rpms
/
libtiff
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libtiff-4.0.9-23.el8

This commit is contained in:
CentOS Sources 2022-11-08 01:48:26 -05:00 committed by Stepan Oksanichenko
parent fee48b4a43
commit 52978dc1ab
33 changed files with 856 additions and 239 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch Normal file
View File

@ -0,0 +1,43 @@
From 686002d8cd9d41f0a4b7915be9866979c25bd5d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 5 May 2022 14:38:04 +0200
Subject: [PATCH] Back off the minimum required automake version to 1.11.
There isn't anything in libtiff currently that actually requires 1.12,
and changing this allows the package to be built on pre-F18 machines for
easier testing. This patch can go away once we no longer care about
testing on pre-F18.
---
Makefile.am | 2 +-
test/Makefile.am | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 418a3b93..fa8bf4c0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -25,7 +25,7 @@
docdir = $(LIBTIFF_DOCDIR)
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
ACLOCAL_AMFLAGS = -I m4
docfiles = \
diff --git a/test/Makefile.am b/test/Makefile.am
index 2052487c..227f228f 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -23,7 +23,7 @@
# Process this file with automake to produce Makefile.in.
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
LIBTIFF = $(top_builddir)/libtiff/libtiff.la
--
2.34.1

24
SOURCES/0002-Fix-Makefile.patch Normal file
View File

@ -0,0 +1,24 @@
From 42425abcf2204e46544aff5cd95a129944e15894 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 5 May 2022 14:42:52 +0200
Subject: [PATCH] Fix Makefile
---
html/man/Makefile.am | 1 -
1 file changed, 1 deletion(-)
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
index 3ed00d44..8a64925a 100644
--- a/html/man/Makefile.am
+++ b/html/man/Makefile.am
@@ -90,7 +90,6 @@ docfiles = \
tiffcrop.1.html \
tiffdither.1.html \
tiffdump.1.html \
- tiffgt.1.html \
tiffinfo.1.html \
tiffmedian.1.html \
tiffset.1.html \
--
2.34.1

18
SOURCES/libtiff-CVE-2018-5784.patch → SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch
View File

@ -1,7 +1,7 @@
From 49723b0eb683cca80142b01a48ba1475fed5188a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Fri, 23 Mar 2018 15:35:39 +0100
Subject: [PATCH] Fix for bug 2772
From e5d227c83f487e8a87d336f6cebf39042520d5cd Mon Sep 17 00:00:00 2001
From: Nathan Baker <nathanb@lenovo-chrome.com>
Date: Tue, 6 Feb 2018 10:13:57 -0500
Subject: [PATCH] (CVE-2018-5784) Fix for bug 2772
It is possible to craft a TIFF document where the IFD list is circular,
leading to an infinite loop while traversing the chain. The libtiff
@ -12,6 +12,8 @@ document.
This change fixes the above behavior by breaking out of processing when
a TIFF document has >= 65535 directories and terminating with an error.
(cherry picked from commit 473851d211cf8805a161820337ca74cc9615d6ef)
---
contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
tools/tiff2pdf.c | 10 ++++++++++
@ -19,7 +21,7 @@ a TIFF document has >= 65535 directories and terminating with an error.
3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
index c61ffbb..03b3573 100644
index c61ffbb8..03b35733 100644
--- a/contrib/addtiffo/tif_overview.c
+++ b/contrib/addtiffo/tif_overview.c
@@ -65,6 +65,8 @@
@ -58,7 +60,7 @@ index c61ffbb..03b3573 100644
nOffset = TIFFCurrentDirOffset( hTIFF );
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 454befb..bdb9126 100644
index 454befbd..bdb91262 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
@ -86,7 +88,7 @@ index 454befb..bdb9126 100644
if(t2p->tiff_pages==NULL){
TIFFError(
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c69177e..c60cb38 100644
index c69177e0..c60cb389 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
@ -124,5 +126,5 @@ index c69177e..c60cb38 100644
{
dirnum = 0;
--
2.13.6
2.34.1

