diff options
| author | Patrick Williams <patrick@stwcx.xyz> | 2022-04-21 22:36:50 +0300 |
|---|---|---|
| committer | Patrick Williams <patrick@stwcx.xyz> | 2022-04-21 22:37:46 +0300 |
| commit | a515de07dfa9eda7a303af296666e2572e581df7 (patch) | |
| tree | e2a372f00be0586f0f420f06913c7bba48199dd9 /poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch | |
| parent | 5ffb1169cb6b3ed547d1b882cd9340cc7b7b6f07 (diff) | |
| download | openbmc-a515de07dfa9eda7a303af296666e2572e581df7.tar.xz | |
subtree updates
meta-openembedded: c05ae80ba6..9a0caf5b09:
Armin Kuster (1):
pw-am.sh: update to new patcwork system
Changqing Li (1):
zabbix: Fix sereval CVEs
Christian Eggers (2):
ebtables: remove perl from RDEPENDS
graphviz: native: create /usr/lib/graphviz/config6 in populate_sysroot
Jeremy A. Puhlman (1):
cdrkit: remove ${PN} from ${PN}-dev RDEPENDS
Kartikey Rameshbhai Parmar (1):
imagemagick: update SRC_URI branch to main
Martin Jansa (1):
htop: switch branch from master to main
Ovidiu Panait (1):
syslog-ng: adjust control socket location
Peter Kjellerstedt (2):
libsrtp: Switch branch from master to main
net-snmp: Avoid running `make clean` as it may fail
Thomas Perrot (1):
breakpad: fix branch for gtest in SRC_URI
Trevor Gamblin (3):
python3-django: upgrade 2.2.24 -> 2.2.27
python3-django: upgrade 3.2.10 -> 3.2.12
python3-lxml: upgrade 4.6.3 -> 4.6.5
Yi Zhao (1):
apache2: upgrade 2.4.52 -> 2.4.53
poky: e0ab08bb6a..eff78b3802:
Alexander Kanavin (5):
ruby: update 3.0.2 -> 3.0.3
libarchive: upgrade 3.5.1 -> 3.5.2
devtool: explicitly set main or master branches in upgrades when available
util-linux: update 2.37.2 -> 2.37.3
util-linux: upgrade 2.37.3 -> 2.37.4
Anuj Mittal (3):
poky.conf: bump version for 3.4.3 honister release
documentation: prepare for 3.4.3 release
crate-fetch: fix setscene failures
Bill Pittman (1):
wic: Use custom kernel path if provided
Bruce Ashfield (13):
linux-yocto/5.10: update to v5.10.96
linux-yocto/5.10: update to v5.10.99
linux-yocto/5.10: ppc/riscv: fix build with binutils 2.3.8
linux-yocto/5.10: fix dssall build error with binutils 2.3.8
linux-yocto/5.10: features/zram: remove CONFIG_ZRAM_DEF_COMP
linux-yocto/5.10: update to v5.10.101
linux-yocto/5.10: Fix ramoops/ftrace
linux-yocto/5.10: update to v5.10.103
linux-yocto: nohz_full boot arg fix
linux-yocto/5.10: split vtpm for more granular inclusion
linux-yocto/5.10: cfg/debug: add configs for kcsan
linux-yocto-rt/5.10: update to -rt61
linux-yocto/5.10: update to v5.10.107
Chee Yang Lee (3):
ghostscript: fix CVE-2021-3781
go: update to 1.16.15
webkitgtk: update to 2.32.4
Christian Eggers (3):
mc: fix build if ncurses have been configured without wide characters
sdk: fix search for dynamic loader
gcsections: add nativesdk-cairo to exclude list
Daniel Gomez (1):
bitbake: contrib: Fix hash server Dockerfile dependencies
Daniel Müller (1):
scripts/runqemu-ifdown: Don't treat the last iptables command as special
Daniel Wagenknecht (1):
bitbake: fetch2: ssh: username and password are optional
Florian Amstutz (1):
devtool: deploy-target: Remove stripped binaries in pseudo context
Joe Slater (3):
virglrenderer: fix CVE-2022-0135 and -0175
zip: modify when match.S is built
libxml2: fix CVE-2022-23308 regression
Jose Quaresma (13):
gstreamer1.0: 1.18.5 -> 1.18.6
gstreamer1.0-plugins-base: 1.18.5 -> 1.18.6
gstreamer1.0-plugins-good: 1.18.5 -> 1.18.6
gstreamer1.0-plugins-bad: 1.18.5 -> 1.18.6
gstreamer1.0-plugins-ugly: 1.18.5 -> 1.18.6
gstreamer1.0-vaapi: 1.18.5 -> 1.18.6
gstreamer1.0-libav: 1.18.5 -> 1.18.6
gstreamer1.0-omx: 1.18.5 -> 1.18.6
gstreamer1.0-rtsp-server: 1.18.5 -> 1.18.6
gstreamer1.0-python: 1.18.5 -> 1.18.6
gst-devtools: 1.18.5 -> 1.18.6
gst-examples: 1.18.5 -> 1.18.6
sstate: inside the threadedpool don't write to the shared localdata
