From 503a6cd3294f36f811418b6aa71252bd5599f996 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 7 Nov 2023 11:58:46 +0000
Subject: [PATCH] import UBI libtiff-4.4.0-10.el9
---
 ...WDecode-avoid-crash-when-trying-to-r.patch | 36 +++++++
 ...iffcrop-Do-not-reuse-input-buffer-fo.patch | 95 +++++++++++++++++++
 ...FFClose-avoid-NULL-pointer-dereferen.patch | 55 +++++++++++
 ...if_luv-Check-and-correct-for-NaN-dat.patch | 35 +++++++
 ...3-3576-Fix-memory-leak-in-tiffcrop.c.patch | 34 +++++++
 SPECS/libtiff.spec | 15 ++-
 6 files changed, 269 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
 create mode 100644 SOURCES/0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch
 create mode 100644 SOURCES/0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch
 create mode 100644 SOURCES/0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch
 create mode 100644 SOURCES/0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch
diff --git a/SOURCES/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch b/SOURCES/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
new file mode 100644
index 0000000..3450674
--- /dev/null
+++ b/SOURCES/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
@@ -0,0 +1,36 @@
+From af4ee2276bfb9cfdd1809326604ead5a405735be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?=
+Date: Thu, 8 Jun 2023 14:10:59 +0200
+Subject: [PATCH] (CVE-2023-2731) LZWDecode(): avoid crash when trying to read
+ again from a strip whith a missing end-of-information marker (fixes #548)
+
+(cherry picked from commit 9be22b639ea69e102d3847dca4c53ef025e9527b)
+---
+ libtiff/tif_lzw.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index 096824d2..2ba6237e 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -404,7 +404,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
+ assert(sp->dec_codetab != NULL);
+
+ if (sp->read_error) {
+- return 0;
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
++ "previous error",
++ tif->tif_row);
++ return 0;
+ }
+
+ /*
+@@ -705,6 +709,7 @@ after_loop:
+ return (1);
+
+ no_eoi:
++ sp->read_error = 1;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "LZWDecode: Strip %"PRIu32" not terminated with EOI code",
+ tif->tif_curstrip);
diff --git a/SOURCES/0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch b/SOURCES/0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch
new file mode 100644
index 0000000..29d6b06
--- /dev/null
+++ b/SOURCES/0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch
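Review bot: The flag set at `no_eoi:` (`sp->read_error = 1;`) is sticky, and the place where it is cleared for the next strip is not part of this hunk; if LZWPreDecode() (outside the hunk) does not reset it, every later strip of the same file would hit the new "cannot be read due to previous error" branch instead of being decoded. That should be confirmed against LZWPreDecode, and the assignment deserves a comment stating the intent: `/* sticky for this strip: later LZWDecode() calls fail fast instead of re-reading past the missing EOI (LZWPreDecode() resets it) */`. The error path after `no_eoi:` continues outside the hunk.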
@@ -0,0 +1,95 @@
+From c7c1a0e3537b692196c15ea764b789f601b15850 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?=
+Date: Wed, 28 Jun 2023 14:05:50 +0200
+Subject: [PATCH] (CVE-2023-26965) tiffcrop: Do not reuse input buffer for
+ subsequent images. Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe,
+because other functions (like rotateImage() etc.) reallocate that buffer with
+different size without updating the local prev_readsize value.
+
+Closes #527
+
+(cherry picked from commit ec8ef90c1f573c9eb1f17d6a056aa0015f184acf)
+---
+ tools/tiffcrop.c | 45 ++++++++++++++-------------------------------
+ 1 file changed, 14 insertions(+), 31 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c2688883..d9b91e4e 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -6103,9 +6103,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ uint32_t tw = 0, tl = 0; /* Tile width and length */
+ tmsize_t tile_rowsize = 0;
+ unsigned char *read_buff = NULL;
+- unsigned char *new_buff = NULL;
+ int readunit = 0;
+- static tmsize_t prev_readsize = 0;
+
+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6404,41 +6402,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ }
+ }
+ }
+-
++
+ read_buff = *read_ptr;
+- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+- /* outside buffer */
+- if (!read_buff)
++ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
++ * outside buffer */
++ /* Reuse of read_buff from previous image is quite unsafe, because other
++ * functions (like rotateImage() etc.) reallocate that buffer with different
++ * size without updating the local prev_readsize value.
*/
++ if (read_buff)
+ {
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ _TIFFfree(read_buff);
+ }
+- else
++ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
+- if (prev_readsize < buffsize)
+- {
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- if (!new_buff)
+- {
+- free (read_buff);
+- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- }
+- else
+- read_buff = new_buff;
+- }
++ TIFFError("loadImage", "Required read buffer size too large" );
++ return (-1);
+ }
++ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++
+ if (!read_buff)
+ {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ TIFFError("loadImage", "Unable to allocate read buffer" );
+ return (-1);
+ }
+
+@@ -6446,7 +6430,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ read_buff[buffsize+1] = 0;
+ read_buff[buffsize+2] = 0;
+
+- prev_readsize = buffsize;
+ *read_ptr = read_buff;
+
+ /* N.B. The read functions used copy separate plane data into a buffer as interleaved
diff --git a/SOURCES/0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch b/SOURCES/0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch
new file mode 100644
index 0000000..30616c9
--- /dev/null
+++ b/SOURCES/0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch
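Review bot: After `_TIFFfree(read_buff);` the caller's `*read_ptr` still points at the released buffer on both early returns that follow it (the "Required read buffer size too large" check and the failed `limitMalloc`), because the slot is only rewritten by `*read_ptr = read_buff;` at the end of the hunk. If the caller releases `*read_ptr` on its error path, that is a double free of the same block; clearing the slot when the buffer is freed avoids it: `_TIFFfree(read_buff); *read_ptr = NULL;` inside the `if (read_buff)` block. loadImage() starts and ends outside the hunk, so the caller's cleanup cannot be confirmed from here.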
@@ -0,0 +1,55 @@
+From 9a0ec729ad38af873eac5d896cb38219cb50d49c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?=
+Date: Tue, 1 Aug 2023 16:04:17 +0200
+Subject: [PATCH] (CVE-2023-3316) TIFFClose() avoid NULL pointer dereferencing.
+ fix#515
+
+Closes #515
+
+(cherry picked from commit f171d7a2cd50e34975036748a395c156d32d9235)
+---
+ libtiff/tif_close.c | 6 ++++--
+ tools/tiffcrop.c | 7 +++++--
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
+index 04977bc7..6c9f7349 100644
+--- a/libtiff/tif_close.c
++++ b/libtiff/tif_close.c
+@@ -125,13 +125,15 @@ TIFFCleanup(TIFF* tif)
+ void
+ TIFFClose(TIFF* tif)
+ {
+- TIFFCloseProc closeproc = tif->tif_closeproc;
++ if (tif != NULL)
++ {
++ TIFFCloseProc closeproc = tif->tif_closeproc;
+ thandle_t fd = tif->tif_clientdata;
+
+ TIFFCleanup(tif);
+ (void) (*closeproc)(fd);
+ }
+-
++}
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+
+ /*
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index d9b91e4e..07fc7ea3 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2553,9 +2553,12 @@ main(int argc, char* argv[])
+ }
+ }
+
+- TIFFClose(out);
++ if (out != NULL)
++ {
++ TIFFClose(out);
++ }
+
+- return (0);
++ return (0);
+ } /* end main */
+
+
diff --git a/SOURCES/0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch b/SOURCES/0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch
new file mode 100644
index 0000000..4cb5f56
--- /dev/null
+++ b/SOURCES/0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch
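Review bot: The new NULL tolerance of TIFFClose() is not stated anywhere in the hunk, and the unchanged lines from `thandle_t fd = tif->tif_clientdata;` to `(void) (*closeproc)(fd);` now sit inside the new `if (tif != NULL)` block at their old indentation, which makes the brace structure hard to follow. The contract should be written where TIFFClose is documented (its doc block is outside the hunk), e.g. `/* A NULL tif is accepted and ignored, like free(NULL). */`, and the body re-indented in a follow-up. Given that guarantee, the `if (out != NULL)` wrapper added around `TIFFClose(out)` in tiffcrop's main() duplicates the library check and could be dropped, unless tiffcrop is expected to link against an older libtiff.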
@@ -0,0 +1,35 @@
+From 7d0a920d34e9960b2dd2e3583172826b3a4db570 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?=
+Date: Tue, 8 Aug 2023 15:32:42 +0200
+Subject: [PATCH] (CVE-2023-26966) tif_luv: Check and correct for NaN data in
+ uv_encode().
+
+Closes #530
+
+See merge request libtiff/libtiff!473
+
+(cherry picked from commit d1f658afa5ab5ed21a9e32e0f790f41b01506cd9)
+---
+ libtiff/tif_luv.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index 72ab3668..93c76115 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -908,7 +908,14 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
+ {
+ register int vi, ui;
+
+- if (v < UV_VSTART)
++ /* check for NaN */
++ if (u != u || v != v)
++ {
++ u = U_NEU;
++ v = V_NEU;
++ }
++
++ if (v < UV_VSTART)
+ return oog_encode(u, v);
+ vi = tiff_itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
+ if (vi >= UV_NVS)
diff --git a/SOURCES/0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch b/SOURCES/0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch
new file mode 100644
index 0000000..cd1b550
--- /dev/null
+++ b/SOURCES/0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch
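Review bot: The NaN test `if (u != u || v != v)` depends on IEEE self-comparison, which compilers fold to false under `-ffast-math`/`-ffinite-math-only`, silently disabling this fix; `if (isnan(u) || isnan(v))` from <math.h> is the portable form (tif_luv.c's includes are outside the hunk, so confirm <math.h> is available there). The comment `/* check for NaN */` should also say why the neutral values are substituted rather than rejecting the sample, e.g. `/* NaN cannot be encoded: substitute the neutral chromaticity instead of feeding NaN into the tiff_itrunc() index arithmetic below */`. uv_encode() continues outside the hunk.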
@@ -0,0 +1,34 @@
+From 186a46ebfe483703e3120e825fc5f3eb26a1c0f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?=
+Date: Tue, 8 Aug 2023 15:42:54 +0200
+Subject: [PATCH] (CVE-2023-3576) Fix memory leak in tiffcrop.c
+
+See merge request libtiff/libtiff!475
+
+(cherry picked from commit 1d5b1181c980090a6518f11e61a18b0e268bf31a)
+---
+ tools/tiffcrop.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 07fc7ea3..be72ec52 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7922,9 +7922,14 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+
+ read_buff = *read_buff_ptr;
+
+- /* process full image, no crop buffer needed */
+- crop_buff = read_buff;
+- *crop_buff_ptr = read_buff;
++ /* Memory is freed before crop_buff_ptr is overwritten */
++ if (*crop_buff_ptr != NULL )
++ {
++ _TIFFfree(*crop_buff_ptr);
++ }
++
++ /* process full image, no crop buffer needed */
++ *crop_buff_ptr = read_buff;
+ crop->combined_width = image->width;
+ crop->combined_length = image->length;
+
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index c0e0908..65bdcf8 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.4.0
-Release: 8%{?dist}
+Release: 10%{?dist}
 License: libtiff
 URL: http://www.simplesystems.org/libtiff/
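Review bot: `_TIFFfree(*crop_buff_ptr)` releases whatever the caller left in the slot, and the same path then stores `read_buff` into it, so on the next image `*crop_buff_ptr` may still alias a read buffer that loadImage() has meanwhile released (patch 0015 in this import frees `*read_ptr` before every reallocation) — a double free unless main() clears `crop_buff` after each image, which cannot be checked from this hunk. At minimum the free should never touch the current read buffer, `if (*crop_buff_ptr != NULL && *crop_buff_ptr != read_buff)`, and the comment should spell out the ownership rule: `/* crop_buff_ptr may own a buffer from an earlier call; release it, but never the read buffer, which loadImage() owns */`. createCroppedImage() starts and ends outside the hunk.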
@@ -26,6 +26,11 @@ Patch0011: 0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
 Patch0012: 0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch
 # CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
 Patch0013: 0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch
+Patch0014: 0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
+Patch0015: 0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch
+Patch0016: 0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch
+Patch0017: 0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch
+Patch0018: 0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch
@@ -180,6 +185,14 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 %changelog
+* Tue Aug 08 2023 Matej Mužila - 4.4.0-10
+- Fix CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576
+- Resolves: CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576
+
+* Thu Jun 08 2023 Matej Mužila - 4.4.0-9
+- Fix CVE-2023-2731
+- Resolves: CVE-2023-2731
+
 * Tue Mar 21 2023 Matej Mužila - 4.4.0-8
 - Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799