tiff: fix CVE-2025-8176
authorYogita Urade <yogita.urade@windriver.com>
Wed, 6 Aug 2025 12:24:12 +0000 (17:54 +0530)
committerSteve Sakoman <steve@sakoman.com>
Mon, 11 Aug 2025 17:09:08 +0000 (10:09 -0700)
A vulnerability was found in LibTIFF up to 4.7.0. It has
been declared as critical. This vulnerability affects the
function get_histogram of the file tools/tiffmedian.c. The
manipulation leads to use after free. The attack needs to
be approached locally. The exploit has been disclosed to
the public and may be used. The patch is identified as
fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended
to apply a patch to fix this issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-8176

Upstream patches:
https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa
https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda
https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch [new file with mode: 0644]
meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch [new file with mode: 0644]
meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch [new file with mode: 0644]
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch
new file mode 100644 (file)
index 0000000..83dc695
--- /dev/null
@@ -0,0 +1,61 @@
+From 3994cf3b3bc6b54c32f240ca5a412cffa11633fa Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH] Don't skip the first line of the input image.  Addresses
+ issue #703
+
+CVE: CVE-2025-8176
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3994cf3b3bc6b54c32f240ca5a412cffa11633fa]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index 062fd60..d352554 100644
+--- a/tools/tiffdither.c
++++ b/tools/tiffdither.c
+@@ -95,7 +95,7 @@ fsdither(TIFF* in, TIFF* out)
+       nextptr = nextline;
+       for (j = 0; j < imagewidth; ++j)
+               *nextptr++ = *inptr++;
+-      for (i = 1; i < imagelength; ++i) {
++      for (i = 0; i < imagelength; ++i) {
+               tmpptr = thisline;
+               thisline = nextline;
+               nextline = tmpptr;
+@@ -138,7 +138,7 @@ fsdither(TIFF* in, TIFF* out)
+                                       nextptr[0] += v / 16;
+                       }
+               }
+-              if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
++              if (TIFFWriteScanline(out, outline, i, 0) < 0)
+                       goto skip_on_error;
+       }
+       goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 93a1741..93e57cf 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -844,7 +844,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+       outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+
+       GetInputLine(in, 0, goto bad);          /* get first line */
+-      for (i = 1; i <= imagelength; ++i) {
++      for (i = 0; i <= imagelength; ++i) {
+               SWAP(short *, thisline, nextline);
+               lastline = (i >= imax);
+               if (i <= imax)
+@@ -915,7 +915,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+                               nextptr += 3;
+                       }
+               }
+-              if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
++              if (TIFFWriteScanline(out, outline, i, 0) < 0)
+                       break;
+       }
+ bad:
+--
+2.40.0
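Review bot: Carried on its own, this patch leaves quant_fsdither iterating `for (i = 0; i <= imagelength; ++i)` while writing with `TIFFWriteScanline(out, outline, i, 0)`, so the final pass asks for row `imagelength`, one past the last row; the bound is only corrected by CVE-2025-8176-0003.patch. The patch header should record that dependency so the two are never split in a later rebase or cherry-pick, for example `Comment: must be applied together with CVE-2025-8176-0003.patch, which corrects the quant_fsdither loop bound`. The header could also state how this change relates to the CVE, since the advisory text names get_histogram and this patch touches only fsdither and quant_fsdither. Both function bodies start and end outside the quoted hunks.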
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch
new file mode 100644 (file)
index 0000000..c28969e
--- /dev/null
@@ -0,0 +1,31 @@
+From ce46f002eca4148497363f80fab33f9396bcbeda Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:25:16 -0700
+Subject: [PATCH] Fix tiffmedian bug #707
+
+CVE: CVE-2025-8176
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ce46f002eca4148497363f80fab33f9396bcbeda]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffmedian.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 93e57cf..a0b4b5d 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -385,7 +385,10 @@ get_histogram(TIFF* in, Colorbox* box)
+       }
+       for (i = 0; i < imagelength; i++) {
+               if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-                      break;
++                {
++                    fprintf(stderr, "Error reading scanline\n");
++                    exit(EXIT_FAILURE);
++                }
+               inptr = inputline;
+               for (j = imagewidth; j-- > 0;) {
+                       red = (*inptr++) & 0xff >> COLOR_SHIFT;
+--
+2.40.0
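Review bot: The new failure branch in get_histogram prints a fixed string, so a log reader cannot tell which row failed; including the index, e.g. `fprintf(stderr, "Error reading scanline %lu\n", (unsigned long)i);`, would make truncated or malformed inputs easier to triage. The added block is indented with spaces and puts the brace on its own line, while the surrounding lines use tabs and same-line braces. Calling `exit(EXIT_FAILURE)` here presumably stops the tool before a partially filled histogram can be used, which is a reasonable hard stop for a command-line program, but it skips whatever cleanup the caller does; that code is outside the hunk, so it is worth confirming nothing needs to be closed or flushed first.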
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch
new file mode 100644 (file)
index 0000000..b5ee36c
--- /dev/null
@@ -0,0 +1,28 @@
+From ecc4ddbf1f0fed7957d1e20361e37f01907898e0 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:38:09 -0700
+Subject: [PATCH] conflict resolution
+
+CVE: CVE-2025-8176
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ecc4ddbf1f0fed7957d1e20361e37f01907898e0]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ tools/tiffmedian.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index a0b4b5d..ca1c51f 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -847,7 +847,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+       outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+
+       GetInputLine(in, 0, goto bad);          /* get first line */
+-      for (i = 0; i <= imagelength; ++i) {
++      for (i = 0; i < imagelength; ++i) {
+               SWAP(short *, thisline, nextline);
+               lastline = (i >= imax);
+               if (i <= imax)
+--
+2.40.0
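Review bot: With the loop now starting at 0, the pre-loop `GetInputLine(in, 0, goto bad)` and the first in-loop read appear to fetch the same row, assuming the statement under `if (i <= imax)` (outside the hunk) reads row `i`. If so, the buffer swapped into `thisline` on each pass was filled one iteration earlier, and it is not obvious from the hunk which input row ends up in output row `i`. A short comment above the loop stating which input row `thisline` holds when row `i` is written would make the intended alignment checkable. The patch subject `conflict resolution` also says nothing about the bound change from `<=` to `<`; a line in the header such as `Comment: restores i < imagelength so no row past the end of the image is written` would help anyone auditing the series.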
index 5ec7b20e61be1aed46546f296c700dbfa4c1e0b7..6ff31bd0bbc5c325c5dd5a11f334eff565502509 100644 (file)
@@ -55,6 +55,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-6277-4.patch \
            file://CVE-2024-7006.patch \
            file://CVE-2023-3164.patch \
+           file://CVE-2025-8176-0001.patch \
+           file://CVE-2025-8176-0002.patch \
+           file://CVE-2025-8176-0003.patch \
            "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"