[kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953


Teoh, Jay Shen
 

From: Teoh Jay Shen <jay.shen.teoh@...>

Link for the patch : https://gitlab.com/libtiff/libtiff/-/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3

Signed-off-by: Teoh Jay Shen <jay.shen.teoh@...>
---
.../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 +
2 files changed, 87 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
new file mode 100644
index 0000000000..2122b46566
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2022-2953
+Upstream-Status: Backport
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@...>
+
+From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@...>
+Date: Mon, 15 Aug 2022 22:11:03 +0200
+Subject: [PATCH] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
+ =?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20ti?=
+ =?UTF-8?q?ffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually?=
+ =?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),=20-?=
+ =?UTF-8?q?Z=20and=20-z.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
+
+This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
+---
+ tools/tiffcrop.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 90286a5e..c3b758ec 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
+ #define ROTATECW_270 32
+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
+
+-#define CROP_NONE 0
+-#define CROP_MARGINS 1
+-#define CROP_WIDTH 2
+-#define CROP_LENGTH 4
+-#define CROP_ZONES 8
+-#define CROP_REGIONS 16
++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
++#define CROP_MARGINS 1 /* "-m" */
++#define CROP_WIDTH 2 /* "-X" */
++#define CROP_LENGTH 4 /* "-Y" */
++#define CROP_ZONES 8 /* "-Z" */
++#define CROP_REGIONS 16 /* "-z" */
+ #define CROP_ROTATE 32
+ #define CROP_MIRROR 64
+ #define CROP_INVERT 128
+@@ -316,7 +316,7 @@ struct crop_mask {
+ #define PAGE_MODE_RESOLUTION 1
+ #define PAGE_MODE_PAPERSIZE 2
+ #define PAGE_MODE_MARGINS 4
+-#define PAGE_MODE_ROWSCOLS 8
++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
+
+ #define INVERT_DATA_ONLY 10
+ #define INVERT_DATA_AND_TAG 11
+@@ -781,7 +781,7 @@ static const char usage_info[] =
+ " The four debug/dump options are independent, though it makes little sense to\n"
+ " specify a dump file without specifying a detail level.\n"
+ "\n"
+-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+ " In no case should the options be applied to a given selection successively.\n"
+ "\n"
+ ;
+@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+ /*NOTREACHED*/
+ }
+ }
+- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
+- char XY, Z, R;
++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
++ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
+- if ((XY && Z) || (XY && R) || (Z && R)) {
+- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
++ S = (page->mode & PAGE_MODE_ROWSCOLS);
++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
+ } /* end process_command_opts */
+--
+2.34.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
index e30df0b3e9..caf6f60479 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
file://CVE-2022-34526.patch \
+ file://CVE-2022-2953.patch \
"

SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
--
2.37.3


Qiu, Zheng
 

kirkstone now has tiff version 4.3.0.

As described in https://nvd.nist.gov/vuln/detail/CVE-2022-2953, this issue is reported here: https://gitlab.com/libtiff/libtiff/-/issues/414

Tested with libtiff source code on version 4.3.0 by using " /libtiff$ git checkout v3.3.0", and follow the step listed in the bug report, cannot reproduce the bug.

Use " /libtiff$ git checkout b51bb157", is able to reproduce the problem following step listed above. That confirms the issue occurred after v3.3.0, and the commit that brings the bug is not on kirkstone, which means the issue/fix is not applicable for kirkstone.

Zheng Qiu
Linux Developer
_______________
Wind River
M/ (437) 341-1849

-----Original Message-----
From: openembedded-core@... <openembedded-
core@...> On Behalf Of Teoh, Jay Shen
Sent: Thursday, September 29, 2022 4:33 AM
To: openembedded-core@...
Subject: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953

[Please note: This e-mail is from an EXTERNAL e-mail address]

From: Teoh Jay Shen <jay.shen.teoh@...>

Link for the patch : https://gitlab.com/libtiff/libtiff/-
/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3

