On Wed, Oct 19, 2022 at 11:07 AM Randy MacLeod <randy.macl...@windriver.com> wrote:
>
> On 2022-10-19 15:32, Qiu, Zheng wrote:
> > kirkstone now has tiff version 4.3.0.
> >
> > As described in https://nvd.nist.gov/vuln/detail/CVE-2022-2953, this issue
> > is reported here: https://gitlab.com/libtiff/libtiff/-/issues/414
> >
> > Tested with libtiff source code on version 4.3.0 by using " /libtiff$ git
> > checkout v3.3.0" and following the steps listed in the bug report; cannot
> > reproduce the bug.
> >
> > Using " /libtiff$ git checkout b51bb157", I am able to reproduce the problem
> > following the steps listed above. That confirms the issue occurred after v3.3.0,
> > and the commit that brings the bug is not on kirkstone, which means the
> > issue/fix is not applicable for kirkstone.
>
> Hold on...
>
> We also checked, because I'm paranoid, by doing:
>
> $ cd .../poky-contrib.git
> $ git checkout stable/kirkstone-nut
> $ git pull
> $ cd ...
> $ . ../poky-contrib.git/tiff-patches
> $ bitbake -c patch tiff
>
> $ mkdir cp-tiff-patch-by-bb-kirkstone-nut
> $ cp -a tmp/work/core2-64-poky-linux/tiff/4.3.0-r0 cp-tiff-patch-by-bb-kirkstone-nut/
> $ cd cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0
> $ ./autogen.sh
> $ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
> $ make -j; make install; make clean
> $ wget https://gitlab.com/libtiff/libtiff/uploads/54e5139c4d9d6b740f537c691aad2b03/poc
> $ ./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -S 2:2 -i poc /tmp/foo
>
> and a very similar issue still occurs.
>
> See log below. We'll investigate more and send a patch as needed.

Thanks Randy.

I'm pretty sure I didn't take the referenced patch because it was for a
version of tiff not in kirkstone. But I don't see an email from me
explaining why, so my bad :-( I usually try to give feedback when a
patch isn't taken.

Steve

> We will enable the address sanitizer and check if the issue
> is reproducible in qemux86-64.
>
> ../Randy
>
>
> ...
>
> loadImage: Image lacks Photometric interpretation tag.
> TIFFFillStrip: Read error on strip 0; got 672 bytes, expected 1142418.
> =================================================================
> ==269609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd1864ff695 at pc 0x55de6ca63f9a bp 0x7ffe727049a0 sp 0x7ffe72704990
> READ of size 1 at 0x7fd1864ff695 thread T0
>     #0 0x55de6ca63f99 in extractImageSection /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897
>     #1 0x55de6ca6515a in writeImageSections /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:7085
>     #2 0x55de6ca4abe9 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2453
>     #3 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>     #4 0x7fd189b39e3f in __libc_start_main_impl ../csu/libc-start.c:392
>     #5 0x55de6ca413a4 in _start (/media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/build_asan/bin/tiffcrop+0x2a3a4)
>
> 0x7fd1864ff695 is located 0 bytes to the right of 1142421-byte region [0x7fd1863e8800,0x7fd1864ff695)
> allocated by thread T0 here:
>     #0 0x7fd18a0a1867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
>     #1 0x55de6cadcd83 in _TIFFmalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/libtiff/tif_unix.c:314
>     #2 0x55de6ca41543 in limitMalloc /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:627
>     #3 0x55de6ca61299 in loadImage /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6212
>     #4 0x55de6ca4a4a1 in main /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:2376
>     #5 0x7fd189b39d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /media/rmacleod/gitter/rmacleod/src/distro/yocto/b/tiff-patches/cp-tiff-patch-by-bb-kirkstone-nut/4.3.0-r0/tiff-4.3.0/tools/tiffcrop.c:6897 in extractImageSection
> Shadow bytes around the buggy address:
>   0x0ffab0c97e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0ffab0c97e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0ffab0c97ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0ffab0c97eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0ffab0c97ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0ffab0c97ed0: 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0ffab0c97ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0ffab0c97ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0ffab0c97f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0ffab0c97f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0ffab0c97f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:     fa
>   Freed heap region:     fd
>   Stack left redzone:    f1
>   Stack mid redzone:     f2
>   Stack right redzone:   f3
Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb > Shadow gap: cc > ==269609==ABORTING > > > > Zheng Qiu > > Linux Developer > > _______________ > > Wind River > > M/ (437) 341-1849 > > > >> -----Original Message----- > >> From: openembedded-core@lists.openembedded.org <openembedded- > >> c...@lists.openembedded.org> On Behalf Of Teoh, Jay Shen > >> Sent: Thursday, September 29, 2022 4:33 AM > >> To: openembedded-core@lists.openembedded.org > >> Subject: [OE-core][kirkstone][PATCH 2/2] tiff: backport fix for > >> CVE-2022-2953 > >> > >> [Please note: This e-mail is from an EXTERNAL e-mail address] > >> > >> From: Teoh Jay Shen <jay.shen.t...@intel.com> > >> > >> Link for the patch : https://gitlab.com/libtiff/libtiff/- > >> /commit/48d6ece8389b01129e7d357f0985c8f938ce3da3 > >> > >> Signed-off-by: Teoh Jay Shen <jay.shen.t...@intel.com> > >> --- > >> .../libtiff/tiff/CVE-2022-2953.patch | 86 +++++++++++++++++++ > >> meta/recipes-multimedia/libtiff/tiff_4.4.0.bb | 1 + > >> 2 files changed, 87 insertions(+) > >> create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022- > >> 2953.patch > >> > >> diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch > >> b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch > >> new file mode 100644 > >> index 0000000000..2122b46566 > >> --- /dev/null > >> +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch 
> >> @@ -0,0 +1,86 @@ > >> +CVE: CVE-2022-2953 > >> +Upstream-Status: Backport > >> +Signed-off-by: Teoh Jay Shen <jay.shen.t...@intel.com> > >> + > >> +From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 > >> 2001 > >> +From: Su_Laus <su...@freenet.de> > >> +Date: Mon, 15 Aug 2022 22:11:03 +0200 > >> +Subject: [PATCH] > >> +=?UTF-8?q?According=20to=20Richard=20Nolde=20https://gitl?= > >> + > >> +=?UTF-8?q?ab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the=20 > >> +ti?= > >> +=?UTF-8?q?ffcrop=20option=20=E2=80=9E- > >> S=E2=80=9C=20is=20also=20mutually > >> +?= > >> +=?UTF-8?q?=20exclusive=20to=20the=20other=20crop=20options=20(-X|- > >> Y),=2 > >> +0-?= > >> + =?UTF-8?q?Z=20and=20-z.?= > >> +MIME-Version: 1.0 > >> +Content-Type: text/plain; charset=UTF-8 > >> +Content-Transfer-Encoding: 8bit > >> + > >> +This is now checked and ends tiffcrop if those arguments are not mutually > >> exclusive. > >> + > >> +This MR will fix the following tiffcrop issues: #349, #414, #422, #423, > >> +#424 > >> +--- > >> + tools/tiffcrop.c | 31 ++++++++++++++++--------------- > >> + 1 file changed, 16 insertions(+), 15 deletions(-) > >> + > >> +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index > >> +90286a5e..c3b758ec 100644 > >> +--- a/tools/tiffcrop.c > >> ++++ b/tools/tiffcrop.c > >> +@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022"; > >> + #define ROTATECW_270 32 > >> + #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) > >> + > >> +-#define CROP_NONE 0 > >> +-#define CROP_MARGINS 1 > >> +-#define CROP_WIDTH 2 > >> +-#define CROP_LENGTH 4 > >> +-#define CROP_ZONES 8 > >> +-#define CROP_REGIONS 16 > >> ++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page- > >>> rows/->cols != 0 */ > >> ++#define CROP_MARGINS 1 /* "-m" */ > >> ++#define CROP_WIDTH 2 /* "-X" */ > >> ++#define CROP_LENGTH 4 /* "-Y" */ > >> ++#define CROP_ZONES 8 /* "-Z" */ > >> ++#define CROP_REGIONS 16 /* "-z" */ > >> + #define CROP_ROTATE 32 > >> + 
#define CROP_MIRROR 64 > >> + #define CROP_INVERT 128 > >> +@@ -316,7 +316,7 @@ struct crop_mask { > >> + #define PAGE_MODE_RESOLUTION 1 > >> + #define PAGE_MODE_PAPERSIZE 2 > >> + #define PAGE_MODE_MARGINS 4 > >> +-#define PAGE_MODE_ROWSCOLS 8 > >> ++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ > >> + > >> + #define INVERT_DATA_ONLY 10 > >> + #define INVERT_DATA_AND_TAG 11 > >> +@@ -781,7 +781,7 @@ static const char usage_info[] = > >> + " The four debug/dump options are independent, though it > >> makes > >> little sense to\n" > >> + " specify a dump file without specifying a detail level.\n" > >> + "\n" > >> +-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" > >> ++"Note: The (-X|-Y), -Z, -z and -S options are mutually > >> exclusive.\n" > >> + " In no case should the options be applied to a given > >> selection > >> successively.\n" > >> + "\n" > >> + ; > >> +@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char > >> *argv[], char *mp, char *mode, uint32 > >> + /*NOTREACHED*/ > >> + } > >> + } > >> +- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z > >> are > >> mutually exclusive) --*/ > >> +- char XY, Z, R; > >> ++ /*-- Check for not allowed combinations (e.g. 
-X, -Y and -Z, -z and > >> -S are > >> mutually exclusive) --*/ > >> ++ char XY, Z, R, S; > >> + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data- > >>> crop_mode & CROP_LENGTH)); > >> + Z = (crop_data->crop_mode & CROP_ZONES); > >> + R = (crop_data->crop_mode & CROP_REGIONS); > >> +- if ((XY && Z) || (XY && R) || (Z && R)) { > >> +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z > >> and -z are > >> mutually exclusive.->Exit"); > >> ++ S = (page->mode & PAGE_MODE_ROWSCOLS); > >> ++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || > >> (R && S)) > >> { > >> ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), > >> ++ -Z, -z and -S are mutually exclusive.->Exit"); > >> + exit(EXIT_FAILURE); > >> + } > >> + } /* end process_command_opts */ > >> +-- > >> +2.34.1 > >> + > >> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes- > >> multimedia/libtiff/tiff_4.4.0.bb > >> index e30df0b3e9..caf6f60479 100644 > >> --- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb > >> +++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb > >> @@ -11,6 +11,7 @@ CVE_PRODUCT = "libtiff" > >> SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ > >> file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \ > >> file://CVE-2022-34526.patch \ > >> + file://CVE-2022-2953.patch \ > >> " > >> > >> SRC_URI[sha256sum] = > >> "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed > >> " > >> -- > >> 2.37.3 > > > > > > > > -- > # Randy MacLeod > # Wind River Linux > > > >
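Review bot: the upstream commit ids in this submission disagree: the commit message links https://gitlab.com/libtiff/libtiff/-/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3, but the embedded CVE-2022-2953.patch carries "From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf" in its header. State in the patch header which upstream commit the body was actually taken from (and whether the other id is the merge commit of the same MR) so the backport can be traced; the bare "Upstream-Status: Backport" line gives a reviewer nothing to verify against.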
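Review bot: in the tools/tiffcrop.c hunk at @@ -2131, the new S flag is derived only from `page->mode & PAGE_MODE_ROWSCOLS`, while the comment added to CROP_NONE in the @@ -173 hunk describes "-S" as `Page_MODE_ROWSCOLS and page->rows/->cols != 0`; confirm that parsing -S always sets the PAGE_MODE_ROWSCOLS bit, because if it is only set once rows/cols are validated later, the reporter's combination (`-Z 1:4,3:3 ... -S 2:2`) would still pass this check. The comment also misspells the macro (`Page_MODE_ROWSCOLS` vs the actual `PAGE_MODE_ROWSCOLS`) and sits on CROP_NONE, which is not a crop mode -S sets; move it next to PAGE_MODE_ROWSCOLS. Finally, the hand-enumerated list `(XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)` grows quadratically with each new exclusive option; counting how many of the families are active and rejecting when more than one is set would be easier to keep correct.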
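Review bot: the recipe hunk modifies meta/recipes-multimedia/libtiff/tiff_4.4.0.bb, but the patch is tagged [kirkstone] and the thread states that kirkstone carries tiff 4.3.0 (Zheng: "kirkstone now has tiff version 4.3.0"; Randy's build path is tmp/work/core2-64-poky-linux/tiff/4.3.0-r0), so this file does not exist on that branch and the change cannot apply there. Retarget the hunk to the 4.3.0 recipe and re-check that the context lines it relies on (the 0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch and CVE-2022-34526.patch entries) are present in it. Note that Randy's ASan run against the kirkstone 4.3.0 tree still reports a heap-buffer-overflow in extractImageSection (tiffcrop.c:6897) with the same tiffcrop invocation, so a fix for 4.3.0 is still needed rather than treating the CVE as not applicable.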
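The option-conflict check from the quoted tiffcrop patch, as an added example written for this thread rather than libtiff or OE-Core code. The CROP_* and PAGE_MODE_ROWSCOLS values are the ones visible in the patch hunks; the function names, the counting form and the exhaustive comparison are constructed here. It places the patch's pairwise form beside a counting form that needs one extra line, not N extra pairs, when another mutually exclusive option is added, and verifies over every combination of the relevant bits that the two forms reject exactly the same inputs.

```c
/* Added example (not libtiff code): generalizes the mutual-exclusion
 * check from the quoted tiffcrop patch. The #define values mirror the
 * patch hunks; function names and the counting form are constructed. */
#include <stdio.h>

#define CROP_NONE    0
#define CROP_MARGINS 1  /* "-m" */
#define CROP_WIDTH   2  /* "-X" */
#define CROP_LENGTH  4  /* "-Y" */
#define CROP_ZONES   8  /* "-Z" */
#define CROP_REGIONS 16 /* "-z" */

#define PAGE_MODE_ROWSCOLS 8 /* "-S" */

/* The pairwise form as it appears in the patch. Returns 1 on conflict. */
int crop_options_conflict_pairwise(unsigned crop_mode, unsigned page_mode)
{
    int XY = ((crop_mode & CROP_WIDTH) || (crop_mode & CROP_LENGTH));
    int Z  = (crop_mode & CROP_ZONES) != 0;
    int R  = (crop_mode & CROP_REGIONS) != 0;
    int S  = (page_mode & PAGE_MODE_ROWSCOLS) != 0;
    return (XY && Z) || (XY && R) || (XY && S) ||
           (Z && R)  || (Z && S)  || (R && S);
}

/* Counting form: each mutually exclusive family contributes at most one
 * to 'active'; more than one active family is a conflict. A new exclusive
 * option is one added line here instead of N new pairs. */
int crop_options_conflict_counted(unsigned crop_mode, unsigned page_mode)
{
    int active = 0;
    active += (crop_mode & (CROP_WIDTH | CROP_LENGTH)) != 0; /* -X and/or -Y */
    active += (crop_mode & CROP_ZONES) != 0;                  /* -Z */
    active += (crop_mode & CROP_REGIONS) != 0;                /* -z */
    active += (page_mode & PAGE_MODE_ROWSCOLS) != 0;          /* -S */
    return active > 1;
}

/* Exhaustively confirm the two forms agree: all 32 combinations of the
 * five crop bits, with and without the PAGE_MODE_ROWSCOLS bit. */
int forms_agree_everywhere(void)
{
    for (unsigned crop = 0; crop < 32; crop++)
        for (unsigned page = 0; page <= PAGE_MODE_ROWSCOLS; page += PAGE_MODE_ROWSCOLS)
            if (crop_options_conflict_pairwise(crop, page) !=
                crop_options_conflict_counted(crop, page))
                return 0;
    return 1;
}

int main(void)
{
    /* The reporter's invocation combined -Z (zones) with -S (rows/cols);
     * the patch rejects this in option processing, before loadImage runs. */
    printf("-Z with -S conflicts: %d\n",
           crop_options_conflict_counted(CROP_ZONES, PAGE_MODE_ROWSCOLS));
    /* -X and -Y together are one family, so they do not conflict. */
    printf("-X with -Y conflicts: %d\n",
           crop_options_conflict_counted(CROP_WIDTH | CROP_LENGTH, 0));
    printf("-m alone conflicts: %d\n",
           crop_options_conflict_counted(CROP_MARGINS, 0));
    printf("forms agree: %d\n", forms_agree_everywhere());
    return 0;
}
```

The exhaustive comparison is the useful part for a backport review: when a check like this is carried to an older tree whose option set differs, rerunning it against that tree's defines shows immediately whether the ported condition still covers every combination.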