17
SOURCES/libtiff-CVE-2018-7456.patch → SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
View File

@ -1,7 +1,8 @@
From de5385cd882a5ff0970f63f4d93da0cbc87230c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Tue, 17 Apr 2018 18:42:09 +0200
Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
From 688dc47dfcbbc4e54dc617c9701cf46a03f8e069 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Sun, 8 Apr 2018 14:07:08 -0400
Subject: [PATCH] (CVE-2018-7456) Fix NULL pointer dereference in
TIFFPrintDirectory
The TIFFPrintDirectory function relies on the following assumptions,
supposed to be guaranteed by the specification:
@ -53,13 +54,15 @@ TIFFReadDirectory function by making sure any non-color channel is
counted in ExtraSamples.
This commit addresses CVE-2018-7456.
(cherry picked from commit be4c85b16e8801a16eec25e80eb9f3dd6a96731b)
---
libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
libtiff/tif_print.c | 2 +-
2 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 5e62e81..80aaf8d 100644
index 5e62e813..80aaf8d1 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
@ -153,7 +156,7 @@ index 5e62e81..80aaf8d 100644
* Verify Palette image has a Colormap.
*/
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 24d4b98..10a588e 100644
index 24d4b98a..10a588ea 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
@ -166,5 +169,5 @@ index 24d4b98..10a588e 100644
td->td_transferfunction[i][l]);
fputc('\n', fd);
--
2.17.0
2.34.1

39
SOURCES/libtiff-CVE-2017-9935.patch → SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
View File

@ -1,7 +1,7 @@
From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001
From 5b984e1b9296c4a3b80c5650f17cb4db575250e4 Mon Sep 17 00:00:00 2001
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 7 Dec 2017 07:46:47 +1100
Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935
Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix CVE-2017-9935
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
@ -37,13 +37,15 @@ function is the same for every page. If this changes, we abort with an
error. In theory, we should perhaps check that the transfer function
itself is identical for every page, however we don't do that due to the
confusion of the type of the data in the transfer function.
(cherry picked from commit 3dd8f6a357981a4090f126ab9025056c938b6940)
---
libtiff/tif_dir.c | 3 +++
tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++----------------
2 files changed, 49 insertions(+), 23 deletions(-)
tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++---------------
2 files changed, 47 insertions(+), 21 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index f00f808..c36a5f3 100644
index f00f8080..c36a5f3f 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
@ -57,24 +59,15 @@ index f00f808..c36a5f3 100644
break;
case TIFFTAG_REFERENCEBLACKWHITE:
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index bdb9126..bd23c9e 100644
index bdb91262..ef5d6a01 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -239,7 +239,7 @@ typedef struct {
float tiff_whitechromaticities[2];
float tiff_primarychromaticities[6];
float tiff_referenceblackwhite[2];
- float* tiff_transferfunction[3];
+ uint16* tiff_transferfunction[3];
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
1 : interpolate */
uint16 tiff_transferfunctioncount;
@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 pagen=0;
uint16 paged=0;
uint16 xuint16=0;
+ uint16 tiff_transferfunctioncount=0;
+ uint16* tiff_transferfunction[3];
+ float* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
if(directorycount > TIFF_DIR_MAX) {
@ -103,8 +96,8 @@ index bdb9126..bd23c9e 100644
+ &(tiff_transferfunction[1]),
+ &(tiff_transferfunction[2]))) {
+
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
+ (tiff_transferfunction[2] != (uint16*) NULL)
+ if((tiff_transferfunction[1] != (float*) NULL) &&
+ (tiff_transferfunction[2] != (float*) NULL)
+ ) {
+ tiff_transferfunctioncount=3;
+ } else {
@ -145,20 +138,18 @@ index bdb9126..bd23c9e 100644
if( TIFFGetField(
input,
TIFFTAG_ICCPROFILE,
@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[0]),
@@ -1838,9 +1862,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
+ (t2p->tiff_transferfunction[2] != (float*) NULL)
+ ) {
t2p->tiff_transferfunctioncount=3;
} else {
t2p->tiff_transferfunctioncount=1;
--
2.17.0
2.34.1

