2 files changed, 163 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0795_0796_0797_0798_0799.patch
new file mode 100644
index 0000000000..498d5ec8ab
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0795_0796_0797_0798_0799.patch
@@ -0,0 +1,162 @@
+From 7808740e100ba30ffb791044f3b14dec3e85ed6f Mon Sep 17 00:00:00 2001
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 21 Feb 2023 14:26:43 +0100
+Subject: [PATCH] CVE-2023-0795
+This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
+CVE-2023-0799.
+Bug-Debian: https://bugs.debian.org/1031632
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index adf0f84..deba170 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -269,7 +269,6 @@ struct  region {
+   uint32_t width;     /* width in pixels */
+   uint32_t length;    /* length in pixels */
+   uint32_t buffsize;  /* size of buffer needed to hold the cropped region */
+-  unsigned char *buffptr; /* address of start of the region */
+ };
+ 
+ /* Cropping parameters from command line and image data 
+@@ -524,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
+ static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
+                                      uint32_t, uint32_t, uint8_t *, uint8_t *);
+ static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
+-                       unsigned char **);
+                       unsigned char **, int);
+ static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+                        unsigned char *);
+ static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
+@@ -5219,7 +5218,6 @@ initCropMasks (struct crop_mask *cps)
+      cps->regionlist[i].width = 0;
+      cps->regionlist[i].length = 0;
+      cps->regionlist[i].buffsize = 0;
+-     cps->regionlist[i].buffptr = NULL;
+      cps->zonelist[i].position = 0;
+      cps->zonelist[i].total = 0;
+      }
+@@ -6511,8 +6509,13 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
+                  (uint16_t) (image->adjustments & ROTATE_ANY));
+       return (-1);
+       }
+- 
+-    if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+
+      /* Dummy variable in order not to switch two times the
+       * image->width,->length within rotateImage(),
+       * but switch xres, yres there. */
+      uint32_t width = image->width;
+      uint32_t length = image->length;
+      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
+       {
+       TIFFError ("correct_orientation", "Unable to rotate image");
+       return (-1);
+@@ -6580,7 +6583,6 @@ extractCompositeRegions(struct image_data *image,  struct crop_mask *crop,
+     /* These should not be needed for composite images */
+     crop->regionlist[i].width = crop_width;
+     crop->regionlist[i].length = crop_length;
+-    crop->regionlist[i].buffptr = crop_buff;
+ 
+     src_rowsize = ((img_width * bps * spp) + 7) / 8;
+     dst_rowsize = (((crop_width * bps * count) + 7) / 8);
+@@ -6817,7 +6819,6 @@ extractSeparateRegion(struct image_data *image,  struct crop_mask *crop,
+ 
+   crop->regionlist[region].width = crop_width;
+   crop->regionlist[region].length = crop_length;
+-  crop->regionlist[region].buffptr = crop_buff;
+ 
+   src = read_buff;
+   dst = crop_buff;
+@@ -7695,7 +7696,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+     if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+       {
+       if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                      &crop->combined_length, &crop_buff))
+                      &crop->combined_length, &crop_buff, FALSE))
+         {
+         TIFFError("processCropSelections", 
+                   "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
+@@ -7805,7 +7806,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+            * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
+            */
+        if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, 
+-                       &crop->regionlist[i].length, &crop_buff))
+                       &crop->regionlist[i].length, &crop_buff, FALSE))
+           {
+           TIFFError("processCropSelections", 
+                     "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
+@@ -7937,7 +7938,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+     if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                    &crop->combined_length, crop_buff_ptr))
+                    &crop->combined_length, crop_buff_ptr, TRUE))
+       {
+       TIFFError("createCroppedImage", 
+                 "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
+@@ -8600,7 +8601,7 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+-            uint32_t *img_length, unsigned char **ibuff_ptr)