Justin Bronder (1):
initramfs-framework: unmount automounts before switch_root
Lee Chee Yang (2):
libarchive : update to 3.5.3
ghostscript: fix CVE-2021-45949
Michael Halstead (3):
releases: update to include 3.4.2
uninative: Upgrade to 3.5
releases: update to include 3.3.5
Michael Opdenacker (3):
documentation: conf.py: update for 3.4.2
docs: fix hardcoded link warning messages
conf/machine: fix QEMU x86 sound options
Minjae Kim (2):
gnu-config: update SRC_URI
virglrenderer: update SRC_URI
Oleksandr Ocheretnyi (1):
kernel-devsrc: do not copy Module.symvers file during install
Oleksandr Suvorov (1):
depmodwrapper-cross: add config directory option
Pavel Zhukov (1):
patch.py: Prevent git repo reinitialization
Peter Kjellerstedt (2):
selftest: recipetool: Correct the URI for socat
oe-pkgdata-util: Adapt to the new variable override syntax
Ralph Siemsen (2):
libxml2: move to gitlab.gnome.org
libxml2: update to 2.9.13
Richard Purdie (26):
bitbake: tests/fetch: Handle upstream master -> main branch change
vim: Upgrade 4269 -> 4134
binutils: Add fix for CVE-2021-45078
default-distrovars.inc: Switch connectivity check to a yoctoproject.org page
oeqa/buildtools: Switch to our webserver instead of example.com
expat: Upgrade 2.4.4 -> 2.4.5
vim: Upgrade 8.2.4314 -> 8.2.4424
tiff: Add backports for two CVEs from upstream
expat: Upgrade 2.4.5 -> 2.4.6
perl: Improve and update module RPDEPENDS
libxml-parser-perl: Add missing RDEPENDS
expat: Upgrade 2.4.6 -> 2.4.7
bitbake: data_smart: Fix overrides file/line message additions
bitbake: cooker: Improve parsing failure from handled exception usability
bitbake: utils: Ensure shell function failure in python logging is correct
vim: Update to 8.2.4524 for further CVE fixes
build-appliance-image: Update to honister head revision
bitbake: build: Tweak exception handling for setscene tasks
build-appliance-image: Update to honister head revision
toaster: Fix broken overrides usage
bitbake: server/xmlrpcserver: Add missing xmlrpcclient import
bitbake: toaster: Fix IMAGE_INSTALL issues with _append vs :append
pseudo: Add patch to workaround paths with crazy lengths
sanity: Add warning for local hasheqiv server with remote sstate mirrors
bitbake: server/process: Disable gc around critical section
conf.py/poky.yaml: Move version information to poky.yaml and read in conf.py
Robert Yang (2):
quilt: Disable external sendmail for deterministic build
cups: Add --with-dbusdir to EXTRA_OECONF for deterministic build
Ross Burton (9):
coreutils: remove obsolete ignored CVE list
cve-check: get_cve_info should open the database read-only
Revert "cve-check: add lockfile to task"
asciidoc: update git repository
devupstream: fix handling of SRC_URI
tiff: backport CVE fixes:
grub: ignore CVE-2021-46705
oeqa/selftest/devtool: ensure Git username is set before upgrade tests
zlib: backport the fix for CVE-2018-25032
Sakib Sajal (1):
go: upgrade 1.16.13 -> 1.16.14
Saul Wold (1):
recipetool: Fix circular reference in SRC_URI
Sean Anderson (1):
libpcap: Disable DPDK explicitly
Stefan Herbrechtsmeier (2):
cve-check: create directory of CVE_CHECK_MANIFEST before copy
gcc-target: fix glob to remove gcc-<version> binary
Tamizharasan Kumar (1):
linux-yocto/5.10: update genericx86* machines to v5.10.99
Tean Cunningham (1):
rootfs-postcommands: amend systemd_create_users add user to group check
Tim Orling (1):
bitbake: toaster: fixtures replace gatesgarth
Zoltán Böszörményi (1):
qemuboot: Fix build error if UNINATIVE_LOADER is unset
pgowda (1):
gcc : Fix CVE-2021-46195
wangmy (4):
linux-firmware: upgrade 20211216 -> 20220209
harfbuzz: upgrade 2.9.0 -> 2.9.1
wireless-regdb: upgrade 2021.08.28 -> 2022.02.18
linux-firmware: upgrade 20220209 -> 20220310
meta-raspberrypi: 1584bddcf3..378d4b6e7b:
