif->tif_curstrip);
---
-2.34.1
-
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
similarity index 82%
rename from meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
rename to meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index 2bde8fe9d65..5af3f842650 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -8,13 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a3e32d664d6db1386b4689c8121531c3"
CVE_PRODUCT = "libtiff"
-SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
- file://CVE-2022-48281.patch \
- file://CVE-2023-2731.patch \
- file://CVE-2023-26965.patch \
-"
+SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz"
-SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c423464"
+SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b"
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
@@ -22,11 +18,6 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
# and 4.3.0 doesn't have the issue
CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
inherit autotools multilib_header
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-07-03 12:31 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-07-03 12:30 [PATCH 1/2] cups: upgrade to 2.4.6 ross.burton
2023-07-03 12:30 ` [PATCH 2/2] tiff: upgrade to 4.5.1 ross.burton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).