git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
tiff: fix CVE-2022-2953
author: Zheng Qiu <zheng.qiu@windriver.com>
Fri, 4 Nov 2022 03:00:41 +0000 (17:00 -1000)
committer: Richard Purdie <richard.purdie@linuxfoundation.org>
Fri, 4 Nov 2022 13:13:27 +0000 (13:13 +0000)
commit: cd94ed01214251027d1076b67cf65c3058f51dad
tree: 648161cd20c65356c47d0f2e7fc5a5bd0aa68922
parent: 88e1917dbf1e1bce5713c88d97adceb28ac0da05

While this does not happen with the tiff 4.3.0 release, it does happen with
the series of patches we have, so backport the two simple changes that
restrict the tiffcrop options to avoid the vulnerability.

CVE-2022-2953.patch was taken from upstream, and a small typo was fixed
for the CVE number. The other patch is included in tiff 4.4.0 but not
4.3.0, so add it as well.

Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch [new file with mode: 0644]
meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch [new file with mode: 0644]
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb