Re: [OE-core][scarthgap][PATCH 3/3] tiff: ignore CVE-2025-61143, CVE-2025-61144 and CVE-2025-61145

Wed, 18 Mar 2026 06:42:34 -0700 

On Sat Mar 7, 2026 at 7:45 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
> From: Ankur Tyagi <[email protected]>
>
> These CVEs are for tools which were removed in v4.6.0[1]
>
> [1]https://gitlab.com/libtiff/libtiff/-/commit/eab89a627f0a65e9a1a47c4b30b4802c80b1ac45
>
> Details:
> https://nvd.nist.gov/vuln/detail/CVE-2025-61143

This CVE: "libtiff up to v4.7.1 was discovered to contain a NULL pointer
dereference via the component libtiff/tif_open.c."

Despite tools being removed in the commit you mentionned
libtiff/tif_open.c was not touched and the patch linked by NVD apply to
files outside of "archive/" were the removed tools are...

Are you sure we can ignore this CVE?

FYI, Peter patched it on kirkstone:
[OE-core][kirkstone 07/17] tiff: patch CVE-2025-61143 - Yoann Congal
https://lore.kernel.org/openembedded-core/944f481d214bebeaf51769d77fe16cd93cbff351.1773652940.git.yoann.con...@smile.fr/

Regards,

> https://nvd.nist.gov/vuln/detail/CVE-2025-61144
> https://nvd.nist.gov/vuln/detail/CVE-2025-61145
>
> Signed-off-by: Ankur Tyagi <[email protected]>
> ---
>  meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb 
> b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
> index 777783d7cc..07540692fc 100644
> --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
> +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
> @@ -29,7 +29,7 @@ CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with 
> check from https://secur
>  CVE_STATUS[CVE-2023-3164] = "cpe-incorrect: Issue only affects the tiffcrop 
> tool not compiled by default since 4.6.0"
>  
>  CVE_STATUS_GROUPS += "CVE_STATUS_REMOVED_TOOLS"
> -CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 
> CVE-2025-8534 CVE-2025-8851 CVE-2025-8961"
> +CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 
> CVE-2025-8534 CVE-2025-8851 CVE-2025-8961 CVE-2025-61143 CVE-2025-61144 
> CVE-2025-61145"
>  CVE_STATUS_REMOVED_TOOLS[status] = "cpe-incorrect: tools affected by these 
> CVEs are not present in this release"
>  
>  inherit autotools multilib_header


-- 
Yoann Congal
Smile ECS


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#233389): 
https://lists.openembedded.org/g/openembedded-core/message/233389
Mute This Topic: https://lists.openembedded.org/mt/118185149/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to