diff --git a/compat-libtiff3.spec b/compat-libtiff3.spec index 206dcfb..2b9f196 100644 --- a/compat-libtiff3.spec +++ b/compat-libtiff3.spec @@ -1,7 +1,7 @@ Summary: Compatibility package for libtiff 3 Name: compat-libtiff3 Version: 3.9.4 -Release: 15%{?dist} +Release: 16%{?dist} License: libtiff Group: System Environment/Libraries @@ -44,6 +44,10 @@ Patch35: libtiff-3.9.4-CVE-2025-9900.patch # from upstream, for <= 4.7.1, RHEL-159315 # https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c Patch36: libtiff-CVE-2026-4775.patch +# from upstream, RHEL-189375 +# https://gitlab.com/libtiff/libtiff/-/commit/ba2b04b114c5dd945107ccc613cedfcca3af73bb +# https://gitlab.com/libtiff/libtiff/-/commit/f9bda11bf2fc819b971517582666d56f18b1bc3f +Patch37: libtiff-CVE-2026-12912.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: zlib-devel libjpeg-devel @@ -92,6 +96,7 @@ to use the current version of libtiff. %patch -P 34 -p1 %patch -P 35 -p1 -b .CVE-2025-9900 %patch -P 36 -p1 -b .CVE-2026-4775 +%patch -P 37 -p1 -b .CVE-2026-12912 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -136,6 +141,10 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libtiffxx.so.* %changelog +* Sat Jun 27 2026 RHEL Packaging Agent - 3.9.4-16 +- fix CVE-2026-12912: heap-buffer-overflow in PixarLog ABGR decoding + (RHEL-189375) + * Wed Apr 22 2026 Michal Hlavinka - 3.9.4-15 - fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159315) diff --git a/libtiff-CVE-2026-12912.patch b/libtiff-CVE-2026-12912.patch new file mode 100644 index 0000000..5785808 --- /dev/null +++ b/libtiff-CVE-2026-12912.patch @@ -0,0 +1,107 @@ +From 3bddf1548c274f4efaf113af871d87688dd605ab Mon Sep 17 00:00:00 2001 +From: waugustus +Date: Thu, 23 Apr 2026 17:05:53 +0800 +Subject: [PATCH 1/2] pixarlog: fix heap-buffer-overflow in 8BITABGR decode + with stride 3 (#824) + +--- + libtiff/tif_pixarlog.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index a4c932cb..447244d3 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -746,6 +746,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s) + + llen = sp->stride * td->td_imagewidth; + ++ /* Fix: ABGR with stride=3 expands 3 samples to 4 output bytes per pixel */ ++ if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3) ++ { ++ tsize_t required = (tsize_t)td->td_imagewidth * 4; ++ if (occ < required) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Output buffer too small for PixarLog ABGR data"); ++ memset(op, 0, (size_t)occ); ++ return (0); ++ } ++ } ++ + (void) s; + assert(sp != NULL); + sp->stream.next_out = (unsigned char *) sp->tbuf; +@@ -825,7 +838,10 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s) + case PIXARLOGDATAFMT_8BITABGR: + horizontalAccumulate8abgr(up, llen, sp->stride, + (unsigned char *)op, sp->ToLinear8); +- op += llen * sizeof(unsigned char); ++ if (sp->stride == 3) ++ op += td->td_imagewidth * 4; ++ else ++ op += llen * sizeof(unsigned char); + break; + default: + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +-- +2.52.0 + + +From c29a602200eb255f69587a35ef0c5a9f68c0ad8e Mon Sep 17 00:00:00 2001 +From: waugustus +Date: Thu, 7 May 2026 12:48:42 +0800 +Subject: [PATCH 2/2] pixarlog: complete ABGR bounds check for multi-row strip + decoding + +--- + libtiff/tif_pixarlog.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index 447244d3..993e1f33 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -750,6 +750,12 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s) + if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3) + { + tsize_t required = (tsize_t)td->td_imagewidth * 4; ++ tsize_t max_rows; ++ tsize_t max_nsamples; ++ ++ /* ++ * Ensure at least one expanded output row fits. ++ */ + if (occ < required) + { + TIFFErrorExt(tif->tif_clientdata, module, +@@ -757,6 +763,26 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s) + memset(op, 0, (size_t)occ); + return (0); + } ++ ++ /* ++ * PixarLogDecode() may process multiple rows per call ++ * (e.g. strip decoding). Limit nsamples so the total ++ * output written by the loop below never exceeds occ. ++ */ ++ max_rows = occ / required; ++ max_nsamples = max_rows * llen; ++ ++ /* ++ * Truncate excess rows to preserve as much decoded data ++ * as possible while avoiding output buffer overflow. ++ */ ++ if (nsamples > max_nsamples) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "PixarLog ABGR decode truncated to avoid " ++ "output buffer overflow"); ++ nsamples = max_nsamples; ++ } + } + + (void) s; +-- +2.52.0 +