From 1d8f0e982d3beff79b63559640b7bd578109ceaf Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Mon, 5 May 2025 17:16:23 +0200 Subject: [PATCH] backport documentation change for CVE-2023-52355 (RHEL-17328) Resolves: RHEL-17328 --- libtiff-4.4.0-cve2023-52355.patch | 596 ++++++++++++++++++++++++++++++ libtiff.spec | 12 +- 2 files changed, 607 insertions(+), 1 deletion(-) create mode 100644 libtiff-4.4.0-cve2023-52355.patch diff --git a/libtiff-4.4.0-cve2023-52355.patch b/libtiff-4.4.0-cve2023-52355.patch new file mode 100644 index 0000000..96fa881 --- /dev/null +++ b/libtiff-4.4.0-cve2023-52355.patch @@ -0,0 +1,596 @@ +diff -up tiff-4.4.0/html/libtiff.html.cvedoc tiff-4.4.0/html/libtiff.html +--- tiff-4.4.0/html/libtiff.html.cvedoc 2022-02-19 16:33:54.000000000 +0100 ++++ tiff-4.4.0/html/libtiff.html 2025-05-05 15:46:15.541350830 +0200 +@@ -127,11 +127,16 @@ +

+

+ To deal with segmented pointer issues libtiff also provides +- _TIFFmemcpy, _TIFFmemset, and _TIFFmemmove ++ _TIFFmemcpy, _TIFFmemset, and _TIFFmemcmp + routines that mimic the equivalent ANSI C routines, but that are + intended for use with memory allocated through _TIFFmalloc + and _TIFFrealloc. +

++

++ With libtiff 4.5 a method was introduced to limit the internal ++ memory allocation that functions are allowed to request per call ++ (see TIFFOpenOptionsSetMaxSingleMemAlloc and TIFFOpenExt). ++

+
+

Error Handling

+

+@@ -143,6 +148,11 @@ + Likewise warning messages are directed to a single handler routine + that can be specified with a call to TIFFSetWarningHandler +

++

++ Further application-specific and per-TIFF handle (re-entrant) error handler ++ and warning handler can be set. Please refer to TIFFError ++ and TIFFOpenOptions. ++

+
+

Basic File Handling

+

+@@ -155,7 +165,7 @@ + main()
+ {
+     TIFF* tif = TIFFOpen("foo.tif", "r");
+-     ... do stuff ...
++     /* ... do stuff ... */
+     TIFFClose(tif);
+ } +

+@@ -196,6 +206,27 @@ + buffered information to a file. Note that if you call TIFFClose + you do not need to call TIFFFlush. +

++

++ ++ ++ ++ ++ ++
In order to prevent out-of-memory issues when opening a TIFF file ++ TIFFOpenExt can be used and then the maximum single memory ++ limit in byte that libtiff internal memory allocation functions ++ are allowed to request per call can be set with ++ TIFFOpenOptionsSetMaxSingleMemAlloc.
++

++Example: ++

++ tmsize_t limit = (256 * 1024 * 1024);
++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
++ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);
++ TIFFOpenOptionsFree(opts);
++ /* ... go on here ... */
++

+
+

TIFF Directories

+

+diff -up tiff-4.4.0/html/man/Makefile.am.cvedoc tiff-4.4.0/html/man/Makefile.am +--- tiff-4.4.0/html/man/Makefile.am.cvedoc 2025-05-05 15:46:15.492346180 +0200 ++++ tiff-4.4.0/html/man/Makefile.am 2025-05-05 15:49:32.759368119 +0200 +@@ -38,6 +38,7 @@ docfiles = \ + TIFFcodec.3tiff.html \ + TIFFcolor.3tiff.html \ + TIFFDataWidth.3tiff.html \ ++ TIFFDeferStrileArrayWriting.3tiff.html \ + TIFFError.3tiff.html \ + TIFFFieldDataType.3tiff.html \ + TIFFFieldName.3tiff.html \ +@@ -49,6 +50,7 @@ docfiles = \ + TIFFGetField.3tiff.html \ + TIFFmemory.3tiff.html \ + TIFFOpen.3tiff.html \ ++ TIFFOpenOptions.3tiff.html \ + TIFFPrintDirectory.3tiff.html \ + TIFFquery.3tiff.html \ + TIFFReadDirectory.3tiff.html \ +@@ -66,6 +68,7 @@ docfiles = \ + TIFFSetField.3tiff.html \ + TIFFsize.3tiff.html \ + TIFFstrip.3tiff.html \ ++ TIFFStrileQuery.3tiff.html \ + TIFFswab.3tiff.html \ + TIFFtile.3tiff.html \ + TIFFWarning.3tiff.html \ +diff -up tiff-4.4.0/man/Makefile.am.cvedoc tiff-4.4.0/man/Makefile.am +--- tiff-4.4.0/man/Makefile.am.cvedoc 2025-05-05 15:46:42.027712039 +0200 ++++ tiff-4.4.0/man/Makefile.am 2025-05-05 15:48:31.730675076 +0200 +@@ -51,6 +51,7 @@ dist_man3_MANS = \ + TIFFcodec.3tiff \ + TIFFcolor.3tiff \ + TIFFDataWidth.3tiff \ ++ TIFFDeferStrileArrayWriting.3tiff \ + TIFFError.3tiff \ + TIFFFieldDataType.3tiff \ + TIFFFieldName.3tiff \ +@@ -62,6 +63,7 @@ dist_man3_MANS = \ + TIFFGetField.3tiff \ + TIFFmemory.3tiff \ + TIFFOpen.3tiff \ ++ TIFFOpenOptions.3tiff \ + TIFFPrintDirectory.3tiff \ + TIFFquery.3tiff \ + TIFFReadDirectory.3tiff \ +@@ -79,6 +81,7 @@ dist_man3_MANS = \ + TIFFSetField.3tiff \ + TIFFsize.3tiff \ + TIFFstrip.3tiff \ ++ TIFFStrileQuery.3tiff \ + TIFFswab.3tiff \ + TIFFtile.3tiff \ + TIFFWarning.3tiff \ +diff -up tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff.cvedoc tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff +--- tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff.cvedoc 2025-05-05 15:46:15.541666402 +0200 ++++ tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff 2025-05-05 15:46:15.541666402 +0200 +@@ -0,0 +1,108 @@ ++.\" Man page generated from reStructuredText. ++. ++. ++.nr rst2man-indent-level 0 ++. ++.de1 rstReportMargin ++\\$1 \\n[an-margin] ++level \\n[rst2man-indent-level] ++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] ++- ++\\n[rst2man-indent0] ++\\n[rst2man-indent1] ++\\n[rst2man-indent2] ++.. ++.de1 INDENT ++.\" .rstReportMargin pre: ++. RS \\$1 ++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] ++. nr rst2man-indent-level +1 ++.\" .rstReportMargin post: ++.. ++.de UNINDENT ++. RE ++.\" indent \\n[an-margin] ++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.nr rst2man-indent-level -1 ++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u ++.. ++.TH "TIFFDEFERSTRILEARRAYWRITING" "3tiff" "Apr 30, 2025" "4.7" "LibTIFF" ++.SH NAME ++TIFFDeferStrileArrayWriting \- defer strile array writing ++.SH SYNOPSIS ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++#include ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B int TIFFDeferStrileArrayWriting(TIFF *tif) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B int TIFFForceStrileArrayWriting(TIFF *tif) ++.UNINDENT ++.SH DESCRIPTION ++.sp ++\fI\%TIFFDeferStrileArrayWriting()\fP is an advanced writing function ++that must be used in a particular sequence, and generally together ++with \fI\%TIFFForceStrileArrayWriting()\fP, to achieve its intended ++effect. Their aim is to control when and where the ++\fBStripOffsets\fP / \fBStripByteCounts\fP or \fBTileOffsets\fP / \fBTileByteCounts\fP ++arrays are written into the file. ++.sp ++The purpose of this is to generate \(aqcloud\-optimized geotiff\(aq files where ++the first KB of the file only contain the IFD entries without the potentially ++large strile arrays. Those are written afterwards. ++.sp ++More precisely, when TIFFWriteCheck() is called, the tag entries for ++those arrays will be written with type = count = offset = 0 as a temporary value. ++.sp ++Its effect is only valid for the current directory, and before ++TIFFWriteDirectory() is first called, and will be reset ++when changing directory. ++.sp ++The typical sequence of calls is: ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++TIFFOpen() ++/* or TIFFCreateDirectory(tif) */ ++/* Set fields with calls to TIFFSetField(tif, ...) */ ++TIFFDeferStrileArrayWriting(tif) ++TIFFWriteCheck(tif, ...) ++TIFFWriteDirectory(tif) ++/* ... potentially create other directories and come back to the above directory */ ++TIFFForceStrileArrayWriting(tif) /* emit the arrays at the end of file */ ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.SH RETURNS ++.sp ++1 in case of success, 0 otherwise. ++.SH DIAGNOSTICS ++.sp ++All error messages are directed to the TIFFErrorExtR() routine. ++Likewise, warning messages are directed to the TIFFWarningExtR() routine. ++.SH NOTE ++.sp ++This functionality was introduced with libtiff 4.1. ++.SH SEE ALSO ++.sp ++\fI\%libtiff\fP (3tiff) ++.SH AUTHOR ++LibTIFF contributors ++.SH COPYRIGHT ++1988-2025, LibTIFF contributors ++.\" Generated by docutils manpage writer. ++. +diff -up tiff-4.4.0/man/TIFFError.3tiff.cvedoc tiff-4.4.0/man/TIFFError.3tiff +--- tiff-4.4.0/man/TIFFError.3tiff.cvedoc 2022-02-19 16:33:55.000000000 +0100 ++++ tiff-4.4.0/man/TIFFError.3tiff 2025-05-05 15:46:15.541755008 +0200 +@@ -56,6 +56,11 @@ to override the default error handler. + A + .SM NULL + (0) error handling function may be installed to suppress error messages. ++.PP ++Please refer to ++.IR TIFFOpenOptions ++for how to setup the ++application-specific handler introduced with libtiff 4.5. + .SH "RETURN VALUES" + .IR TIFFSetErrorHandler + returns a reference to the previous error handling function. +diff -up tiff-4.4.0/man/TIFFOpen.3tiff.cvedoc tiff-4.4.0/man/TIFFOpen.3tiff +--- tiff-4.4.0/man/TIFFOpen.3tiff.cvedoc 2022-02-19 16:33:55.000000000 +0100 ++++ tiff-4.4.0/man/TIFFOpen.3tiff 2025-05-05 15:46:15.541863922 +0200 +@@ -94,6 +94,27 @@ To alter these values, or to define valu + .IR TIFFSetField (3TIFF) + must be used. + .PP ++.IR TIFFOpenExt ++(added in libtiff 4.5) is like ++.IR TIFFOpen ++, but options, such as re-entrant error and warning handlers and a limit in byte ++that libtiff internal memory allocation functions are allowed to request per call ++may be passed with the opts argument. The opts argument may be NULL. ++Refer to ++.IR TIFFOpenOptions ++for allocating and filling the opts argument ++parameters. The allocated memory for ++.IR TIFFOpenOptions ++can be released straight after successful execution of the related ++"TIFFOpenExt" functions. ++.PP ++.IR TIFFFdOpenExt ++(added in libtiff 4.5) is like ++.IR TIFFFdOpen ++, but options argument opts like for ++.IR TIFFOpenExt ++can be passed. ++.PP + .IR TIFFFdOpen + is like + .IR TIFFOpen +diff -up tiff-4.4.0/man/TIFFOpenOptions.3tiff.cvedoc tiff-4.4.0/man/TIFFOpenOptions.3tiff +--- tiff-4.4.0/man/TIFFOpenOptions.3tiff.cvedoc 2025-05-05 15:46:15.541984178 +0200 ++++ tiff-4.4.0/man/TIFFOpenOptions.3tiff 2025-05-05 15:46:15.541984178 +0200 +@@ -0,0 +1,189 @@ ++.\" Man page generated from reStructuredText. ++. ++. ++.nr rst2man-indent-level 0 ++. ++.de1 rstReportMargin ++\\$1 \\n[an-margin] ++level \\n[rst2man-indent-level] ++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] ++- ++\\n[rst2man-indent0] ++\\n[rst2man-indent1] ++\\n[rst2man-indent2] ++.. ++.de1 INDENT ++.\" .rstReportMargin pre: ++. RS \\$1 ++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] ++. nr rst2man-indent-level +1 ++.\" .rstReportMargin post: ++.. ++.de UNINDENT ++. RE ++.\" indent \\n[an-margin] ++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.nr rst2man-indent-level -1 ++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u ++.. ++.TH "TIFFOPENOPTIONS" "3tiff" "Apr 30, 2025" "4.7" "LibTIFF" ++.SH NAME ++TIFFOpenOptions \- open a TIFF file for reading or writing ++.SH SYNOPSIS ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++#include ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B typedef \fI\%TIFFOpenOptions\fP TIFFOpenOptions ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B \fI\%TIFFOpenOptions\fP *TIFFOpenOptionsAlloc(void) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsFree(\fI\%TIFFOpenOptions\fP*) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetMaxSingleMemAlloc(\fI\%TIFFOpenOptions\fP *opts, tmsize_t max_single_mem_alloc) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetMaxCumulatedMemAlloc(\fI\%TIFFOpenOptions\fP *opts, tmsize_t max_cumulated_mem_alloc) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetErrorHandlerExtR(\fI\%TIFFOpenOptions\fP *opts, \X'tty: link #c.TIFFErrorHandlerExtR'\fI\%TIFFErrorHandlerExtR\fP\X'tty: link' handler, void *errorhandler_user_data) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetWarningHandlerExtR(\fI\%TIFFOpenOptions\fP *opts, \X'tty: link #c.TIFFErrorHandlerExtR'\fI\%TIFFErrorHandlerExtR\fP\X'tty: link' handler, void *warnhandler_user_data) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetWarnAboutUnknownTags(\fI\%TIFFOpenOptions\fP *opts, int warn_about_unknown_tags) ++.UNINDENT ++.SH DESCRIPTION ++.sp ++\fI\%TIFFOpenOptions\fP is an opaque structure which can be passed ++to the TIFF open\(dqExt\(dq functions to define some \fBlibtiff\fP internal settings. ++The settings are the maximum single memory allocation limit and ++per\-TIFF handle (re\-entrant) error handler and warning handler functions. ++For those handler a pointer to a \fBcustom defined data structure\fP \fIuser_data\fP ++can be given along. ++.sp ++\fI\%TIFFOpenOptionsAlloc()\fP allocates memory for the \fI\%TIFFOpenOptions\fP ++opaque structure and returns a \fI\%TIFFOpenOptions\fP pointer. ++.sp ++\fI\%TIFFOpenOptionsFree()\fP releases the allocated memory for ++\fI\%TIFFOpenOptions\fP\&. The allocated memory for \fI\%TIFFOpenOptions\fP ++can be released straight after successful execution of the related ++TIFFOpen\(dqExt\(dq functions like \X'tty: link #c.TIFFOpenExt'\fI\%TIFFOpenExt()\fP\X'tty: link'\&. ++.sp ++\fI\%TIFFOpenOptionsSetMaxSingleMemAlloc()\fP (added in libtiff 4.5.0) sets ++the value for the maximum single memory limit in byte that \fBlibtiff\fP internal ++memory allocation functions are allowed to request per call. ++.sp ++\fBNOTE:\fP ++.INDENT 0.0 ++.INDENT 3.5 ++However, the \fBlibtiff\fP external functions \X'tty: link #c._TIFFmalloc'\fI\%_TIFFmalloc()\fP\X'tty: link' ++and \X'tty: link #c._TIFFrealloc'\fI\%_TIFFrealloc()\fP\X'tty: link' \fBdo not apply\fP this internal memory ++allocation limit set by \fI\%TIFFOpenOptionsSetMaxSingleMemAlloc()\fP! ++.UNINDENT ++.UNINDENT ++.sp ++\fI\%TIFFOpenOptionsSetMaxCumulatedMemAlloc()\fP (added in libtiff 4.6.1) sets ++the maximum cumulated memory allocations in byte, for a given TIFF handle, ++that \fBlibtiff\fP internal memory allocation functions are allowed. ++.sp ++\fBNOTE:\fP ++.INDENT 0.0 ++.INDENT 3.5 ++However, the \fBlibtiff\fP external functions \X'tty: link #c._TIFFmalloc'\fI\%_TIFFmalloc()\fP\X'tty: link' ++and \X'tty: link #c._TIFFrealloc'\fI\%_TIFFrealloc()\fP\X'tty: link' \fBdo not apply\fP this internal memory ++allocation limit set by \fI\%TIFFOpenOptionsSetMaxCumulatedMemAlloc()\fP! ++.UNINDENT ++.UNINDENT ++.sp ++\fI\%TIFFOpenOptionsSetErrorHandlerExtR()\fP sets the function pointer to ++an application\-specific and per\-TIFF handle (re\-entrant) error