Compare commits

...

No commits in common. "c8s" and "c8-beta" have entirely different histories.
c8s ... c8-beta

40 changed files with 32 additions and 284 deletions

View File

@ -0,0 +1 @@
a4e32d55afbbcabd0391a9c89995e8e8a19961de SOURCES/tiff-3.9.4.tar.gz

View File

@ -1 +0,0 @@
1

1
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/tiff-3.9.4.tar.gz SOURCES/tiff-3.9.4.tar.gz
/tiff-3.9.4.tar.gz

View File

@ -1,7 +1,7 @@
Summary: Compatibility package for libtiff 3 Summary: Compatibility package for libtiff 3
Name: compat-libtiff3 Name: compat-libtiff3
Version: 3.9.4 Version: 3.9.4
Release: 16%{?dist} Release: 13%{?dist}
License: libtiff License: libtiff
Group: System Environment/Libraries Group: System Environment/Libraries
@ -38,16 +38,6 @@ Patch31: libtiff-CVE-2013-4244.patch
Patch32: libtiff-CVE-2013-4243.patch Patch32: libtiff-CVE-2013-4243.patch
Patch33: libtiff-CVE-2018-7456.patch Patch33: libtiff-CVE-2018-7456.patch
Patch34: libtiff-coverity.patch Patch34: libtiff-coverity.patch
# from upstream, for <= 4.7.0, RHEL-112528
# https://gitlab.com/libtiff/libtiff/-/merge_requests/732.patch
Patch35: libtiff-3.9.4-CVE-2025-9900.patch
# from upstream, for <= 4.7.1, RHEL-159315
# https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
Patch36: libtiff-CVE-2026-4775.patch
# from upstream, RHEL-189375
# https://gitlab.com/libtiff/libtiff/-/commit/ba2b04b114c5dd945107ccc613cedfcca3af73bb
# https://gitlab.com/libtiff/libtiff/-/commit/f9bda11bf2fc819b971517582666d56f18b1bc3f
Patch37: libtiff-CVE-2026-12912.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel libjpeg-devel BuildRequires: zlib-devel libjpeg-devel
@ -64,39 +54,36 @@ to use the current version of libtiff.
%prep %prep
%setup -q -n tiff-%{version} %setup -q -n tiff-%{version}
%patch -P 1 -p1 %patch1 -p1
%patch -P 2 -p1 %patch2 -p1
%patch -P 3 -p1 %patch3 -p1
%patch -P 4 -p1 %patch4 -p1
%patch -P 5 -p1 %patch5 -p1
%patch -P 6 -p1 %patch6 -p1
%patch -P 7 -p1 %patch7 -p1
%patch -P 8 -p1 %patch8 -p1
%patch -P 9 -p1 %patch9 -p1
%patch -P 10 -p1 %patch10 -p1
%patch -P 11 -p1 %patch11 -p1
%patch -P 12 -p1 %patch12 -p1
%patch -P 13 -p1 %patch13 -p1
%patch -P 14 -p1 %patch14 -p1
%patch -P 15 -p1 %patch15 -p1
%patch -P 16 -p1 %patch16 -p1
%patch -P 17 -p1 %patch17 -p1
%patch -P 18 -p1 %patch18 -p1
%patch -P 19 -p1 %patch19 -p1
%patch -P 20 -p1 %patch20 -p1
%patch -P 21 -p1 %patch21 -p1
%patch -P 22 -p1 %patch22 -p1
%patch -P 27 -p1 %patch27 -p1
%patch -P 28 -p1 %patch28 -p1
%patch -P 29 -p1 %patch29 -p1
%patch -P 30 -p1 %patch30 -p1
%patch -P 31 -p1 %patch31 -p1
%patch -P 32 -p1 %patch32 -p1
%patch -P 33 -p1 %patch33 -p1
%patch -P 34 -p1 %patch34 -p1
%patch -P 35 -p1 -b .CVE-2025-9900
%patch -P 36 -p1 -b .CVE-2026-4775
%patch -P 37 -p1 -b .CVE-2026-12912
# Use build system's libtool.m4, not the one in the package. # Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4 rm -f libtool.m4
@ -141,16 +128,6 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libtiffxx.so.* %{_libdir}/libtiffxx.so.*
%changelog %changelog
* Sat Jun 27 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 3.9.4-16
- fix CVE-2026-12912: heap-buffer-overflow in PixarLog ABGR decoding
(RHEL-189375)
* Wed Apr 22 2026 Michal Hlavinka <mhlavink@redhat.com> - 3.9.4-15
- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159315)
* Thu Sep 25 2025 Michal Hlavinka <mhlavink@redhat.com> - 3.9.4-14
- fix CVE-2025-9900: Write-What-Where via TIFFReadRGBAImageOriented (RHEL-112528)
* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 3.9.4-13 * Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 3.9.4-13
- Fix important Covscan defects - Fix important Covscan defects
related: #1687584 related: #1687584