Signed-off-by: Teoh Jay Shen <jay.shen.teoh@...>
---
.../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 +
2 files changed, 87 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-
2953.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
new file mode 100644
index 0000000000..2122b46566
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2022-2953
+Upstream-Status: Backport
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@...>
+
+From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00
2001
+From: Su_Laus <sulau@...>
+Date: Mon, 15 Aug 2022 22:11:03 +0200
+Subject: [PATCH]
+=?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
+
+=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20
+ti?=
+=?UTF-8?q?ffcrop=20option=20=E2=80=9E-
S=E2=80=9C=20is=20also=20mutually
+?=
+=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-
Y),=2
+0-?=
+ =?UTF-8?q?Z=20and=20-z.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is now checked and ends tiffcrop if those arguments are not mutually
exclusive.
+
+This MR will fix the following tiffcrop issues: #349, #414, #422, #423,
+#424
+---
+ tools/tiffcrop.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index
+90286a5e..c3b758ec 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
+ #define ROTATECW_270 32
+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
+
+-#define CROP_NONE 0
+-#define CROP_MARGINS 1
+-#define CROP_WIDTH 2
+-#define CROP_LENGTH 4
+-#define CROP_ZONES 8
+-#define CROP_REGIONS 16
++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page-
rows/->cols != 0 */
++#define CROP_MARGINS 1 /* "-m" */
++#define CROP_WIDTH 2 /* "-X" */
++#define CROP_LENGTH 4 /* "-Y" */
++#define CROP_ZONES 8 /* "-Z" */
++#define CROP_REGIONS 16 /* "-z" */
+ #define CROP_ROTATE 32
+ #define CROP_MIRROR 64
+ #define CROP_INVERT 128
+@@ -316,7 +316,7 @@ struct crop_mask {
+ #define PAGE_MODE_RESOLUTION 1
+ #define PAGE_MODE_PAPERSIZE 2
+ #define PAGE_MODE_MARGINS 4
+-#define PAGE_MODE_ROWSCOLS 8
++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
+
+ #define INVERT_DATA_ONLY 10
+ #define INVERT_DATA_AND_TAG 11
+@@ -781,7 +781,7 @@ static const char usage_info[] =
+ " The four debug/dump options are independent, though it makes
little sense to\n"
+ " specify a dump file without specifying a detail level.\n"
+ "\n"
+-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+ " In no case should the options be applied to a given selection
successively.\n"
+ "\n"
+ ;
+@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char
*argv[], char *mp, char *mode, uint32
+ /*NOTREACHED*/
+ }
+ }
+- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are
mutually exclusive) --*/
+- char XY, Z, R;
++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are
mutually exclusive) --*/
++ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data-
crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
+- if ((XY && Z) || (XY && R) || (Z && R)) {
+- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are
mutually exclusive.->Exit");
++ S = (page->mode & PAGE_MODE_ROWSCOLS);
++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S))
{
++ TIFFError("tiffcrop input error", "The crop options(-X|-Y),
++ -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
+ } /* end process_command_opts */
+--
+2.34.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-
multimedia/libtiff/tiff_4.4.0.bb
index e30df0b3e9..caf6f60479 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
file://CVE-2022-34526.patch \
+ file://CVE-2022-2953.patch \
"

SRC_URI[sha256sum] =
"917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed
"
--
2.37.3


Randy MacLeod
 

On 2022-10-19 15:32, Qiu, Zheng wrote:
kirkstone now has tiff version 4.3.0.

As described in https://nvd.nist.gov/vuln/detail/CVE-2022-2953, this issue is reported here: https://gitlab.com/libtiff/libtiff/-/issues/414

Tested with libtiff source code on version 4.3.0 by using " /libtiff$ git checkout v3.3.0", and follow the step listed in the bug report, cannot reproduce the bug.

Use " /libtiff$ git checkout b51bb157", is able to reproduce the problem following step listed above. That confirms the issue occurred after v3.3.0, and the commit that brings the bug is not on kirkstone, which means the issue/fix is not applicable for kirkstone.
Hold on...

We also checked, because I'm paranoid, by doing:

$ cd .../poky-contrib.git
$ git checkout stable/kirkstone-nut
$ git pull
$ cd ...
$ .  ../poky-contrib.git/tiff-patches
$ bitbake -c patch tiff

$ mkdir cp-tiff-patch-by-bb-kirkstone-nut
$ cp -a tmp/work/core2-64-poky-linux/tiff/4.3.0-r0 cp-tiff-patch-by-bb-kirkstone-nut/
$ cd cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0
$ ./autogen.sh
$ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
$ make -j; make install; make clean
$ wget https://gitlab.com/libtiff/libtiff/uploads/54e5139c4d9d6b740f537c691aad2b03/poc
$ ./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300  -S 2:2  -i poc /tmp/foo

and a very similar issue still occurs.

See log below. We'll investigate more and send a patch as needed.

