tiff: fix CVE-2025-8176

A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8176 Upstream patches: https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0 (From OE-Core rev: 5dbc4ccce8676b016de8c1393c2f0d0f74eb9337) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2025-08-06 17:54:12 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-08-18 13:18:01 -0700
commit: c2581b7811559bd2220b1d06c027ff612e5295e9 (patch)
tree: 22ee564b6b2660178150710717c34414784e23cb
parent: 81ab000fa437ca04f584a3327b076f7a512dc6d0 (diff)
download: poky-c2581b7811559bd2220b1d06c027ff612e5295e9.tar.gz
4 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch
new file mode 100644
index 0000000000..83dc695528
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch
@@ -0,0 +1,61 @@
+From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH] Don't skip the first line of the input image.  Addresses
+ issue #703
+CVE: CVE-2025-8176
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index 062fd60..d352554 100644
+--- a/tools/tiffdither.c
+++ b/tools/tiffdither.c
+@@ -95,7 +95,7 @@ fsdither(TIFF* in, TIFF* out)
+        nextptr = nextline;
+        for (j = 0; j < imagewidth; ++j)
+                *nextptr++ = *inptr++;
+-       for (i = 1; i < imagelength; ++i) {
+       for (i = 0; i < imagelength; ++i) {
+                tmpptr = thisline;
+                thisline = nextline;
+                nextline = tmpptr;
+@@ -138,7 +138,7 @@ fsdither(TIFF* in, TIFF* out)
+                                        nextptr[0] += v / 16;
+                        }
+                }
+-               if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+               if (TIFFWriteScanline(out, outline, i, 0) < 0)
+                        goto skip_on_error;
+        }
+        goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 93a1741..93e57cf 100644
+--- a/tools/tiffmedian.c
+++ b/tools/tiffmedian.c
+@@ -844,7 +844,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+        outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+        GetInputLine(in, 0, goto bad);          /* get first line */
+-       for (i = 1; i <= imagelength; ++i) {
+       for (i = 0; i <= imagelength; ++i) {
+                SWAP(short *, thisline, nextline);
+                lastline = (i >= imax);
+                if (i <= imax)
+@@ -915,7 +915,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+                                nextptr += 3;
+                        }
+                }
+-               if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+               if (TIFFWriteScanline(out, outline, i, 0) < 0)
+                        break;
+        }
+ bad:
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch
new file mode 100644
index 0000000000..c28969e1d8
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch
@@ -0,0 +1,31 @@
+From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:25:16 -0700
+Subject: [PATCH] Fix tiffmedian bug #707
+CVE: CVE-2025-8176
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffmedian.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 93e57cf..a0b4b5d 100644
+--- a/tools/tiffmedian.c
+++ b/tools/tiffmedian.c
+@@ -385,7 +385,10 @@ get_histogram(TIFF* in, Colorbox* box)
+        }
+        for (i = 0; i < imagelength; i++) {
+                if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-                       break;
+                {
+                    fprintf(stderr, "Error reading scanline\n");
+                    exit(EXIT_FAILURE);
+                }
+                inptr = inputline;
+                for (j = imagewidth; j-- > 0;) {
+                        red = (*inptr++) & 0xff >> COLOR_SHIFT;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch
new file mode 100644
index 0000000000..b5ee36c5b8
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch
@@ -0,0 +1,28 @@
+From ecc4ddbf1f0fed7957d1e20361e37f01907898e0 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:38:09 -0700
+Subject: [PATCH] conflict resolution
+CVE: CVE-2025-8176
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffmedian.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index a0b4b5d..ca1c51f 100644
+--- a/tools/tiffmedian.c
+++ b/tools/tiffmedian.c
+@@ -847,7 +847,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+        outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+        GetInputLine(in, 0, goto bad);          /* get first line */
+-       for (i = 0; i <= imagelength; ++i) {
+       for (i = 0; i < imagelength; ++i) {
+                SWAP(short *, thisline, nextline);
+                lastline = (i >= imax);
+                if (i <= imax)
+--
+2.40.0
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 5ec7b20e61..6ff31bd0bb 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -55,6 +55,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-6277-4.patch \
           file://CVE-2024-7006.patch \
           file://CVE-2023-3164.patch \
+           file://CVE-2025-8176-0001.patch \
+           file://CVE-2025-8176-0002.patch \
+           file://CVE-2025-8176-0003.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Yogita Urade <yogita.urade@windriver.com>	2025-08-06 17:54:12 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-08-18 13:18:01 -0700
commit	c2581b7811559bd2220b1d06c027ff612e5295e9 (patch)
tree	22ee564b6b2660178150710717c34414784e23cb
parent	81ab000fa437ca04f584a3327b076f7a512dc6d0 (diff)
download	poky-c2581b7811559bd2220b1d06c027ff612e5295e9.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch new file mode 100644 index 0000000000..83dc695528 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch
@@ -0,0 +1,61 @@
		1	From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Mon, 19 May 2025 10:53:30 -0700
		4	Subject: [PATCH] Don't skip the first line of the input image. Addresses
		5	issue #703
		6
		7	CVE: CVE-2025-8176
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa]
		9
		10	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		11	---
		12	tools/tiffdither.c \| 4 ++--
		13	tools/tiffmedian.c \| 4 ++--
		14	2 files changed, 4 insertions(+), 4 deletions(-)
		15
		16	diff --git a/tools/tiffdither.c b/tools/tiffdither.c
		17	index 062fd60..d352554 100644
		18	--- a/tools/tiffdither.c
		19	+++ b/tools/tiffdither.c
		20	@@ -95,7 +95,7 @@ fsdither(TIFF* in, TIFF* out)
		21	nextptr = nextline;
		22	for (j = 0; j < imagewidth; ++j)
		23	nextptr++ = inptr++;
		24	- for (i = 1; i < imagelength; ++i) {
		25	+ for (i = 0; i < imagelength; ++i) {
		26	tmpptr = thisline;
		27	thisline = nextline;
		28	nextline = tmpptr;
		29	@@ -138,7 +138,7 @@ fsdither(TIFF* in, TIFF* out)
		30	nextptr[0] += v / 16;
		31	}
		32	}
		33	- if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
		34	+ if (TIFFWriteScanline(out, outline, i, 0) < 0)
		35	goto skip_on_error;
		36	}
		37	goto exit_label;
		38	diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
		39	index 93a1741..93e57cf 100644
		40	--- a/tools/tiffmedian.c
		41	+++ b/tools/tiffmedian.c
		42	@@ -844,7 +844,7 @@ quant_fsdither(TIFF* in, TIFF* out)
		43	outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
		44
		45	GetInputLine(in, 0, goto bad); /* get first line */
		46	- for (i = 1; i <= imagelength; ++i) {
		47	+ for (i = 0; i <= imagelength; ++i) {
		48	SWAP(short *, thisline, nextline);
		49	lastline = (i >= imax);
		50	if (i <= imax)
		51	@@ -915,7 +915,7 @@ quant_fsdither(TIFF* in, TIFF* out)
		52	nextptr += 3;
		53	}
		54	}
		55	- if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
		56	+ if (TIFFWriteScanline(out, outline, i, 0) < 0)
		57	break;
		58	}
		59	bad:
		60	--
		61	2.40.0


