Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209

Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406

0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch

@@ -0,0 +1,37 @@
+From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@mines-paris.org>
+Date: Tue, 13 Mar 2018 14:39:30 +0000
+Subject: [PATCH] (CVE-2018-15209) Merge branch
+ 'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master'
+
+ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
+
+See merge request libtiff/libtiff!26
+
+(cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063)
+---
+ libtiff/tif_dirread.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index b72e6a3b..bc1ab083 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+         if( nstrips == 0 )
+             return;
+ 
++        /* If we are going to allocate a lot of memory, make sure that the */
++        /* file is as big as needed */
++        if( tif->tif_mode == O_RDONLY &&
++            nstrips > 1000000 &&
++            (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
++             tif->tif_dir.td_stripbytecount[0] >
++                    TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
++        {
++            return;
++        }
++
+ 	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripByteCounts\" array");
+ 	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch

@@ -0,0 +1,172 @@
+From 83f6ae4cce52cd4feaebf2bc4fc2d5077a10677c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
+Date: Thu, 16 May 2024 14:43:44 +0200
+Subject: [PATCH] (CVE-2023-25433) Merge branch
+ 'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
+
+tiffcrop correctly update buffersize after rotateImage() fix#520
+
+Closes #520
+
+See merge request libtiff/libtiff!467
+
+(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
+---
+ tools/tiffcrop.c | 72 ++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 58 insertions(+), 14 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 77923cf3..8b761874 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -529,7 +529,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, 
+                                      uint32,   uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- 		       unsigned char **);
++ 		       unsigned char **, tsize_t *);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+ 		       unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6358,7 +6358,7 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
+       return (-1);
+       }
+  
+-    if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
++    if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
+       {
+       TIFFError ("correct_orientation", "Unable to rotate image");
+       return (-1);
+@@ -7578,16 +7578,20 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ 
+     if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+       {
++      /* rotateImage() set up a new buffer and calculates its size
++       * individually. Therefore, seg_buffs size  needs to be updated
++       * accordingly. */
++
++      tsize_t rot_buf_size = 0;
+       if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                      &crop->combined_length, &crop_buff))
++                      &crop->combined_length, &crop_buff, &rot_buf_size))
+         {
+         TIFFError("processCropSelections", 
+                   "Failed to rotate composite regions by %d degrees", crop->rotation);
+         return (-1);
+         }
+       seg_buffs[0].buffer = crop_buff;
+-      seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
+-                            * image->spp) * crop->combined_length; 
++      seg_buffs[0].size = rot_buf_size;
+       }
+     }
+   else  /* Separated Images */
+@@ -7684,8 +7688,18 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ 
+       if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+         {
+-	if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, 
+-			&crop->regionlist[i].length, &crop_buff))
++        /* rotateImage() changes image->width, ->length, ->xres and
++         * ->yres, what it schouldn't do here, when more than one
++         * section is processed. ToDo: Therefore rotateImage() and its
++         * usage has to be reworked (e.g. like mirrorImage()) !!
++         * Furthermore, rotateImage() set up a new buffer and calculates
++         * its size individually. Therefore, seg_buffs size  needs to be
++         * updated accordingly. */
++          tsize_t rot_buf_size = 0;
++          if (rotateImage(
++                      crop->rotation, image, &crop->regionlist[i].width,
++                      &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
++
+           {
+           TIFFError("processCropSelections", 
+                     "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7696,8 +7710,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+         crop->combined_width = total_width;
+         crop->combined_length = total_length;
+         seg_buffs[i].buffer = crop_buff;
+-        seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
+-                               * image->spp) * crop->regionlist[i].length; 
++        seg_buffs[i].size = rot_buf_size;
+         }
+       }
+     }
+@@ -7813,7 +7826,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+     {
+     if (rotateImage(crop->rotation, image, &crop->combined_width, 
+-                    &crop->combined_length, crop_buff_ptr))
++                    &crop->combined_length, crop_buff_ptr, NULL))
+       {
+       TIFFError("createCroppedImage", 
+                 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8476,13 +8489,14 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, 
+-            uint32 *img_length, unsigned char **ibuff_ptr)
++            uint32 *img_length, unsigned char **ibuff_ptr, tsize_t *rot_buf_size)
+   {
+   int      shift_width;
+   uint32   bytes_per_pixel, bytes_per_sample;
+   uint32   row, rowsize, src_offset, dst_offset;
+   uint32   i, col, width, length;
+-  uint32   colsize, buffsize, col_offset, pix_offset;
++  uint32   colsize,  col_offset, pix_offset;
++  tmsize_t buffsize;
+   unsigned char *ibuff;
+   unsigned char *src;
+   unsigned char *dst;
+@@ -8495,12 +8509,40 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+   spp = image->spp;
+   bps = image->bps;
+ 
++  if ((spp != 0 && bps != 0 &&
++       width > (uint32)((UINT32_MAX - 7) / spp / bps)) ||
++      (spp != 0 && bps != 0 &&
++       length > (uint32)((UINT32_MAX - 7) / spp / bps)))
++  {
++      TIFFError("rotateImage", "Integer overflow detected.");
++      return (-1);
++  }
+   rowsize = ((bps * spp * width) + 7) / 8;
+   colsize = ((bps * spp * length) + 7) / 8;
+   if ((colsize * width) > (rowsize * length))
+-    buffsize = (colsize + 1) * width;
++  {
++      if (((tmsize_t)colsize + 1) != 0 &&
++          (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - 3) /
++                             ((tmsize_t)colsize + 1)))
++      {
++          TIFFError("rotateImage",
++                    "Integer overflow when calculating buffer size.");
++          return (-1);
++      }
++      buffsize = ((tmsize_t)colsize + 1) * width;
++  }
+   else
+-    buffsize = (rowsize + 1) * length;
++  {
++      if (((tmsize_t)rowsize + 1) != 0 &&
++          (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - 3) /
++                              ((tmsize_t)rowsize + 1)))
++      {
++          TIFFError("rotateImage",
++                    "Integer overflow when calculating buffer size.");
++          return (-1);
++      }
++      buffsize = (rowsize + 1) * length;
++  }
+ 
+   bytes_per_sample = (bps + 7) / 8;
+   bytes_per_pixel  = ((bps * spp) + 7) / 8;
+@@ -8526,6 +8568,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+     return (-1);
+     }
+   _TIFFmemset(rbuff, '\0', buffsize);
++  if (rot_buf_size != NULL)
++      *rot_buf_size = buffsize;
+ 
+   ibuff = *ibuff_ptr;
+   switch (rotation)