We will enable the address sanitizer and check if the issue
is reproducible in qemux86-64.

../Randy


...

loadImage: Image lacks Photometric interpretation tag.
TIFFFillStrip: Read error on strip 0; got 672 bytes, expected 1142418.
=================================================================
==269609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd1864ff695 at pc 0x55de6ca63f9a bp 0x7ffe727049a0 sp 0x7ffe72704990
READ of size 1 at 0x7fd1864ff695 thread T0
    #0 0x55de6ca63f99 in extractImageSection /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897
    #1 0x55de6ca6515a in writeImageSections /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:7085
    #2 0x55de6ca4abe9 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2453
    #3 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7fd189b39e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #5 0x55de6ca413a4 in _start (/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/build_asan/bin/tiffcrop+0x2a3a4)

0x7fd1864ff695 is located 0 bytes to the right of 1142421-byte region [0x7fd1863e8800,0x7fd1864ff695)
allocated by thread T0 here:
    #0 0x7fd18a0a1867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55de6cadcd83 in _TIFFmalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/libtiff/tif_unix.c:314
    #2 0x55de6ca41543 in limitMalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:627
    #3 0x55de6ca61299 in loadImage /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6212
    #4 0x55de6ca4a4a1 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2376
    #5 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897 in extractImageSection
Shadow bytes around the buggy address:
  0x0ffab0c97e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffab0c97e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffab0c97ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffab0c97eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffab0c97ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffab0c97ed0: 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffab0c97ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffab0c97ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffab0c97f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffab0c97f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffab0c97f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==269609==ABORTING


Zheng Qiu
Linux Developer
_______________
Wind River
M/ (437) 341-1849

-----Original Message-----
From: openembedded-core@... <openembedded-
core@...> On Behalf Of Teoh, Jay Shen
Sent: Thursday, September 29, 2022 4:33 AM
To: openembedded-core@...
Subject: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953

[Please note: This e-mail is from an EXTERNAL e-mail address]

From: Teoh Jay Shen <jay.shen.teoh@...>

Link for the patch : https://gitlab.com/libtiff/libtiff/-
/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3

Signed-off-by: Teoh Jay Shen <jay.shen.teoh@...>
---
.../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 +
2 files changed, 87 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-
2953.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
new file mode 100644
index 0000000000..2122b46566
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2022-2953
+Upstream-Status: Backport
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@...>
+
+From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00
2001
+From: Su_Laus <sulau@...>
+Date: Mon, 15 Aug 2022 22:11:03 +0200
+Subject: [PATCH]
+=?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
+
+=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20
+ti?=
+=?UTF-8?q?ffcrop=20option=20=E2=80=9E-
S=E2=80=9C=20is=20also=20mutually
+?=
+=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-
Y),=2
+0-?=
+ =?UTF-8?q?Z=20and=20-z.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is now checked and ends tiffcrop if those arguments are not mutually
exclusive.
+
+This MR will fix the following tiffcrop issues: #349, #414, #422, #423,
+#424
+---
+ tools/tiffcrop.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index
+90286a5e..c3b758ec 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
+ #define ROTATECW_270 32
+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
+
+-#define CROP_NONE 0
+-#define CROP_MARGINS 1
+-#define CROP_WIDTH 2
+-#define CROP_LENGTH 4
+-#define CROP_ZONES 8
+-#define CROP_REGIONS 16
++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page-
rows/->cols != 0 */
++#define CROP_MARGINS 1 /* "-m" */
++#define CROP_WIDTH 2 /* "-X" */
++#define CROP_LENGTH 4 /* "-Y" */
++#define CROP_ZONES 8 /* "-Z" */
++#define CROP_REGIONS 16 /* "-z" */
+ #define CROP_ROTATE 32
+ #define CROP_MIRROR 64
+ #define CROP_INVERT 128
+@@ -316,7 +316,7 @@ struct crop_mask {
+ #define PAGE_MODE_RESOLUTION 1
+ #define PAGE_MODE_PAPERSIZE 2
+ #define PAGE_MODE_MARGINS 4
+-#define PAGE_MODE_ROWSCOLS 8
++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
+
+ #define INVERT_DATA_ONLY 10
+ #define INVERT_DATA_AND_TAG 11
+@@ -781,7 +781,7 @@ static const char usage_info[] =
+ " The four debug/dump options are independent, though it makes
little sense to\n"
+ " specify a dump file without specifying a detail level.\n"
+ "\n"
+-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+ " In no case should the options be applied to a given selection
successively.\n"
+ "\n"
+ ;
+@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char
*argv[], char *mp, char *mode, uint32
+ /*NOTREACHED*/
+ }
+ }
+- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are
mutually exclusive) --*/
+- char XY, Z, R;
++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are
mutually exclusive) --*/
++ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data-
crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
+- if ((XY && Z) || (XY && R) || (Z && R)) {
+- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are
mutually exclusive.->Exit");
++ S = (page->mode & PAGE_MODE_ROWSCOLS);
++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S))
{
++ TIFFError("tiffcrop input error", "The crop options(-X|-Y),
++ -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
+ } /* end process_command_opts */
+--
+2.34.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-
multimedia/libtiff/tiff_4.4.0.bb
index e30df0b3e9..caf6f60479 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
file://CVE-2022-34526.patch \
+ file://CVE-2022-2953.patch \
"