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch new file mode 100644 index 0000000000..c28969e1d8 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch
@@ -0,0 +1,31 @@
		1	From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Sat, 24 May 2025 21:25:16 -0700
		4	Subject: [PATCH] Fix tiffmedian bug #707
		5
		6	CVE: CVE-2025-8176
		7	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda]
		8
		9	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		10	---
		11	tools/tiffmedian.c \| 5 ++++-
		12	1 file changed, 4 insertions(+), 1 deletion(-)
		13
		14	diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
		15	index 93e57cf..a0b4b5d 100644
		16	--- a/tools/tiffmedian.c
		17	+++ b/tools/tiffmedian.c
		18	@@ -385,7 +385,10 @@ get_histogram(TIFF* in, Colorbox* box)
		19	}
		20	for (i = 0; i < imagelength; i++) {
		21	if (TIFFReadScanline(in, inputline, i, 0) <= 0)
		22	- break;
		23	+ {
		24	+ fprintf(stderr, "Error reading scanline\n");
		25	+ exit(EXIT_FAILURE);
		26	+ }
		27	inptr = inputline;
		28	for (j = imagewidth; j-- > 0;) {
		29	red = (*inptr++) & 0xff >> COLOR_SHIFT;
		30	--
		31	2.40.0


diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch new file mode 100644 index 0000000000..b5ee36c5b8 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch
@@ -0,0 +1,28 @@
		1	From ecc4ddbf1f0fed7957d1e20361e37f01907898e0 Mon Sep 17 00:00:00 2001
		2	From: Lee Howard <faxguy@howardsilvan.com>
		3	Date: Sat, 24 May 2025 21:38:09 -0700
		4	Subject: [PATCH] conflict resolution
		5
		6	CVE: CVE-2025-8176
		7	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0]
		8
		9	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		10	---
		11	tools/tiffmedian.c \| 2 +-
		12	1 file changed, 1 insertion(+), 1 deletion(-)
		13
		14	diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
		15	index a0b4b5d..ca1c51f 100644
		16	--- a/tools/tiffmedian.c
		17	+++ b/tools/tiffmedian.c
		18	@@ -847,7 +847,7 @@ quant_fsdither(TIFF* in, TIFF* out)
		19	outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
		20
		21	GetInputLine(in, 0, goto bad); /* get first line */
		22	- for (i = 0; i <= imagelength; ++i) {
		23	+ for (i = 0; i < imagelength; ++i) {
		24	SWAP(short *, thisline, nextline);
		25	lastline = (i >= imax);
		26	if (i <= imax)
		27	--
		28	2.40.0


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 5ec7b20e61..6ff31bd0bb 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -55,6 +55,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
55	file://CVE-2023-6277-4.patch \	55	file://CVE-2023-6277-4.patch \
56	file://CVE-2024-7006.patch \	56	file://CVE-2024-7006.patch \
57	file://CVE-2023-3164.patch \	57	file://CVE-2023-3164.patch \
		58	file://CVE-2025-8176-0001.patch \
		59	file://CVE-2025-8176-0002.patch \
		60	file://CVE-2025-8176-0003.patch \
58	"	61	"
59		62
60	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	63	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"