View File

@ -1,6 +0,0 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

View File

@ -1,36 +0,0 @@
diff -up tiff-3.9.4/libtiff/tif_getimage.c.CVE-2025-9900 tiff-3.9.4/libtiff/tif_getimage.c
--- tiff-3.9.4/libtiff/tif_getimage.c.CVE-2025-9900 2025-09-25 11:57:46.726133686 +0200
+++ tiff-3.9.4/libtiff/tif_getimage.c 2025-09-25 12:03:23.139263767 +0200
@@ -458,6 +458,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uin
"No \"put\" routine setupl; probably can not handle image format");
return (0);
}
+ /* Verify raster width and height against image width and height. */
+ if (h > img->height)
+ {
+ /* Adapt parameters to read only available lines and put image at
+ * the bottom of the raster. */
+ raster += (size_t)(h - img->height) * w;
+ h = img->height;
+ }
+ if (w > img->width)
+ {
+ TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
+ "Raster width of %d shall not be larger than image "
+ "width of %d -> raster width adapted for reading",
+ w, img->width);
+ w = img->width;
+ }
return (*img->get)(img, raster, w, h);
}
@@ -477,8 +493,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
img.req_orientation = orientation;
/* XXX verify rwidth and rheight against width and height */
- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
- rwidth, img.height);
+ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
TIFFRGBAImageEnd(&img);
} else {
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);

View File

@ -1,107 +0,0 @@
From 3bddf1548c274f4efaf113af871d87688dd605ab Mon Sep 17 00:00:00 2001
From: waugustus <wangdw.augustus@qq.com>
Date: Thu, 23 Apr 2026 17:05:53 +0800
Subject: [PATCH 1/2] pixarlog: fix heap-buffer-overflow in 8BITABGR decode
with stride 3 (#824)
---
libtiff/tif_pixarlog.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index a4c932cb..447244d3 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -746,6 +746,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
llen = sp->stride * td->td_imagewidth;
+ /* Fix: ABGR with stride=3 expands 3 samples to 4 output bytes per pixel */
+ if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3)
+ {
+ tsize_t required = (tsize_t)td->td_imagewidth * 4;
+ if (occ < required)
+ {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Output buffer too small for PixarLog ABGR data");
+ memset(op, 0, (size_t)occ);
+ return (0);
+ }
+ }
+
(void) s;
assert(sp != NULL);
sp->stream.next_out = (unsigned char *) sp->tbuf;
@@ -825,7 +838,10 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
case PIXARLOGDATAFMT_8BITABGR:
horizontalAccumulate8abgr(up, llen, sp->stride,
(unsigned char *)op, sp->ToLinear8);
- op += llen * sizeof(unsigned char);
+ if (sp->stride == 3)
+ op += td->td_imagewidth * 4;
+ else
+ op += llen * sizeof(unsigned char);
break;
default:
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
--
2.52.0
From c29a602200eb255f69587a35ef0c5a9f68c0ad8e Mon Sep 17 00:00:00 2001
From: waugustus <wangdw.augustus@qq.com>
Date: Thu, 7 May 2026 12:48:42 +0800
Subject: [PATCH 2/2] pixarlog: complete ABGR bounds check for multi-row strip
decoding
---
libtiff/tif_pixarlog.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 447244d3..993e1f33 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -750,6 +750,12 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3)
{
tsize_t required = (tsize_t)td->td_imagewidth * 4;
+ tsize_t max_rows;
+ tsize_t max_nsamples;
+
+ /*
+ * Ensure at least one expanded output row fits.
+ */
if (occ < required)
{
TIFFErrorExt(tif->tif_clientdata, module,
@@ -757,6 +763,26 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
memset(op, 0, (size_t)occ);
return (0);
}
+
+ /*
+ * PixarLogDecode() may process multiple rows per call
+ * (e.g. strip decoding). Limit nsamples so the total
+ * output written by the loop below never exceeds occ.
+ */
+ max_rows = occ / required;
+ max_nsamples = max_rows * llen;
+
+ /*
+ * Truncate excess rows to preserve as much decoded data
+ * as possible while avoiding output buffer overflow.
+ */
+ if (nsamples > max_nsamples)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "PixarLog ABGR decode truncated to avoid "
+ "output buffer overflow");
+ nsamples = max_nsamples;
+ }
}
(void) s;
--
2.52.0

