package/tiff: fix CVE-2022-22844

LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 7ec5f99b3a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-11-23 13:33:28 +08:00 · 2022-02-05 15:14:48 +01:00 · 2022-02-05 15:14:48 +01:00 · 1e25ae6943
commit 1e25ae6943
parent 257b355bba
2 changed files with 47 additions and 0 deletions
--- a/package/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags.patch
+++ b/package/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags.patch
@ -0,0 +1,43 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+[Retrieved from:
+https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ tools/tiffset.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index 8c9e23c5..e7a88c09 100644
+--- a/tools/tiffset.c
+++ b/tools/tiffset.c
+@@ -146,9 +146,19 @@ main(int argc, char* argv[])
+ 
+             arg_index++;
+             if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+-                if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+-                    fprintf( stderr, "Failed to set %s=%s\n",
+-                             TIFFFieldName(fip), argv[arg_index] );
+                if(TIFFFieldPassCount( fip )) {
+                    size_t len;
+                    len = strlen(argv[arg_index]) + 1;
+                    if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
+                            (uint16_t)len, argv[arg_index]) != 1)
+                        fprintf( stderr, "Failed to set %s=%s\n",
+                            TIFFFieldName(fip), argv[arg_index] );
+                } else {
+                    if (TIFFSetField(tiff, TIFFFieldTag(fip),
+                            argv[arg_index]) != 1)
+                        fprintf( stderr, "Failed to set %s=%s\n",
+                            TIFFFieldName(fip), argv[arg_index] );
+                }
+             } else if (TIFFFieldWriteCount(fip) > 0
+ 		       || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+                 int     ret = 1;
+-- 
+GitLab
+
--- a/package/tiff/tiff.mk
+++ b/package/tiff/tiff.mk
@ -11,6 +11,10 @@ TIFF_LICENSE_FILES = COPYRIGHT
 TIFF_CPE_ID_VENDOR = libtiff
 TIFF_CPE_ID_PRODUCT = libtiff
 TIFF_INSTALL_STAGING = YES
+
+# 0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags.patch
+TIFF_IGNORE_CVES += CVE-2022-22844
+
 TIFF_CONF_OPTS = \
 	--disable-cxx \
 	--without-x