rpms/compat-libtiff3
7
0
Fork 0
Code Issues Pull Requests Releases Activity

fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159315)

Browse Source 
Resolves: RHEL-159315
This commit is contained in:
Michal Hlavinka 2026-04-22 13:47:37 +02:00
parent 49a2aa4b6c
commit cf89677ea6
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
compat-libtiff3.spec
View File

@ -1,7 +1,7 @@
Summary: Compatibility package for libtiff 3
Name: compat-libtiff3
Version: 3.9.4
Release: 14%{?dist}
Release: 15%{?dist}
License: libtiff
Group: System Environment/Libraries
@ -41,6 +41,9 @@ Patch34: libtiff-coverity.patch
# from upstream, for <= 4.7.0, RHEL-112528
# https://gitlab.com/libtiff/libtiff/-/merge_requests/732.patch
Patch35: libtiff-3.9.4-CVE-2025-9900.patch
# from upstream, for <= 4.7.1, RHEL-159315
# https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
Patch36: libtiff-CVE-2026-4775.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel libjpeg-devel
@ -88,6 +91,7 @@ to use the current version of libtiff.
%patch -P 33 -p1
%patch -P 34 -p1
%patch -P 35 -p1 -b .CVE-2025-9900
%patch -P 36 -p1 -b .CVE-2026-4775
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@ -132,6 +136,9 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libtiffxx.so.*
%changelog
* Wed Apr 22 2026 Michal Hlavinka <mhlavink@redhat.com> - 3.9.4-15
- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159315)
* Thu Sep 25 2025 Michal Hlavinka <mhlavink@redhat.com> - 3.9.4-14
- fix CVE-2025-9900: Write-What-Where via TIFFReadRGBAImageOriented (RHEL-112528)

39
libtiff-CVE-2026-4775.patch Normal file
View File

@ -0,0 +1,39 @@
diff -up tiff-3.9.4/libtiff/tif_getimage.c.CVE-2026-4775 tiff-3.9.4/libtiff/tif_getimage.c
--- tiff-3.9.4/libtiff/tif_getimage.c.CVE-2026-4775 2026-04-22 13:16:40.507960671 +0200
+++ tiff-3.9.4/libtiff/tif_getimage.c 2026-04-22 13:19:48.732219288 +0200
@@ -1656,7 +1656,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
uint32* cp1 = cp+w+toskew;
uint32* cp2 = cp1+w+toskew;
uint32* cp3 = cp2+w+toskew;
- int32 incr = 3*w+4*toskew;
+ const int64 incr = 3 * (int64)w + 4 * (int64)toskew;
(void) y;
/* adjust fromskew */
@@ -1751,7 +1751,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
{
uint32* cp1 = cp+w+toskew;
- int32 incr = 2*toskew+w;
+ const int64 incr = 2 * (int64)toskew + w;
(void) y;
fromskew = (fromskew * 10) / 4;
@@ -1873,7 +1873,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
{
uint32* cp2;
- int32 incr = 2*toskew+w;
+ const int64 incr = 2 * (int64)toskew + w;
(void) y;
fromskew = (fromskew / 2) * 6;
cp2 = cp+w+toskew;
@@ -1967,7 +1967,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr2
DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
{
uint32* cp2;
- int32 incr = 2*toskew+w;
+ const int64 incr = 2 * (int64)toskew + w;
(void) y;
fromskew = (fromskew / 2) * 4;
cp2 = cp+w+toskew;