View File

@ -1,39 +0,0 @@
diff -up tiff-3.9.4/libtiff/tif_getimage.c.CVE-2026-4775 tiff-3.9.4/libtiff/tif_getimage.c
--- tiff-3.9.4/libtiff/tif_getimage.c.CVE-2026-4775 2026-04-22 13:16:40.507960671 +0200
+++ tiff-3.9.4/libtiff/tif_getimage.c 2026-04-22 13:19:48.732219288 +0200
@@ -1656,7 +1656,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
uint32* cp1 = cp+w+toskew;
uint32* cp2 = cp1+w+toskew;
uint32* cp3 = cp2+w+toskew;
- int32 incr = 3*w+4*toskew;
+ const int64 incr = 3 * (int64)w + 4 * (int64)toskew;
(void) y;
/* adjust fromskew */
@@ -1751,7 +1751,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
{
uint32* cp1 = cp+w+toskew;
- int32 incr = 2*toskew+w;
+ const int64 incr = 2 * (int64)toskew + w;
(void) y;
fromskew = (fromskew * 10) / 4;
@@ -1873,7 +1873,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
{
uint32* cp2;
- int32 incr = 2*toskew+w;
+ const int64 incr = 2 * (int64)toskew + w;
(void) y;
fromskew = (fromskew / 2) * 6;
cp2 = cp+w+toskew;
@@ -1967,7 +1967,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr2
DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
{
uint32* cp2;
- int32 incr = 2*toskew+w;
+ const int64 incr = 2 * (int64)toskew + w;
(void) y;
fromskew = (fromskew / 2) * 4;
cp2 = cp+w+toskew;

View File

@ -1,39 +0,0 @@
---
summary: Tier1 plan for compat-libtiff3
discover:
how: fmf
url: https://pkgs.devel.redhat.com/git/tests/compat-libtiff3
ref: master
filter: tier:1
prepare:
- how: shell
script: |
set -euxo pipefail
ENABLE_REPO_CMD="yum-config-manager --enable"
if command -v dnf >/dev/null 2>&1; then
ENABLE_REPO_CMD="dnf config-manager --set-enabled"
fi
${ENABLE_REPO_CMD} beaker-tasks || :
- how: shell
script: |
set -exuo pipefail
if [[ -f /etc/os-release ]]; then
. /etc/os-release
if [[ "${ID:-}" == "rhel" && "${VERSION_ID%%.*}" -ge 8 ]]; then
dnf config-manager --enable rhel-CRB
fi
fi
execute:
how: tmt
adjust:
enabled: false
when: distro == centos-stream or distro == fedora

View File

@ -1 +0,0 @@
SHA512 (tiff-3.9.4.tar.gz) = 928502edaf67a6565b0cc451d5105e4de17978f35aed6b95d21765c2a47102560ca38cd2f91f475e1073141172a0aa616e17000e78e14eb79a8ef9ba4a55b756