61
SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch Normal file
View File

@ -0,0 +1,61 @@
From 8e3772f232bf8f8c1959f229b5d922dd33a1e558 Mon Sep 17 00:00:00 2001
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 7 Dec 2017 07:49:20 +1100
Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix apparent incorrect type for
transfer table
The standard says the transfer table contains unsigned 16 bit values,
I have no idea why we refer to them as floats.
(cherry picked from commit d4f213636b6f950498a1386083199bd7f65676b9)
---
tools/tiff2pdf.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index ef5d6a01..bd23c9e5 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -239,7 +239,7 @@ typedef struct {
float tiff_whitechromaticities[2];
float tiff_primarychromaticities[6];
float tiff_referenceblackwhite[2];
- float* tiff_transferfunction[3];
+ uint16* tiff_transferfunction[3];
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
1 : interpolate */
uint16 tiff_transferfunctioncount;
@@ -1050,7 +1050,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 paged=0;
uint16 xuint16=0;
uint16 tiff_transferfunctioncount=0;
- float* tiff_transferfunction[3];
+ uint16* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
if(directorycount > TIFF_DIR_MAX) {
@@ -1163,8 +1163,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
&(tiff_transferfunction[1]),
&(tiff_transferfunction[2]))) {
- if((tiff_transferfunction[1] != (float*) NULL) &&
- (tiff_transferfunction[2] != (float*) NULL)
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
+ (tiff_transferfunction[2] != (uint16*) NULL)
) {
tiff_transferfunctioncount=3;
} else {
@@ -1861,8 +1861,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL)
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
) {
t2p->tiff_transferfunctioncount=3;
} else {
--
2.34.1

13
SOURCES/libtiff-CVE-2017-18013.patch → SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
View File

@ -1,16 +1,17 @@
From b1997b9c3ac0d6bac5effd7558141986487217a9 Mon Sep 17 00:00:00 2001
From 4d6c37328f38636d5002a6f1b584ad8e6031c61c Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 31 Dec 2017 15:09:41 +0100
Subject: [PATCH 2/4] libtiff/tif_print.c: TIFFPrintDirectory(): fix null
pointer dereference on corrupted file. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2770 / CVE-2017-18013
Subject: [PATCH] (CVE-2017-18013) libtiff/tif_print.c: TIFFPrintDirectory():
fix null pointer dereference on corrupted file. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2770
(cherry picked from commit c6f41df7b581402dfba3c19a1e3df4454c551a01)
---
libtiff/tif_print.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 10a588e..b9b53a0 100644
index 10a588ea..b9b53a0f 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
@ -32,5 +33,5 @@ index 10a588e..b9b53a0 100644
}
}
--
2.17.0
2.34.1

14
SOURCES/libtiff-CVE-2018-8905.patch → SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
View File

@ -1,18 +1,20 @@
From 1c127eb3cb7653bd61b61f9c3cfeb36fd10edab1 Mon Sep 17 00:00:00 2001
From 54972f69399628fd2105753cbcddb36ede510507 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 12 May 2018 15:32:31 +0200
Subject: [PATCH 3/4] LZWDecodeCompat(): fix potential index-out-of-bounds
write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
CVE-2018-8905
Subject: [PATCH] (CVE-2018-8905) LZWDecodeCompat(): fix potential
index-out-of-bounds write. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
The fix consists in using the similar code LZWDecode() to validate we
don't write outside of the output buffer.
(cherry picked from commit 58a898cb4459055bb488ca815c23b880c242a27d)
---
libtiff/tif_lzw.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index bc8f9c8..186ea3c 100644
index bc8f9c84..186ea3ca 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
@ -49,5 +51,5 @@ index bc8f9c8..186ea3c 100644
*op++ = (char)code;
occ--;
--
2.17.0
2.34.1

