rpms/libtiff
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI libtiff-4.4.0-10.el9

Browse Source
This commit is contained in:
eabdullin 2023-11-07 11:58:46 +00:00
parent a5c51d73b8
commit 503a6cd329
6 changed files with 269 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
SOURCES/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch Normal file
View File

@ -0,0 +1,36 @@
From af4ee2276bfb9cfdd1809326604ead5a405735be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 8 Jun 2023 14:10:59 +0200
Subject: [PATCH] (CVE-2023-2731) LZWDecode(): avoid crash when trying to read
again from a strip whith a missing end-of-information marker (fixes #548)
(cherry picked from commit 9be22b639ea69e102d3847dca4c53ef025e9527b)
---
libtiff/tif_lzw.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 096824d2..2ba6237e 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -404,7 +404,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
assert(sp->dec_codetab != NULL);
if (sp->read_error) {
- return 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
+ "previous error",
+ tif->tif_row);
+ return 0;
}
/*
@@ -705,6 +709,7 @@ after_loop:
return (1);
no_eoi:
+ sp->read_error = 1;
TIFFErrorExt(tif->tif_clientdata, module,
"LZWDecode: Strip %"PRIu32" not terminated with EOI code",
tif->tif_curstrip);

95
SOURCES/0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch Normal file
View File

@ -0,0 +1,95 @@
From c7c1a0e3537b692196c15ea764b789f601b15850 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Wed, 28 Jun 2023 14:05:50 +0200
Subject: [PATCH] (CVE-2023-26965) tiffcrop: Do not reuse input buffer for
subsequent images. Fix issue 527
Reuse of read_buff within loadImage() from previous image is quite unsafe,
because other functions (like rotateImage() etc.) reallocate that buffer with
different size without updating the local prev_readsize value.
Closes #527
(cherry picked from commit ec8ef90c1f573c9eb1f17d6a056aa0015f184acf)
---
tools/tiffcrop.c | 45 ++++++++++++++-------------------------------
1 file changed, 14 insertions(+), 31 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c2688883..d9b91e4e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6103,9 +6103,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
uint32_t tw = 0, tl = 0; /* Tile width and length */
tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
int readunit = 0;
- static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6404,41 +6402,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
}
}
}
-
+
read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
{
- if( buffsize > 0xFFFFFFFFU - 3 )
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ _TIFFfree(read_buff);
}
- else
+ if( buffsize > 0xFFFFFFFFU - 3 )
{
- if (prev_readsize < buffsize)
- {
- if( buffsize > 0xFFFFFFFFU - 3 )
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free (read_buff);
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large" );
+ return (-1);
}
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+
if (!read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ TIFFError("loadImage", "Unable to allocate read buffer" );
return (-1);
}
@@ -6446,7 +6430,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
read_buff[buffsize+1] = 0;
read_buff[buffsize+2] = 0;
- prev_readsize = buffsize;
*read_ptr = read_buff;
/* N.B. The read functions used copy separate plane data into a buffer as interleaved

55
SOURCES/0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch Normal file
View File

@ -0,0 +1,55 @@
From 9a0ec729ad38af873eac5d896cb38219cb50d49c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 1 Aug 2023 16:04:17 +0200
Subject: [PATCH] (CVE-2023-3316) TIFFClose() avoid NULL pointer dereferencing.
fix#515
Closes #515
(cherry picked from commit f171d7a2cd50e34975036748a395c156d32d9235)
---
libtiff/tif_close.c | 6 ++++--
tools/tiffcrop.c | 7 +++++--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
index 04977bc7..6c9f7349 100644
--- a/libtiff/tif_close.c
+++ b/libtiff/tif_close.c
@@ -125,13 +125,15 @@ TIFFCleanup(TIFF* tif)
void
TIFFClose(TIFF* tif)
{
- TIFFCloseProc closeproc = tif->tif_closeproc;
+ if (tif != NULL)
+ {
+ TIFFCloseProc closeproc = tif->tif_closeproc;
thandle_t fd = tif->tif_clientdata;
TIFFCleanup(tif);
(void) (*closeproc)(fd);
}
-
+}
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d9b91e4e..07fc7ea3 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2553,9 +2553,12 @@ main(int argc, char* argv[])
}
}
- TIFFClose(out);
+ if (out != NULL)
+ {
+ TIFFClose(out);
+ }
- return (0);
+ return (0);
} /* end main */

35
SOURCES/0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch Normal file
View File

@ -0,0 +1,35 @@
From 7d0a920d34e9960b2dd2e3583172826b3a4db570 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 8 Aug 2023 15:32:42 +0200
Subject: [PATCH] (CVE-2023-26966) tif_luv: Check and correct for NaN data in
uv_encode().
Closes #530
See merge request libtiff/libtiff!473
(cherry picked from commit d1f658afa5ab5ed21a9e32e0f790f41b01506cd9)
---
libtiff/tif_luv.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 72ab3668..93c76115 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -908,7 +908,14 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
{
register int vi, ui;
- if (v < UV_VSTART)
+ /* check for NaN */
+ if (u != u || v != v)
+ {
+ u = U_NEU;
+ v = V_NEU;
+ }
+
+ if (v < UV_VSTART)
return oog_encode(u, v);
vi = tiff_itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
if (vi >= UV_NVS)

34
SOURCES/0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch Normal file
View File

@ -0,0 +1,34 @@
From 186a46ebfe483703e3120e825fc5f3eb26a1c0f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 8 Aug 2023 15:42:54 +0200
Subject: [PATCH] (CVE-2023-3576) Fix memory leak in tiffcrop.c
See merge request libtiff/libtiff!475
(cherry picked from commit 1d5b1181c980090a6518f11e61a18b0e268bf31a)
---
tools/tiffcrop.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 07fc7ea3..be72ec52 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7922,9 +7922,14 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
read_buff = *read_buff_ptr;
- /* process full image, no crop buffer needed */
- crop_buff = read_buff;
- *crop_buff_ptr = read_buff;
+ /* Memory is freed before crop_buff_ptr is overwritten */
+ if (*crop_buff_ptr != NULL )
+ {
+ _TIFFfree(*crop_buff_ptr);
+ }
+
+ /* process full image, no crop buffer needed */
+ *crop_buff_ptr = read_buff;
crop->combined_width = image->width;
crop->combined_length = image->length;

15
SPECS/libtiff.spec
View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.4.0
Release: 8%{?dist}
Release: 10%{?dist}
License: libtiff
URL: http://www.simplesystems.org/libtiff/
@ -26,6 +26,11 @@ Patch0011: 0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
Patch0012: 0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch
# CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
Patch0013: 0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch
Patch0014: 0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
Patch0015: 0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch
Patch0016: 0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch
Patch0017: 0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch
Patch0018: 0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch
@ -180,6 +185,14 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
* Tue Aug 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-10
- Fix CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576
- Resolves: CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576
* Thu Jun 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-9
- Fix CVE-2023-2731
- Resolves: CVE-2023-2731
* Tue Mar 21 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-8
- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799