SRC_URI[sha256sum] =
"917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed
"
--
2.37.3
--
# Randy MacLeod
# Wind River Linux


Steve Sakoman
 

On Wed, Oct 19, 2022 at 11:07 AM Randy MacLeod
<randy.macleod@...> wrote:

On 2022-10-19 15:32, Qiu, Zheng wrote:
kirkstone now has tiff version 4.3.0.

As described in https://nvd.nist.gov/vuln/detail/CVE-2022-2953, this issue is reported here: https://gitlab.com/libtiff/libtiff/-/issues/414

Tested with libtiff source code on version 4.3.0 by using " /libtiff$ git checkout v3.3.0", and follow the step listed in the bug report, cannot reproduce the bug.

Use " /libtiff$ git checkout b51bb157", is able to reproduce the problem following step listed above. That confirms the issue occurred after v3.3.0, and the commit that brings the bug is not on kirkstone, which means the issue/fix is not applicable for kirkstone.
Hold on...

We also checked, because I'm paranoid, by doing:

$ cd .../poky-contrib.git
$ git checkout stable/kirkstone-nut
$ git pull
$ cd ...
$ . ../poky-contrib.git/tiff-patches
$ bitbake -c patch tiff

$ mkdir cp-tiff-patch-by-bb-kirkstone-nut
$ cp -a tmp/work/core2-64-poky-linux/tiff/4.3.0-r0
cp-tiff-patch-by-bb-kirkstone-nut/
$ cd cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0
$ ./autogen.sh
$ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g
-fsanitize=address -fno-omit-frame-pointer" ./configure
--prefix=$PWD/build_asan --disable-shared
$ make -j; make install; make clean
$ wget
https://gitlab.com/libtiff/libtiff/uploads/54e5139c4d9d6b740f537c691aad2b03/poc
$ ./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -S 2:2 -i poc /tmp/foo

and a very similar issue still occurs.

See log below. We'll investigate more and send a patch as needed.
Thanks Randy. I'm pretty sure I didn't take the referenced patch
because it was for a version of tiff not in kirkstone.

But I don't see an email from me explaining why, so my bad :-( I
usually try to give feedback when a patch isn't taken.

Steve


We will enable the address sanitizer and check if the issue
is reproducible in qemux86-64.

../Randy


...

loadImage: Image lacks Photometric interpretation tag.
TIFFFillStrip: Read error on strip 0; got 672 bytes, expected 1142418.
=================================================================
==269609==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7fd1864ff695 at pc 0x55de6ca63f9a bp 0x7ffe727049a0 sp 0x7ffe72704990
READ of size 1 at 0x7fd1864ff695 thread T0
#0 0x55de6ca63f99 in extractImageSection
/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897
#1 0x55de6ca6515a in writeImageSections
/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:7085
#2 0x55de6ca4abe9 in main
/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2453
#3 0x7fd189b39d8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#4 0x7fd189b39e3f in __libc_start_main_impl ../csu/libc-start.c:392
#5 0x55de6ca413a4 in _start
(/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/build_asan/bin/tiffcrop+0x2a3a4)

0x7fd1864ff695 is located 0 bytes to the right of 1142421-byte region
[0x7fd1863e8800,0x7fd1864ff695)
allocated by thread T0 here:
#0 0x7fd18a0a1867 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55de6cadcd83 in _TIFFmalloc
/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/libtiff/tif_unix.c:314
#2 0x55de6ca41543 in limitMalloc
/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:627
#3 0x55de6ca61299 in loadImage
/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6212
#4 0x55de6ca4a4a1 in main
/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2376
#5 0x7fd189b39d8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow
/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897
in extractImageSection
Shadow bytes around the buggy address:
0x0ffab0c97e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffab0c97e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffab0c97ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffab0c97eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffab0c97ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffab0c97ed0: 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffab0c97ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffab0c97ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffab0c97f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffab0c97f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffab0c97f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==269609==ABORTING