11
SOURCES/libtiff-CVE-2018-10963.patch → SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
View File

@ -1,15 +1,16 @@
From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001
From 142912f9f5bce169d9d0b16a687c00f9edec5825 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 12 May 2018 14:24:15 +0200
Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
Subject: [PATCH] (CVE-2018-10963) TIFFWriteDirectorySec: avoid assertion.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
(cherry picked from commit de144fd228e4be8aa484c3caf3d814b6fa88c6d9)
---
libtiff/tif_dirwrite.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index c68d6d2..5d0a669 100644
index c68d6d21..5d0a6699 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
@ -27,5 +28,5 @@ index c68d6d2..5d0a669 100644
}
}
--
2.17.0
2.34.1

10
SOURCES/libtiff-CVE-2018-17100.patch → SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
View File

@ -1,14 +1,16 @@
From 491e3acc55d7a54e2588de476733e93c4c7ffea0 Mon Sep 17 00:00:00 2001
From a04b4c4aec3bbfbbde9602ddb4e00809a1a4f92c Mon Sep 17 00:00:00 2001
From: Young_X <YangX92@hotmail.com>
Date: Sat, 8 Sep 2018 14:46:27 +0800
Subject: [PATCH] avoid potential int32 overflows in multiply_ms()
Subject: [PATCH] (CVE-2018-17100) avoid potential int32 overflows in
multiply_ms()
(cherry picked from commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e)
---
tools/ppm2tiff.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
index 91415e9..81ffa3d 100644
index 91415e96..81ffa3db 100644
--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
@@ -72,15 +72,16 @@ BadPPM(char* file)
@ -35,5 +37,5 @@ index 91415e9..81ffa3d 100644
int
--
2.17.2
2.34.1

13
SOURCES/libtiff-CVE-2018-18557.patch → SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
View File

@ -1,7 +1,8 @@
From 2683f6c21aefc760d2f7e56dac6b4383841886d6 Mon Sep 17 00:00:00 2001
From dfd5030637f8643990161311eb6b47f3292ab076 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 14 Oct 2018 16:38:29 +0200
Subject: [PATCH 2/2] JBIG: fix potential out-of-bounds write in JBIGDecode()
Subject: [PATCH] (CVE-2018-18557) JBIG: fix potential out-of-bounds write in
JBIGDecode()
JBIGDecode doesn't check if the user provided buffer is large enough
to store the JBIG decoded image, which can potentially cause out-of-bounds
@ -13,13 +14,15 @@ tif->tif_rawsize > tif->tif_rawcc
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
that whole strip data is provided to JBIGDecode()
(cherry picked from commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66)
---
libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
libtiff/tif_read.c | 6 ++++++
2 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
index 7a14dd9..8136c77 100644
index 7a14dd9a..8136c77b 100644
--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
@ -86,7 +89,7 @@ index 7a14dd9..8136c77 100644
}
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 2ba985a..04100f4 100644
index 2ba985a7..04100f4d 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
@ -103,5 +106,5 @@ index 2ba985a..04100f4 100644
whole_strip = 1;
#endif
--
2.17.2
2.34.1

17
SOURCES/libtiff-CVE-2018-18661.patch → SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
View File

@ -1,10 +1,11 @@
From 20dbecdf69cf0209ad0246707aaf142bb1fee96e Mon Sep 17 00:00:00 2001
From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 30 Oct 2018 18:50:27 +0100
Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 /
CVE-2018-18661
Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in
case of out of memory situation. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661
(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f)
---
libtiff/tiffiop.h | 1 +
tools/tiff2bw.c | 30 ++++++++++++++++++++++++++----
@ -12,7 +13,7 @@ Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
3 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index daa291c..08e5dc4 100644
index daa291c0..08e5dc44 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
@ -24,7 +25,7 @@ index daa291c..08e5dc4 100644
#ifndef TRUE
#define TRUE 1
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index dad54af..1f3bb2c 100644
index dad54afa..1f3bb2cd 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -40,9 +40,7 @@
@ -101,7 +102,7 @@ index dad54af..1f3bb2c 100644
#undef pack
if (inbuf)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c60cb38..3862b1c 100644
index c60cb389..3862b1ca 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
@ -117,5 +118,5 @@ index c60cb38..3862b1c 100644
#define FALSE 0
--
2.17.2
2.34.1