+            uint32_t *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+   {
+   int      shift_width;
+   uint32_t   bytes_per_pixel, bytes_per_sample;
+@@ -8791,11 +8792,15 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+ 
+               *img_width = length;
+               *img_length = width;
+-              image->width = length;
+-              image->length = width;
+-              res_temp = image->xres;
+-              image->xres = image->yres;
+-              image->yres = res_temp;
+            /* Only toggle image parameters if whole input image is rotated. */
+            if (rot_image_params)
+            {
+                image->width = length;
+                image->length = width;
+                res_temp = image->xres;
+                image->xres = image->yres;
+                image->yres = res_temp;
+            }
+              break;
+ 
+     case 270: if ((bps % 8) == 0) /* byte aligned data */
+@@ -8868,11 +8873,15 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+ 
+               *img_width = length;
+               *img_length = width;
+-              image->width = length;
+-              image->length = width;
+-              res_temp = image->xres;
+-              image->xres = image->yres;
+-              image->yres = res_temp;
+            /* Only toggle image parameters if whole input image is rotated. */
+            if (rot_image_params)
+            {
+                image->width = length;
+                image->length = width;
+                res_temp = image->xres;
+                image->xres = image->yres;
+                image->yres = res_temp;
+            }
+               break;
+     default:
+               break;
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 4bd485a10a..2be25756bc 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
           file://CVE-2022-48281.patch \
           file://CVE-2023-0800_0801_0802_0803_0804.patch \
+           file://CVE-2023-0795_0796_0797_0798_0799.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0795_0796_0797_0798_0799.patch new file mode 100644 index 0000000000..498d5ec8ab --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0795_0796_0797_0798_0799.patch
@@ -0,0 +1,162 @@
		1	From 7808740e100ba30ffb791044f3b14dec3e85ed6f Mon Sep 17 00:00:00 2001
		2	From: Markus Koschany <apo@debian.org>
		3	Date: Tue, 21 Feb 2023 14:26:43 +0100
		4	Subject: [PATCH] CVE-2023-0795
		5
		6	This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
		7	CVE-2023-0799.
		8
		9	Bug-Debian: https://bugs.debian.org/1031632
		10	Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
		11
		12	Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
		13	CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
		14	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		15
		16	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		17	---
		18	tools/tiffcrop.c \| 51 ++++++++++++++++++++++++++++--------------------
		19	1 file changed, 30 insertions(+), 21 deletions(-)
		20
		21	diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
		22	index adf0f84..deba170 100644
		23	--- a/tools/tiffcrop.c
		24	+++ b/tools/tiffcrop.c
		25	@@ -269,7 +269,6 @@ struct region {
		26	uint32_t width; /* width in pixels */
		27	uint32_t length; /* length in pixels */
		28	uint32_t buffsize; /* size of buffer needed to hold the cropped region */
		29	- unsigned char buffptr; / address of start of the region */
		30	};
		31
		32	/* Cropping parameters from command line and image data
		33	@@ -524,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
		34	static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
		35	uint32_t, uint32_t, uint8_t , uint8_t );
		36	static int rotateImage(uint16_t, struct image_data , uint32_t , uint32_t *,
		37	- unsigned char **);
		38	+ unsigned char **, int);
		39	static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		40	unsigned char *);
		41	static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
		42	@@ -5219,7 +5218,6 @@ initCropMasks (struct crop_mask *cps)
		43	cps->regionlist[i].width = 0;
		44	cps->regionlist[i].length = 0;
		45	cps->regionlist[i].buffsize = 0;
		46	- cps->regionlist[i].buffptr = NULL;
		47	cps->zonelist[i].position = 0;
		48	cps->zonelist[i].total = 0;
		49	}
		50	@@ -6511,8 +6509,13 @@ static int correct_orientation(struct image_data image, unsigned char *work_b
		51	(uint16_t) (image->adjustments & ROTATE_ANY));
		52	return (-1);
		53	}
		54	-
		55	- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
		56	+
		57	+ /* Dummy variable in order not to switch two times the
		58	+ * image->width,->length within rotateImage(),
		59	+ * but switch xres, yres there. */
