From 33d4233efd676f7a91b50acecae7b144133a24d9 Mon Sep 17 00:00:00 2001
From: RHEL Packaging Agent
Date: Mon, 3 Nov 2025 08:46:29 +0000
Subject: [PATCH] Fix CVE-2025-8176: off-by-one error in tiffdither and tiffmedian
Backport upstream fix for CVE-2025-8176 to prevent skipping the first line of input images in tiffdither and tiffmedian tools. The patch corrects loop initialization and scanline writing parameters to ensure all image lines are processed correctly.
CVE: CVE-2025-8176
Upstream fix: https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172.patch
Resolves: RHEL-120230
This commit was backported by Jotnar, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Jotnar
---
 RHEL-120230.patch | 70 +++++++++++++++++++++++++++++++++++++++++++++++
 libtiff.spec | 10 ++++++-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 RHEL-120230.patch
diff --git a/RHEL-120230.patch b/RHEL-120230.patch
new file mode 100644
index 0000000..94bb184
--- /dev/null
+++ b/RHEL-120230.patch
@@ -0,0 +1,70 @@
+From 0117a16f9c0b6e3462b8547fa56ea90f3e198b10 Mon Sep 17 00:00:00 2001
+From: Lee Howard
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH] Don't skip the first line of the input image. Addresses issue
+ #703
+
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 9 ++++++---
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index 247553c..cc41c51 100644
+--- a/tools/tiffdither.c
++++ b/tools/tiffdither.c
+@@ -93,7 +93,7 @@ fsdither(TIFF* in, TIFF* out)
+ nextptr = nextline;
+ for (j = 0; j < imagewidth; ++j)
+ *nextptr++ = *inptr++;
+- for (i = 1; i < imagelength; ++i) {
++ for (i = 0; i < imagelength; ++i) {
+ tmpptr = thisline;
+ thisline = nextline;
+ nextline = tmpptr;
+@@ -136,7 +136,7 @@ fsdither(TIFF* in, TIFF* out)
+ nextptr[0] += v / 16;
+ }
+ }
+- if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ goto skip_on_error;
+ }
+ goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index f0c892e..99fd1f2 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -370,7 +370,10 @@ get_histogram(TIFF* in, Colorbox* box)
+ }
+ for (i = 0; i < imagelength; i++) {
+ if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+- break;
++ {
++ fprintf(stderr, "Error reading scanline\n");
++ exit(EXIT_FAILURE);
++ }
+ inptr = inputline;
+ for (j = imagewidth; j-- > 0;) {
+ red = (*inptr++) & 0xff >> COLOR_SHIFT;
+@@ -829,7 +832,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+ outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+
+ GetInputLine(in, 0, goto bad); /* get first line */
+- for (i = 1; i <= imagelength; ++i) {
++ for (i = 0; i < imagelength; ++i) {
+ SWAP(short *, thisline, nextline);
+ lastline = (i >= imax);
+ if (i <= imax)
+@@ -900,7 +903,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+ nextptr += 3;
+ }
+ }
+- if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ break;
+ }
+ bad:
+--
+2.47.3
+
diff --git a/libtiff.spec b/libtiff.spec
index c6e1e3b..affd234 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.9
-Release: 35%{?dist}
+Release: 36%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.simplesystems.org/libtiff/
@@ -67,6 +67,10 @@ Patch45: libtiff-4.0.9-CVE-2017-17095.patch
 # CVE-2025-9900
 Patch46: RHEL-112533.patch
 
+# Fix skipping first line of input image in tiffdither and tiffmedian, RHEL-120230
+# CVE-2025-8176
+Patch47: RHEL-120230.patch
+
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
@@ -219,6 +223,10 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Mon Nov 03 2025 RHEL Packaging Agent - 4.0.9-36
+- fix CVE-2025-8176: prevent skipping first line in tiffdither and
+ tiffmedian tools (RHEL-120230)
+
 * Tue Oct 14 2025 RHEL Packaging Agent - 4.0.9-35
 - fix CVE-2025-9900: buffer underflow crash in TIFFReadRGBAImageOriented()
 (RHEL-112533)
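Review bot: The row being dithered and the row index being written may be out of step in `fsdither` (tools/tiffdither.c) and `quant_fsdither` (tools/tiffmedian.c): the first input row is still loaded into `nextline` before the loop and swapped into `thisline` on the first pass, while the loop now starts at `i = 0` and writes `outline` to row `i`. Both function bodies continue outside these hunks; if they still read scanline `i` into `nextline` inside the loop, row 0 is fetched twice and the last input row is read but never written. I see no new out-of-bounds access in the visible lines, but the backport should be checked against an image with distinguishable first and last rows, and the invariant recorded above each loop, e.g. `/* thisline holds the row loaded on the previous pass; it is written as output row i */`. The new fatal path in `get_histogram` would also be easier to triage with the row in the message, assuming `i` is an unsigned integer: `fprintf(stderr, "Error reading scanline %lu\n", (unsigned long) i);`.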
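Review bot: Nothing in the libtiff.spec hunks shows `Patch47` being applied: the diffstat counts nine insertions, which the Release bump, the four lines around `Patch47` and the four changelog lines already account for, so no `%patch47` line was added. That is fine if `%prep` uses `%autosetup` or `%autopatch`, which lies outside the visible hunks, but if patches are applied one by one the CVE-2025-8176 fix would be listed and never built in. In that case add `%patch47 -p1` after the line that applies `Patch46`, and confirm in the build log that RHEL-120230.patch is applied.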