43
SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch Normal file
View File

@ -0,0 +1,43 @@
From 14212e5d19b47d02a4989aa31b9a326c1b131460 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Wed, 31 Oct 2018 11:50:48 +0100
Subject: [PATCH] (bz1602597) Fix two resource leaks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Nikola Forró <nforro@redhat.com>
(cherry picked from commit 2f694198f1931e144e0a07a7fb50546b5b70e3ef)
---
tools/ppm2tiff.c | 2 ++
tools/tiff2pdf.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
index 81ffa3db..a02e865a 100644
--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
@@ -285,6 +285,8 @@ main(int argc, char* argv[])
if (TIFFWriteScanline(out, buf, row, 0) < 0)
break;
}
+ if (in != stdin)
+ fclose(in);
(void) TIFFClose(out);
if (buf)
_TIFFfree(buf);
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index bd23c9e5..ff7b9c22 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
"for t2p_readwrite_pdf_image_tile, %s",
(unsigned long) t2p->tiff_datasize,
TIFFFileName(input));
+ _TIFFfree(buffer);
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
--
2.34.1

11
SOURCES/libtiff-CVE-2018-12900.patch → SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
View File

@ -1,15 +1,18 @@
From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001
From 98e37a5c822bdfed2343e6ab9d03680e85783aef Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 10:05:33 +0100
Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
Subject: [PATCH] (CVE-2018-12900) check that (Tile Width)*(Samples/Pixel) do
no overflow
fixes bug 2833
(cherry picked from commit 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d)
---
tools/tiffcp.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 489459a..0c66229 100644
index 489459a7..96f14728 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -43,6 +43,7 @@
@ -43,5 +46,5 @@ index 489459a..0c66229 100644
if (tilebuf == 0)
return 0;
--
2.21.0
2.34.1

26
SOURCES/libtiff-CVE-2019-14973.patch → SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
View File

@ -1,8 +1,8 @@
From 218c3753fba788c78a9b5e515e884043f6e2ba28 Mon Sep 17 00:00:00 2001
From 00aeede6bdba3cb74943932b24accc7ba61d2cb0 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 10 Aug 2019 18:25:03 +0200
Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other
implementation-defined behaviour (CVE-2019-14973)
Subject: [PATCH] (CVE-2019-14973) Fix integer overflow in _TIFFCheckMalloc()
and other implementation-defined behaviour (CVE-2019-14973)
_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
@ -16,6 +16,8 @@ builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
at that time exploits, but are better to fix in a more bullet-proof way.
Or similarly use of (int64)uint64_var <= 0.
(cherry picked from commit 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773)
---
libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
libtiff/tif_getimage.c | 6 ++----
@ -28,7 +30,7 @@ Or similarly use of (int64)uint64_var <= 0.
8 files changed, 71 insertions(+), 106 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 10b8d00..38a98b6 100644
index 10b8d00c..38a98b67 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
@ -95,7 +97,7 @@ index 10b8d00..38a98b6 100644
if (cp == NULL) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index fc554cc..ec09fea 100644
index fc554cca..ec09feaf 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
@ -121,7 +123,7 @@ index fc554cc..ec09fea 100644
}
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 4b25244..c4cb73a 100644
index 4b25244b..c4cb73a3 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
@ -143,7 +145,7 @@ index 4b25244..c4cb73a 100644
static int
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 979858d..8e9eaa1 100644
index 979858da..8e9eaa1d 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
@ -164,7 +166,7 @@ index 979858d..8e9eaa1 100644
static tmsize_t
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 04100f4..9a0e6e9 100644
index 04100f4d..9a0e6e95 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -31,9 +31,6 @@
@ -262,7 +264,7 @@ index 04100f4..9a0e6e9 100644
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFWarningExt(tif->tif_clientdata, module,
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
index 6e9f2ef..321ad6b 100644
index 6e9f2ef6..321ad6b9 100644
--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
@ -333,7 +335,7 @@ index 6e9f2ef..321ad6b 100644
/* vim: set ts=8 sts=8 sw=8 noet: */
diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
index 388e168..7d05750 100644
index 388e168a..7d057509 100644
--- a/libtiff/tif_tile.c
+++ b/libtiff/tif_tile.c
@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif)
@ -388,7 +390,7 @@ index 388e168..7d05750 100644
/*
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 08e5dc4..d4b8631 100644
index 08e5dc44..d4b86314 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
@ -420,5 +422,5 @@ index 08e5dc4..d4b8631 100644
extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
--
2.21.0
2.34.1