handler. ++Furthermore, a pointer to a \fBcustom defined data structure\fP \fIerrorhandler_user_data\fP ++can be passed. This error handler is invoked through \X'tty: link #c.TIFFErrorExtR'\fI\%TIFFErrorExtR()\fP\X'tty: link' ++and the \fIerrorhandler_user_data\fP pointer is given along. ++The \fIerrorhandler_user_data\fP argument may be NULL. ++.sp ++\fI\%TIFFOpenOptionsSetWarningHandlerExtR()\fP works like ++\fI\%TIFFOpenOptionsSetErrorHandlerExtR()\fP but for the warning handler, ++which is invoked through \X'tty: link #c.TIFFWarningExtR'\fI\%TIFFWarningExtR()\fP\X'tty: link' ++.sp ++\fI\%TIFFOpenOptionsSetWarnAboutUnknownTags()\fP sets whether libtiff should ++emit a warning when encountering a unknown tag. This function has been added in ++libtiff 4.7.1 and the default value is FALSE (change of behaviour compared to ++earlier versions). ++.SH EXAMPLE ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++#include \(dqtiffio.h\(dq ++ ++typedef struct MyErrorHandlerUserDataStruct ++{ ++ /* ... any user data structure ... */ ++} MyErrorHandlerUserDataStruct; ++ ++static int myErrorHandler(TIFF *tiff, void *user_data, const char *module, ++ const char *fmt, va_list ap) ++{ ++ MyErrorHandlerUserDataStruct *errorhandler_user_data = ++ (MyErrorHandlerUserDataStruct *)user_data; ++ /*... code of myErrorHandler ...*/ ++ return 1; ++} ++ ++ ++main() ++{ ++ tmsize_t limit = (256 * 1024 * 1024); ++ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */}; ++ ++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); ++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); ++ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data); ++ TIFF *tif = TIFFOpenExt(\(dqfoo.tif\(dq, \(dqr\(dq, opts); ++ TIFFOpenOptionsFree(opts); ++ /* ... go on here ... */ ++ ++ TIFFClose(tif); ++} ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.SH NOTE ++.sp ++This functionality was introduced with libtiff 4.5. ++.SH SEE ALSO ++.sp ++\fI\%libtiff\fP (3tiff), ++\fI\%TIFFOpen\fP (3tiff), ++\fI\%TIFFError\fP (3tiff), ++\fI\%TIFFWarning\fP (3tiff) ++.SH AUTHOR ++LibTIFF contributors ++.SH COPYRIGHT ++1988-2025, LibTIFF contributors ++.\" Generated by docutils manpage writer. ++. +diff -up tiff-4.4.0/man/TIFFStrileQuery.3tiff.cvedoc tiff-4.4.0/man/TIFFStrileQuery.3tiff +--- tiff-4.4.0/man/TIFFStrileQuery.3tiff.cvedoc 2025-05-05 15:46:15.542083764 +0200 ++++ tiff-4.4.0/man/TIFFStrileQuery.3tiff 2025-05-05 15:46:15.542083764 +0200 +@@ -0,0 +1,117 @@ ++.\" Man page generated from reStructuredText. ++. ++. ++.nr rst2man-indent-level 0 ++. ++.de1 rstReportMargin ++\\$1 \\n[an-margin] ++level \\n[rst2man-indent-level] ++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] ++- ++\\n[rst2man-indent0] ++\\n[rst2man-indent1] ++\\n[rst2man-indent2] ++.. ++.de1 INDENT ++.\" .rstReportMargin pre: ++. RS \\$1 ++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] ++. nr rst2man-indent-level +1 ++.\" .rstReportMargin post: ++.. ++.de UNINDENT ++. RE ++.\" indent \\n[an-margin] ++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.nr rst2man-indent-level -1 ++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u ++.. ++.TH "TIFFSTRILEQUERY" "3tiff" "Apr 30, 2025" "4.7" "LibTIFF" ++.SH NAME ++TIFFStrileQuery \- get strile byte count and offset ++.SH SYNOPSIS ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++#include ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile); ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B uint64_t TIFFGetStrileOffset(TIFF *tif, uint32_t strile); ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B uint64_t TIFFGetStrileByteCountWithErr(TIFF *tif, uint32_t strile, int *pbErr); ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B uint64_t TIFFGetStrileOffsetWithErr(TIFF *tif, uint32_t strile, int *pbErr); ++.UNINDENT ++.SH