fix CVE-2025-9900: Write-What-Where via TIFFReadRGBAImageOriented (RHEL-112528)

Resolves: RHEL-112528

compat-libtiff3.spec

@@ -1,7 +1,7 @@
 Summary: Compatibility package for libtiff 3
 Name: compat-libtiff3
 Version: 3.9.4
-Release: 13%{?dist}
+Release: 14%{?dist}
 
 License: libtiff
 Group: System Environment/Libraries
@@ -38,6 +38,9 @@ Patch31: libtiff-CVE-2013-4244.patch
 Patch32: libtiff-CVE-2013-4243.patch
 Patch33: libtiff-CVE-2018-7456.patch
 Patch34: libtiff-coverity.patch
+# from upstream, for <= 4.7.0, RHEL-112528
+# https://gitlab.com/libtiff/libtiff/-/merge_requests/732.patch
+Patch35: libtiff-3.9.4-CVE-2025-9900.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel libjpeg-devel
@@ -54,36 +57,37 @@ to use the current version of libtiff.
 %prep
 %setup -q -n tiff-%{version}
 
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
+%patch -P 6 -p1
+%patch -P 7 -p1
+%patch -P 8 -p1
+%patch -P 9 -p1
+%patch -P 10 -p1
+%patch -P 11 -p1
+%patch -P 12 -p1
+%patch -P 13 -p1
+%patch -P 14 -p1
+%patch -P 15 -p1
+%patch -P 16 -p1
+%patch -P 17 -p1
+%patch -P 18 -p1
+%patch -P 19 -p1
+%patch -P 20 -p1
+%patch -P 21 -p1
+%patch -P 22 -p1
+%patch -P 27 -p1
+%patch -P 28 -p1
+%patch -P 29 -p1
+%patch -P 30 -p1
+%patch -P 31 -p1
+%patch -P 32 -p1
+%patch -P 33 -p1
+%patch -P 34 -p1
+%patch -P 35 -p1 -b .CVE-2025-9900
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -128,6 +132,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libtiffxx.so.*
 
 %changelog
+* Thu Sep 25 2025 Michal Hlavinka <mhlavink@redhat.com> - 3.9.4-14
+- fix CVE-2025-9900: Write-What-Where via TIFFReadRGBAImageOriented (RHEL-112528)
+
 * Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 3.9.4-13
 - Fix important Covscan defects
   related: #1687584

libtiff-3.9.4-CVE-2025-9900.patch

@@ -0,0 +1,36 @@
+diff -up tiff-3.9.4/libtiff/tif_getimage.c.CVE-2025-9900 tiff-3.9.4/libtiff/tif_getimage.c
+--- tiff-3.9.4/libtiff/tif_getimage.c.CVE-2025-9900	2025-09-25 11:57:46.726133686 +0200
++++ tiff-3.9.4/libtiff/tif_getimage.c	2025-09-25 12:03:23.139263767 +0200
+@@ -458,6 +458,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uin
+ 		"No \"put\" routine setupl; probably can not handle image format");
+ 		return (0);
+     }
++    /* Verify raster width and height against image width and height. */
++    if (h > img->height)
++    {
++        /* Adapt parameters to read only available lines and put image at
++         * the bottom of the raster. */
++		raster += (size_t)(h - img->height) * w;
++		h = img->height;
++    }
++    if (w > img->width)
++    {
++        TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
++                        "Raster width of %d shall not be larger than image "
++                        "width of %d -> raster width adapted for reading",
++                        w, img->width);
++        w = img->width;
++    }
+     return (*img->get)(img, raster, w, h);
+ }
+ 
+@@ -477,8 +493,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+ 	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+ 		img.req_orientation = orientation;
+ 		/* XXX verify rwidth and rheight against width and height */
+-		ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+-			rwidth, img.height);
++		ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ 		TIFFRGBAImageEnd(&img);
+ 	} else {
+ 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);