		60	+ uint32_t width = image->width;
		61	+ uint32_t length = image->length;
		62	+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
		63	{
		64	TIFFError ("correct_orientation", "Unable to rotate image");
		65	return (-1);
		66	@@ -6580,7 +6583,6 @@ extractCompositeRegions(struct image_data image, struct crop_mask crop,
		67	/* These should not be needed for composite images */
		68	crop->regionlist[i].width = crop_width;
		69	crop->regionlist[i].length = crop_length;
		70	- crop->regionlist[i].buffptr = crop_buff;
		71
		72	src_rowsize = ((img_width * bps * spp) + 7) / 8;
		73	dst_rowsize = (((crop_width * bps * count) + 7) / 8);
		74	@@ -6817,7 +6819,6 @@ extractSeparateRegion(struct image_data image, struct crop_mask crop,
		75
		76	crop->regionlist[region].width = crop_width;
		77	crop->regionlist[region].length = crop_length;
		78	- crop->regionlist[region].buffptr = crop_buff;
		79
		80	src = read_buff;
		81	dst = crop_buff;
		82	@@ -7695,7 +7696,7 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		83	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		84	{
		85	if (rotateImage(crop->rotation, image, &crop->combined_width,
		86	- &crop->combined_length, &crop_buff))
		87	+ &crop->combined_length, &crop_buff, FALSE))
		88	{
		89	TIFFError("processCropSelections",
		90	"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
		91	@@ -7805,7 +7806,7 @@ processCropSelections(struct image_data image, struct crop_mask crop,
		92	* ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
		93	*/
		94	if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
		95	- &crop->regionlist[i].length, &crop_buff))
		96	+ &crop->regionlist[i].length, &crop_buff, FALSE))
		97	{
		98	TIFFError("processCropSelections",
		99	"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
		100	@@ -7937,7 +7938,7 @@ createCroppedImage(struct image_data image, struct crop_mask crop,
		101	if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
		102	{
		103	if (rotateImage(crop->rotation, image, &crop->combined_width,
		104	- &crop->combined_length, crop_buff_ptr))
		105	+ &crop->combined_length, crop_buff_ptr, TRUE))
		106	{
		107	TIFFError("createCroppedImage",
		108	"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
		109	@@ -8600,7 +8601,7 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
		110	/* Rotate an image by a multiple of 90 degrees clockwise */
		111	static int
		112	rotateImage(uint16_t rotation, struct image_data image, uint32_t img_width,
		113	- uint32_t img_length, unsigned char *ibuff_ptr)
		114	+ uint32_t img_length, unsigned char *ibuff_ptr, int rot_image_params)
		115	{
		116	int shift_width;
		117	uint32_t bytes_per_pixel, bytes_per_sample;
		118	@@ -8791,11 +8792,15 @@ rotateImage(uint16_t rotation, struct image_data image, uint32_t img_width,
		119
		120	*img_width = length;
		121	*img_length = width;
		122	- image->width = length;
		123	- image->length = width;
		124	- res_temp = image->xres;
		125	- image->xres = image->yres;
		126	- image->yres = res_temp;
		127	+ /* Only toggle image parameters if whole input image is rotated. */
		128	+ if (rot_image_params)
		129	+ {
		130	+ image->width = length;
		131	+ image->length = width;
		132	+ res_temp = image->xres;
		133	+ image->xres = image->yres;
		134	+ image->yres = res_temp;
		135	+ }
		136	break;
		137
		138	case 270: if ((bps % 8) == 0) /* byte aligned data */
		139	@@ -8868,11 +8873,15 @@ rotateImage(uint16_t rotation, struct image_data image, uint32_t img_width,
		140
		141	*img_width = length;
		142	*img_length = width;
		143	- image->width = length;
		144	- image->length = width;
		145	- res_temp = image->xres;
		146	- image->xres = image->yres;
		147	- image->yres = res_temp;
		148	+ /* Only toggle image parameters if whole input image is rotated. */
		149	+ if (rot_image_params)
		150	+ {
		151	+ image->width = length;
		152	+ image->length = width;
		153	+ res_temp = image->xres;
		154	+ image->xres = image->yres;
		155	+ image->yres = res_temp;
		156	+ }
		157	break;
		158	default:
		159	break;
		160	--
		161	2.25.1
		162


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 4bd485a10a..2be25756bc 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
34	file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \	34	file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
35	file://CVE-2022-48281.patch \	35	file://CVE-2022-48281.patch \
36	file://CVE-2023-0800_0801_0802_0803_0804.patch \	36	file://CVE-2023-0800_0801_0802_0803_0804.patch \
		37	file://CVE-2023-0795_0796_0797_0798_0799.patch \
37	"	38	"
38		39
39	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	40	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"