0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch

@@ -0,0 +1,50 @@
+From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
+Date: Thu, 16 May 2024 14:54:52 +0200
+Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master'
+
+TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622)
+
+Closes #622
+
+See merge request libtiff/libtiff!546
+
+(cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e)
+---
+ libtiff/tif_getimage.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 00cd5510..4f32b3a4 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error)
+ 
+     if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
+ 
++        if (row >= img.height)
++        {
++            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++                          "Invalid row passed to TIFFReadRGBAStrip().");
++            TIFFRGBAImageEnd(&img);
++            return (0);
++        }
++
+         img.row_offset = row;
+         img.col_offset = 0;
+ 
+@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
+ 	    return( 0 );
+     }
+ 
++    if (col >= img.width || row >= img.height)
++    {
++        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++                      "Invalid row/col passed to TIFFReadRGBATile().");
++        TIFFRGBAImageEnd(&img);
++        return (0);
++    }
++
+     /*
+      * The TIFFRGBAImageGet() function doesn't allow us to get off the
+      * edge of the image, even to fill an otherwise valid tile.  So we

0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch

@@ -0,0 +1,30 @@
+From 32346d49db890969d7de19e8eebff00400280926 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 9 Sep 2023 15:11:42 +0000
+Subject: [PATCH] (CVE-2023-6228) Merge branch
+ 'fix_606_tiffcp_check_also_input_compression_codec' into 'master'
+
+tiffcp: Fixes #606. Check also codec of input image, not only from output image.
+
+Closes #606
+
+See merge request libtiff/libtiff!533
+
+(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e)
+---
+ tools/tiffcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index fb98bd57..81ec6bbd 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -622,6 +622,8 @@ tiffcp(TIFF* in, TIFF* out)
+ 	else
+ 		CopyField(TIFFTAG_COMPRESSION, compression);
+ 	TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
++    if (!TIFFIsCODECConfigured(input_compression))
++        return FALSE;
+ 	TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
+ 	if (input_compression == COMPRESSION_JPEG) {
+ 		/* Force conversion to RGB */

libtiff.spec

@@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       31%{?dist}
+Release:       32%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@@ -50,7 +50,10 @@ Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
 Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
 Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
 Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
-
+Patch0040: 0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch
+Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch
+Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch
+Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
 
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@@ -204,6 +207,10 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Thu May 16 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-32
+- Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209
+- Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406
+
 * Fri Jan 05 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-31
 - Fix CVE-2022-3599 CVE-2022-4645
 - Resolves: RHEL-5399