Devendra Tewari (1):
linux-raspberrypi: Upgrade to 5.10.83
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I7e76d58ee794d7a2965816d096a757b6f7ddbc74
Diffstat (limited to 'poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch')
| -rw-r--r-- | poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch | 218 |
1 files changed, 218 insertions, 0 deletions
diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch new file mode 100644 index 0000000000..d31e9650d1 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch @@ -0,0 +1,218 @@ +CVE: CVE-2022-0891 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001 +From: Su Laus <sulau@freenet.de> +Date: Tue, 8 Mar 2022 17:02:44 +0000 +Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in + extractImageSection + +--- + tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- + 1 file changed, 36 insertions(+), 56 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b85c2ce7..302a7e91 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -105,8 +105,8 @@ + * of messages to monitor progress without enabling dump logs. + */ + +-static char tiffcrop_version_id[] = "2.4"; +-static char tiffcrop_rev_date[] = "12-13-2010"; ++static char tiffcrop_version_id[] = "2.4.1"; ++static char tiffcrop_rev_date[] = "03-03-2010"; + + #include "tif_config.h" + #include "libport.h" +@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + uint32_t img_length; + #endif +- uint32_t j, shift1, shift2, trailing_bits; ++ uint32_t j, shift1, trailing_bits; + uint32_t row, first_row, last_row, first_col, last_col; + uint32_t src_offset, dst_offset, row_offset, col_offset; +- uint32_t offset1, offset2, full_bytes; ++ uint32_t offset1, full_bytes; + uint32_t sect_width; + #ifdef DEVELMODE + uint32_t sect_length; +@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + int k; + unsigned char bitset; +- static char *bitarray = NULL; + #endif + + img_width = image->width; +@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + dst_offset = 0; + + #ifdef DEVELMODE +- if (bitarray == NULL) +- { +- if ((bitarray = (char *)malloc(img_width)) == NULL) +- { +- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); +- return (-1); +- } +- } ++ char bitarray[39]; + #endif + +- /* rows, columns, width, length are expressed in pixels */ ++ /* rows, columns, width, length are expressed in pixels ++ * first_row, last_row, .. are index into image array starting at 0 to width-1, ++ * last_col shall be also extracted. */ + first_row = section->y1; + last_row = section->y2; + first_col = section->x1; +@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + sect_length = last_row - first_row + 1; + #endif +- img_rowsize = ((img_width * bps + 7) / 8) * spp; +- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ +- trailing_bits = (sect_width * bps) % 8; ++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved ++ * samples rather than separate planes so the same logic works to extract regions ++ * regardless of the way the data are organized in the input file. ++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 ++ */ ++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ ++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ ++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + + #ifdef DEVELMODE + TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", +@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if ((bps % 8) == 0) + { +- col_offset = first_col * spp * bps / 8; ++ col_offset = (first_col * spp * bps) / 8; + for (row = first_row; row <= last_row; row++) + { +- /* row_offset = row * img_width * spp * bps / 8; */ + row_offset = row * img_rowsize; + src_offset = row_offset + col_offset; + +@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + } + else + { /* bps != 8 */ +- shift1 = spp * ((first_col * bps) % 8); +- shift2 = spp * ((last_col * bps) % 8); ++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ + for (row = first_row; row <= last_row; row++) + { + /* pull out the first byte */ + row_offset = row * img_rowsize; +- offset1 = row_offset + (first_col * bps / 8); +- offset2 = row_offset + (last_col * bps / 8); ++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ + + #ifdef DEVELMODE + for (j = 0, k = 7; j < 8; j++, k--) +@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + sprintf(&bitarray[9], " "); + for (j = 10, k = 7; j < 18; j++, k--) + { +- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; ++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; + sprintf(&bitarray[j], (bitset) ? "1" : "0"); + } + bitarray[18] = '\0'; +- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", +- row, offset1, shift1, offset2, shift2); ++ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", ++ row, offset1, shift1, offset1+full_bytes, trailing_bits); + #endif + + bytebuff1 = bytebuff2 = 0; +@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if (trailing_bits != 0) + { +- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); ++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ ++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); + sect_buff[dst_offset] = bytebuff2; + #ifdef DEVELMODE + TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", +- offset2, dst_offset); ++ offset1 + full_bytes, dst_offset); + for (j = 30, k = 7; j < 38; j++, k--) + { + bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; +@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + for (j = 0; j <= full_bytes; j++) + { +- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); +- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); ++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ ++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ ++ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); ++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); + sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); + } + #ifdef DEVELMODE +@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + dst_offset += full_bytes; + ++ /* Copy the trailing_bits for the last byte in the destination buffer. ++ Could come from one ore two bytes of the source buffer. */ + if (trailing_bits != 0) + { + #ifdef DEVELMODE +- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); +-#endif +- if (shift2 > shift1) +- { +- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); +- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); +- sect_buff[dst_offset] = bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 > Shift1\n"); ++ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); + #endif ++ /* More than necessary bits are already copied into last destination buffer, ++ * only masking of last byte in destination buffer is necessary.*/ ++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); + } +- else +- { +- if (shift2 < shift1) +- { +- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); +- sect_buff[dst_offset] &= bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 < Shift1\n"); +-#endif +- } +-#ifdef DEVELMODE +- else +- TIFFError ("", " Shift2 == Shift1\n"); +-#endif +- } +- } + #ifdef DEVELMODE + sprintf(&bitarray[28], " "); + sprintf(&bitarray[29], " "); +@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, + width = sections[i].x2 - sections[i].x1 + 1; + length = sections[i].y2 - sections[i].y1 + 1; + sectsize = (uint32_t) +- ceil((width * image->bps + 7) / (double)8) * image->spp * length; ++ ceil((width * image->bps * image->spp + 7) / (double)8) * length; + /* allocate a buffer if we don't have one already */ + if (createImageSection(sectsize, sect_buff_ptr)) + { +-- +2.25.1 + |