tiff: patch CVE-2025-8961

Pick commit mentioned in [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-8961

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
new file mode 100644 (file)
index 0000000..90207da
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-8961.patch
@@ -0,0 +1,73 @@
+From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 5 Sep 2025 21:42:35 +0000
+Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue
+ #721
+
+CVE: CVE-2025-8961
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tools/tiffcrop.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ae414efc..be250cc9 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -1072,6 +1072,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                           "Unable to extract row %" PRIu32
+                                           " from tile %" PRIu32,
+                                           row, TIFFCurrentTile(in));
++                                _TIFFfree(tilebuf);
+                                 return 1;
+                             }
+                             break;
+@@ -1086,6 +1087,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                               "Unable to extract row %" PRIu32
+                                               " from tile %" PRIu32,
+                                               row, TIFFCurrentTile(in));
++                                    _TIFFfree(tilebuf);
+                                     return 1;
+                                 }
+                                 break;
+@@ -1098,6 +1100,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                           "Unable to extract row %" PRIu32
+                                           " from tile %" PRIu32,
+                                           row, TIFFCurrentTile(in));
++                                _TIFFfree(tilebuf);
+                                 return 1;
+                             }
+                             break;
+@@ -1110,6 +1113,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                           "Unable to extract row %" PRIu32
+                                           " from tile %" PRIu32,
+                                           row, TIFFCurrentTile(in));
++                                _TIFFfree(tilebuf);
+                                 return 1;
+                             }
+                             break;
+@@ -1124,12 +1128,14 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
+                                           "Unable to extract row %" PRIu32
+                                           " from tile %" PRIu32,
+                                           row, TIFFCurrentTile(in));
++                                _TIFFfree(tilebuf);
+                                 return 1;
+                             }
+                             break;
+                         default:
+                             TIFFError("readContigTilesIntoBuffer",
+                                       "Unsupported bit depth %" PRIu16, bps);
++                            _TIFFfree(tilebuf);
+                             return 1;
+                     }
+                 }
+@@ -2901,7 +2907,7 @@ int main(int argc, char *argv[])
+     }
+ 
+     /* If we did not use the read buffer as the crop buffer */
+-    if (read_buff)
++    if (read_buff && read_buff != crop_buff)
+         _TIFFfree(read_buff);
+ 
+     if (crop_buff)

diff --git a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
index 405edabe6f477afe206c968650c0f0e3c813b699..91e7bfbe1726c5ab6a6f2e09ae4445a7a32b35b2 100644 (file)
--- a/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.7.0.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2025-8177_2.patch \
            file://CVE-2025-8534.patch \
            file://CVE-2025-9165.patch \
+           file://CVE-2025-8961.patch \
           "
 
 SRC_URI[sha256sum] = "67160e3457365ab96c5b3286a0903aa6e78bdc44c4bc737d2e486bcecb6ba976"