From: Yogita Urade Date: Tue, 30 Sep 2025 08:17:48 +0000 (+0530) Subject: tiff: fix CVE-2025-9900 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c1303b8eb4e85a031a175867361876a256bfb763;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git tiff: fix CVE-2025-9900 A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.[EOL][EOL]By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-9900 Upstream patch: https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch new file mode 100644 index 00000000000..97858163e2b --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch @@ -0,0 +1,54 @@ +From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Wed, 11 Jun 2025 19:45:19 +0000 +Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster + rows at TIFFReadRGBAImageOriented() + +CVE: CVE-2025-9900 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99] + +Signed-off-by: Yogita Urade +--- + libtiff/tif_getimage.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 3c9fc4f..fc8b22e 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -600,6 +600,22 @@ int TIFFRGBAImageGet(TIFFRGBAImage *img, uint32_t *raster, uint32_t w, + "No \"put\" routine setupl; probably can not handle image format"); + return (0); + } ++ /* Verify raster width and height against image width and height. */ ++ if (h > img->height) ++ { ++ /* Adapt parameters to read only available lines and put image at ++ * the bottom of the raster. */ ++ raster += (size_t)(h - img->height) * w; ++ h = img->height; ++ } ++ if (w > img->width) ++ { ++ TIFFWarningExtR(img->tif, TIFFFileName(img->tif), ++ "Raster width of %d shall not be larger than image " ++ "width of %d -> raster width adapted for reading", ++ w, img->width); ++ w = img->width; ++ } + return (*img->get)(img, raster, w, h); + } + +@@ -617,9 +633,7 @@ int TIFFReadRGBAImageOriented(TIFF *tif, uint32_t rwidth, uint32_t rheight, + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) + { + img.req_orientation = (uint16_t)orientation; +- /* XXX verify rwidth and rheight against width and height */ +- ok = TIFFRGBAImageGet(&img, raster + (rheight - img.height) * rwidth, +- rwidth, img.height); ++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight); + TIFFRGBAImageEnd(&img); + } + else +-- +2.40.0 diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index 6bf7010ba28..1d3d08ff9d2 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb @@ -17,6 +17,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-52355-0002.patch \ file://CVE-2023-52356.patch \ file://CVE-2024-7006.patch \ + file://CVE-2025-9900.patch \ " SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"