Fix CVE-2025-8176: off-by-one error in tiffdither and tiffmedian

Backport upstream fix for CVE-2025-8176 to prevent skipping the first line of input images in tiffdither and tiffmedian tools. The patch corrects loop initialization and scanline writing parameters to ensure all image lines are processed correctly. CVE: CVE-2025-8176 Upstream fix: fe10872e53.patch Resolves: RHEL-120230 This commit was backported by Jotnar, a Red Hat Enterprise Linux software maintenance AI agent. Assisted-by: Jotnar
2025-11-03 08:46:29 +00:00 · 2025-11-03 08:46:29 +00:00 · 33d4233efd
commit 33d4233efd
parent 321421fc81
2 changed files with 79 additions and 1 deletions
--- a/RHEL-120230.patch
+++ b/RHEL-120230.patch
@ -0,0 +1,70 @@
+From 0117a16f9c0b6e3462b8547fa56ea90f3e198b10 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH] Don't skip the first line of the input image. Addresses issue
+ #703
+
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 9 ++++++---
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index 247553c..cc41c51 100644
+--- a/tools/tiffdither.c
+++ b/tools/tiffdither.c
+@@ -93,7 +93,7 @@ fsdither(TIFF* in, TIFF* out)
+ 	nextptr = nextline;
+ 	for (j = 0; j < imagewidth; ++j)
+ 		*nextptr++ = *inptr++;
+-	for (i = 1; i < imagelength; ++i) {
+	for (i = 0; i < imagelength; ++i) {
+ 		tmpptr = thisline;
+ 		thisline = nextline;
+ 		nextline = tmpptr;
+@@ -136,7 +136,7 @@ fsdither(TIFF* in, TIFF* out)
+ 					nextptr[0] += v / 16;
+ 			}
+ 		}
+-		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+		if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ 			goto skip_on_error;
+ 	}
+ 	goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index f0c892e..99fd1f2 100644
+--- a/tools/tiffmedian.c
+++ b/tools/tiffmedian.c
+@@ -370,7 +370,10 @@ get_histogram(TIFF* in, Colorbox* box)
+ 	}
+ 	for (i = 0; i < imagelength; i++) {
+ 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-			break;
+		{
+			fprintf(stderr, "Error reading scanline\n");
+			exit(EXIT_FAILURE);
+		}
+ 		inptr = inputline;
+ 		for (j = imagewidth; j-- > 0;) {
+ 			red = (*inptr++) & 0xff >> COLOR_SHIFT;
+@@ -829,7 +832,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+ 	outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+ 
+ 	GetInputLine(in, 0, goto bad);		/* get first line */
+-	for (i = 1; i <= imagelength; ++i) {
+	for (i = 0; i < imagelength; ++i) {
+ 		SWAP(short *, thisline, nextline);
+ 		lastline = (i >= imax);
+ 		if (i <= imax)
+@@ -900,7 +903,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+ 				nextptr += 3;
+ 			}
+ 		}
+-		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+		if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ 			break;
+ 	}
+ bad:
+-- 
+2.47.3
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       35%{?dist}
+Release:       36%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@ -67,6 +67,10 @@ Patch45:       libtiff-4.0.9-CVE-2017-17095.patch
 # CVE-2025-9900
 Patch46:       RHEL-112533.patch

+# Fix skipping first line of input image in tiffdither and tiffmedian, RHEL-120230
+# CVE-2025-8176
+Patch47:       RHEL-120230.patch
+
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
@ -219,6 +223,10 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Mon Nov 03 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.0.9-36
+- fix CVE-2025-8176: prevent skipping first line in tiffdither and
+  tiffmedian tools (RHEL-120230)
+
 * Tue Oct 14 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.0.9-35
 - fix CVE-2025-9900: buffer underflow crash in TIFFReadRGBAImageOriented()
  (RHEL-112533)