From 44e09a0bb82cd873d2f58e99b232e4c7d926e13f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Mu=C5=BEila?= Date: Thu, 16 May 2024 16:31:19 +0200 Subject: [PATCH] Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209 Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406 --- ...erge-branch-avoid_memory_exhaustion_.patch | 37 ++++ ...erge-branch-tiffcrop_correctly_updat.patch | 172 ++++++++++++++++++ ...356-Merge-branch-fix_622-into-master.patch | 50 +++++ ...rge-branch-fix_606_tiffcp_check_also.patch | 30 +++ libtiff.spec | 11 +- 5 files changed, 298 insertions(+), 2 deletions(-) create mode 100644 0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch create mode 100644 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch create mode 100644 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch create mode 100644 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch diff --git a/0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch b/0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch new file mode 100644 index 0000000..2de6c21 --- /dev/null +++ b/0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch @@ -0,0 +1,37 @@ +From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 13 Mar 2018 14:39:30 +0000 +Subject: [PATCH] (CVE-2018-15209) Merge branch + 'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master' + +ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613) + +See merge request libtiff/libtiff!26 + +(cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063) +--- + libtiff/tif_dirread.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index b72e6a3b..bc1ab083 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif) + if( nstrips == 0 ) + return; + ++ /* If we are going to allocate a lot of memory, make sure that the */ ++ /* file is as big as needed */ ++ if( tif->tif_mode == O_RDONLY && ++ nstrips > 1000000 && ++ (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) || ++ tif->tif_dir.td_stripbytecount[0] > ++ TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) ) ++ { ++ return; ++ } ++ + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripByteCounts\" array"); + newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), diff --git a/0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch b/0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch new file mode 100644 index 0000000..396dacc --- /dev/null +++ b/0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch @@ -0,0 +1,172 @@ +From 83f6ae4cce52cd4feaebf2bc4fc2d5077a10677c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= +Date: Thu, 16 May 2024 14:43:44 +0200 +Subject: [PATCH] (CVE-2023-25433) Merge branch + 'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master' + +tiffcrop correctly update buffersize after rotateImage() fix#520 + +Closes #520 + +See merge request libtiff/libtiff!467 + +(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3) +--- + tools/tiffcrop.c | 72 ++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 58 insertions(+), 14 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 77923cf3..8b761874 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -529,7 +529,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32, + static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, + uint32, uint32, uint8 *, uint8 *); + static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *, +- unsigned char **); ++ unsigned char **, tsize_t *); + static int mirrorImage(uint16, uint16, uint16, uint32, uint32, + unsigned char *); + static int invertImage(uint16, uint16, uint16, uint32, uint32, +@@ -6358,7 +6358,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b + return (-1); + } + +- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr)) ++ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL)) + { + TIFFError ("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -7578,16 +7578,20 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { ++ /* rotateImage() set up a new buffer and calculates its size ++ * individually. Therefore, seg_buffs size needs to be updated ++ * accordingly. */ ++ ++ tsize_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, &crop_buff)) ++ &crop->combined_length, &crop_buff, &rot_buf_size)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %d degrees", crop->rotation); + return (-1); + } + seg_buffs[0].buffer = crop_buff; +- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8) +- * image->spp) * crop->combined_length; ++ seg_buffs[0].size = rot_buf_size; + } + } + else /* Separated Images */ +@@ -7684,8 +7688,18 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { +- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, +- &crop->regionlist[i].length, &crop_buff)) ++ /* rotateImage() changes image->width, ->length, ->xres and ++ * ->yres, what it schouldn't do here, when more than one ++ * section is processed. ToDo: Therefore rotateImage() and its ++ * usage has to be reworked (e.g. like mirrorImage()) !! ++ * Furthermore, rotateImage() set up a new buffer and calculates ++ * its size individually. Therefore, seg_buffs size needs to be ++ * updated accordingly. */ ++ tsize_t rot_buf_size = 0; ++ if (rotateImage( ++ crop->rotation, image, &crop->regionlist[i].width, ++ &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) ++ + { + TIFFError("processCropSelections", + "Failed to rotate crop region by %d degrees", crop->rotation); +@@ -7696,8 +7710,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + crop->combined_width = total_width; + crop->combined_length = total_length; + seg_buffs[i].buffer = crop_buff; +- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8) +- * image->spp) * crop->regionlist[i].length; ++ seg_buffs[i].size = rot_buf_size; + } + } + } +@@ -7813,7 +7826,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, crop_buff_ptr)) ++ &crop->combined_length, crop_buff_ptr, NULL)) + { + TIFFError("createCroppedImage", + "Failed to rotate image or cropped selection by %d degrees", crop->rotation); +@@ -8476,13 +8489,14 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width, + /* Rotate an image by a multiple of 90 degrees clockwise */ + static int + rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, +- uint32 *img_length, unsigned char **ibuff_ptr) ++ uint32 *img_length, unsigned char **ibuff_ptr, tsize_t *rot_buf_size) + { + int shift_width; + uint32 bytes_per_pixel, bytes_per_sample; + uint32 row, rowsize, src_offset, dst_offset; + uint32 i, col, width, length; +- uint32 colsize, buffsize, col_offset, pix_offset; ++ uint32 colsize, col_offset, pix_offset; ++ tmsize_t buffsize; + unsigned char *ibuff; + unsigned char *src; + unsigned char *dst; +@@ -8495,12 +8509,40 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, + spp = image->spp; + bps = image->bps; + ++ if ((spp != 0 && bps != 0 && ++ width > (uint32)((UINT32_MAX - 7) / spp / bps)) || ++ (spp != 0 && bps != 0 && ++ length > (uint32)((UINT32_MAX - 7) / spp / bps))) ++ { ++ TIFFError("rotateImage", "Integer overflow detected."); ++ return (-1); ++ } + rowsize = ((bps * spp * width) + 7) / 8; + colsize = ((bps * spp * length) + 7) / 8; + if ((colsize * width) > (rowsize * length)) +- buffsize = (colsize + 1) * width; ++ { ++ if (((tmsize_t)colsize + 1) != 0 && ++ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - 3) / ++ ((tmsize_t)colsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } ++ buffsize = ((tmsize_t)colsize + 1) * width; ++ } + else +- buffsize = (rowsize + 1) * length; ++ { ++ if (((tmsize_t)rowsize + 1) != 0 && ++ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - 3) / ++ ((tmsize_t)rowsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } ++ buffsize = (rowsize + 1) * length; ++ } + + bytes_per_sample = (bps + 7) / 8; + bytes_per_pixel = ((bps * spp) + 7) / 8; +@@ -8526,6 +8568,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, + return (-1); + } + _TIFFmemset(rbuff, '\0', buffsize); ++ if (rot_buf_size != NULL) ++ *rot_buf_size = buffsize; + + ibuff = *ibuff_ptr; + switch (rotation) diff --git a/0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch b/0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch new file mode 100644 index 0000000..70733dd --- /dev/null +++ b/0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch @@ -0,0 +1,50 @@ +From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= +Date: Thu, 16 May 2024 14:54:52 +0200 +Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master' + +TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622) + +Closes #622 + +See merge request libtiff/libtiff!546 + +(cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e) +--- + libtiff/tif_getimage.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 00cd5510..4f32b3a4 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error) + + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { + ++ if (row >= img.height) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row passed to TIFFReadRGBAStrip()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ + img.row_offset = row; + img.col_offset = 0; + +@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop + return( 0 ); + } + ++ if (col >= img.width || row >= img.height) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row/col passed to TIFFReadRGBATile()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ + /* + * The TIFFRGBAImageGet() function doesn't allow us to get off the + * edge of the image, even to fill an otherwise valid tile. So we diff --git a/0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch b/0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch new file mode 100644 index 0000000..13de5ed --- /dev/null +++ b/0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch @@ -0,0 +1,30 @@ +From 32346d49db890969d7de19e8eebff00400280926 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 9 Sep 2023 15:11:42 +0000 +Subject: [PATCH] (CVE-2023-6228) Merge branch + 'fix_606_tiffcp_check_also_input_compression_codec' into 'master' + +tiffcp: Fixes #606. Check also codec of input image, not only from output image. + +Closes #606 + +See merge request libtiff/libtiff!533 + +(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e) +--- + tools/tiffcp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index fb98bd57..81ec6bbd 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -622,6 +622,8 @@ tiffcp(TIFF* in, TIFF* out) + else + CopyField(TIFFTAG_COMPRESSION, compression); + TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); ++ if (!TIFFIsCODECConfigured(input_compression)) ++ return FALSE; + TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); + if (input_compression == COMPRESSION_JPEG) { + /* Force conversion to RGB */ diff --git a/libtiff.spec b/libtiff.spec index 41c05fc..4ce811f 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.9 -Release: 31%{?dist} +Release: 32%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -50,7 +50,10 @@ Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch - +Patch0040: 0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch +Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch +Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch +Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel @@ -204,6 +207,10 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Thu May 16 2024 Matej Mužila - 4.0.9-32 +- Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209 +- Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406 + * Fri Jan 05 2024 Matej Mužila - 4.0.9-31 - Fix CVE-2022-3599 CVE-2022-4645 - Resolves: RHEL-5399