DESCRIPTION ++.sp ++Make defer strile offset/bytecount loading available at runtime ++and add per\-strile offset/bytecount loading capabilities. Part of ++this commit makes the behaviour that was previously met when \fBlibtiff\fP ++was compiled with \fB\-DDEFER_STRILE_LOAD\fP available for default builds. ++.sp ++When specifying the new \fBD\fP (Deferred) \X'tty: link #c.TIFFOpen'\fI\%TIFFOpen()\fP\X'tty: link' flag, ++the loading of strile offset/bytecount is defered. ++In that mode, the \fBStripOffsets\fP / \fBStripByteCounts\fP or ++\fBTileOffsets\fP / \fBTileByteCounts\fP arrays are only loaded when first ++accessed. This can speed\-up the opening of files stored on the network ++when just metadata retrieval is needed. ++.sp ++Another addition is the capability of loading only the values of ++the offset/bytecount of the strile of interest instead of the ++whole array. This is enabled with the new \fBO\fP (Ondemand) flag of ++\X'tty: link #c.TIFFOpen'\fI\%TIFFOpen()\fP\X'tty: link' (which implies \fBD\fP). ++.sp ++The public \fI\%TIFFGetStrileOffset()\fP, \fI\%TIFFGetStrileOffsetWithErr()\fP, ++\fI\%TIFFGetStrileByteCount()\fP and \fI\%TIFFGetStrileByteCountWithErr()\fP ++functions have been added to API. ++They are of particular interest when using sparse files (with ++\fBoffset == bytecount == 0\fP) and you want to detect if a strile is ++present or not without decompressing the data, or updating an ++existing sparse file. ++.sp ++\fI\%TIFFGetStrileByteCount()\fP returns the value of the TileByteCounts / ++StripByteCounts array for the specified tile/strile. ++.sp ++\fI\%TIFFGetStrileByteCountWithErr()\fP additionally provides \fIpbErr\fP ++as an \fIint\fP pointer to an error return variable, ++which is set to \(dq0\(dq for successful return or to \(dq1\(dq for an error return. ++.sp ++\fI\%TIFFGetStrileOffset()\fP returns the value of the TileOffsets / ++StripOffsets array for the specified tile/strile. ++.sp ++\fI\%TIFFGetStrileOffsetWithErr()\fP additionally provides \fIpbErr\fP ++as an \fIint\fP pointer to an error return variable, ++which is set to \(dq0\(dq for successful return or to \(dq1\(dq for an error return. ++.SH DIAGNOSTICS ++.sp ++All error messages are directed to the \X'tty: link #c.TIFFErrorExtR'\fI\%TIFFErrorExtR()\fP\X'tty: link' routine. ++Likewise, warning messages are directed to the \X'tty: link #c.TIFFWarningExtR'\fI\%TIFFWarningExtR()\fP\X'tty: link' routine. ++.SH NOTE ++.sp ++This functionality was introduced with libtiff 4.1. ++.SH SEE ALSO ++.sp ++\fI\%libtiff\fP (3tiff), ++\fI\%TIFFOpen\fP (3tiff), ++\fI\%TIFFDeferStrileArrayWriting\fP (3tiff) ++.SH AUTHOR ++LibTIFF contributors ++.SH COPYRIGHT ++1988-2025, LibTIFF contributors ++.\" Generated by docutils manpage writer. ++. diff --git a/libtiff.spec b/libtiff.spec index d314974..d2eb1c5 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.4.0 -Release: 14%{?dist} +Release: 15%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -42,6 +42,7 @@ Patch23: libtiff-4.6.0-CVE-2024-7006.patch # from upstream, for <=4.6.0, RHEL-17337 # https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch Patch24: libtiff-4.4.0-CVE-2023-52356.patch +Patch25: libtiff-4.4.0-cve2023-52355.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel @@ -103,6 +104,12 @@ autoheader %build export CFLAGS="%{optflags} -fno-strict-aliasing" %configure --enable-ld-version-script + +# have to regenerate missing/patched htmldoc before calling make +pushd html/man +make htmldoc +popd + %make_build %install @@ -194,6 +201,9 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Mon May 05 2025 Michal Hlavinka - 4.4.0-15 +- backport documentation change for CVE-2023-52355 (RHEL-17328) + * Tue Apr 22 2025 Michal Hlavinka - 4.4.0-14 - fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-17337)