Zheng Qiu
Linux Developer
_______________
Wind River
M/ (437) 341-1849

-----Original Message-----
From: openembedded-core@... <openembedded-
core@...> On Behalf Of Teoh, Jay Shen
Sent: Thursday, September 29, 2022 4:33 AM
To: openembedded-core@...
Subject: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for CVE-2022-2953

[Please note: This e-mail is from an EXTERNAL e-mail address]

From: Teoh Jay Shen <jay.shen.teoh@...>

Link for the patch : https://gitlab.com/libtiff/libtiff/-
/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3

Signed-off-by: Teoh Jay Shen <jay.shen.teoh@...>
---
.../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 +
2 files changed, 87 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-
2953.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
new file mode 100644
index 0000000000..2122b46566
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2022-2953
+Upstream-Status: Backport
+Signed-off-by: Teoh Jay Shen <jay.shen.teoh@...>
+
+From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00
2001
+From: Su_Laus <sulau@...>
+Date: Mon, 15 Aug 2022 22:11:03 +0200
+Subject: [PATCH]
+=?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?=
+
+=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20
+ti?=
+=?UTF-8?q?ffcrop=20option=20=E2=80=9E-
S=E2=80=9C=20is=20also=20mutually
+?=
+=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|-
Y),=2
+0-?=
+ =?UTF-8?q?Z=20and=20-z.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is now checked and ends tiffcrop if those arguments are not mutually
exclusive.
+
+This MR will fix the following tiffcrop issues: #349, #414, #422, #423,
+#424
+---
+ tools/tiffcrop.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index
+90286a5e..c3b758ec 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
+ #define ROTATECW_270 32
+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
+
+-#define CROP_NONE 0
+-#define CROP_MARGINS 1
+-#define CROP_WIDTH 2
+-#define CROP_LENGTH 4
+-#define CROP_ZONES 8
+-#define CROP_REGIONS 16
++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page-
rows/->cols != 0 */
++#define CROP_MARGINS 1 /* "-m" */
++#define CROP_WIDTH 2 /* "-X" */
++#define CROP_LENGTH 4 /* "-Y" */
++#define CROP_ZONES 8 /* "-Z" */
++#define CROP_REGIONS 16 /* "-z" */
+ #define CROP_ROTATE 32
+ #define CROP_MIRROR 64
+ #define CROP_INVERT 128
+@@ -316,7 +316,7 @@ struct crop_mask {
+ #define PAGE_MODE_RESOLUTION 1
+ #define PAGE_MODE_PAPERSIZE 2
+ #define PAGE_MODE_MARGINS 4
+-#define PAGE_MODE_ROWSCOLS 8
++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
+
+ #define INVERT_DATA_ONLY 10
+ #define INVERT_DATA_AND_TAG 11
+@@ -781,7 +781,7 @@ static const char usage_info[] =
+ " The four debug/dump options are independent, though it makes
little sense to\n"
+ " specify a dump file without specifying a detail level.\n"
+ "\n"
+-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+ " In no case should the options be applied to a given selection
successively.\n"
+ "\n"
+ ;
+@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char
*argv[], char *mp, char *mode, uint32
+ /*NOTREACHED*/
+ }
+ }
+- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are
mutually exclusive) --*/
+- char XY, Z, R;
++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are
mutually exclusive) --*/
++ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data-
crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
+- if ((XY && Z) || (XY && R) || (Z && R)) {
+- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are
mutually exclusive.->Exit");
++ S = (page->mode & PAGE_MODE_ROWSCOLS);
++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S))
{
++ TIFFError("tiffcrop input error", "The crop options(-X|-Y),
++ -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
+ } /* end process_command_opts */
+--
+2.34.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-
multimedia/libtiff/tiff_4.4.0.bb
index e30df0b3e9..caf6f60479 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
file://CVE-2022-34526.patch \
+ file://CVE-2022-2953.patch \
"

SRC_URI[sha256sum] =
"917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed
"
--
2.37.3

--
# Randy MacLeod
# Wind River Linux