15
SOURCES/libtiff-CVE-2019-17546.patch → SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
View File

@ -1,17 +1,18 @@
From 3d451e3f95cbb67dd771a986991b5b6107140c4e Mon Sep 17 00:00:00 2001
From a1c493aa4f22f9d1a4757c05a60addc877519cea Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 15 Aug 2019 15:05:28 +0200
Subject: [PATCH] RGBA interface: fix integer overflow potentially causing
write heap buffer overflow, especially on 32 bit builds. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS
Fuzz
Subject: [PATCH] (CVE-2019-17546) RGBA interface: fix integer overflow
potentially causing write heap buffer overflow, especially on 32 bit builds.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to
OSS Fuzz
(cherry picked from commit 4bb584a35f87af42d6cf09d15e9ce8909a839145)
---
libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index ec09fea..c6edd27 100644
index ec09feaf..c6edd27c 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
@ -100,5 +101,5 @@ index ec09fea..c6edd27 100644
{
ret = 0;
--
2.21.1
2.34.1

11
SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch → SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
View File

@ -1,16 +1,19 @@
From 1205e9800a359b4bb4f35b2a7ff5821986e74f19 Mon Sep 17 00:00:00 2001
From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sun, 15 Nov 2020 17:02:51 +0100
Subject: [PATCH 1/3] enforce (configurable) memory limit in tiff2rgba
Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory
limit in tiff2rgba
fixes #207
fixes #209
(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d)
---
tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 4de96ae..e6de220 100644
index 4de96aec..e6de2209 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
@ -82,5 +85,5 @@ index 4de96ae..e6de220 100644
};
--
2.31.1
2.34.1

11
SOURCES/libtiff-CVE-2020-35523.patch → SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
View File

@ -1,15 +1,18 @@
From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001
From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Tue, 10 Nov 2020 01:54:30 +0100
Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow
Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for
overflow
fixes #211
(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2)
---
libtiff/tif_getimage.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index c6edd27..b1f7cc9 100644
index c6edd27c..b1f7cc95 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -31,6 +31,7 @@
@ -46,5 +49,5 @@ index c6edd27..b1f7cc9 100644
/*
--
2.31.1
2.34.1

12
SOURCES/libtiff-CVE-2020-35524.patch → SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
View File

@ -1,16 +1,18 @@
From f74e26a36dd32050774f1c4a9256147fb25ae595 Mon Sep 17 00:00:00 2001
From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sat, 14 Nov 2020 12:53:01 +0000
Subject: [PATCH 3/3] tiff2pdf.c: properly calculate datasize when saving to
JPEG YCbCr
Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when
saving to JPEG YCbCr
fixes #220
(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22)
---
tools/tiff2pdf.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index a15a3ef..db380ec 100644
index ff7b9c22..a5db1f64 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
@ -35,5 +37,5 @@ index a15a3ef..db380ec 100644
if (k == 0) {
/* Assume we had overflow inside TIFFScanlineSize */
--
2.31.1
2.34.1

11
SOURCES/libtiff-CVE-2020-19131.patch → SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
View File

@ -1,7 +1,8 @@
From b64713005e6110c36265750435cfa641d3a9281f Mon Sep 17 00:00:00 2001
From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 23:08:25 +0100
Subject: [PATCH] tiffcrop.c: fix invertImage() for bps 2 and 4
Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and
4
too much bytes were processed, causing a heap buffer overrun
http://bugzilla.maptools.org/show_bug.cgi?id=2831
@ -14,12 +15,14 @@ Also the values were not properly calculated. It should be
But anyway it is easyer to invert all bits as 255-x = ~x, etc.
(substracting from a binary number composed of all 1 is like inverting
the bits)
(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0)
---
tools/tiffcrop.c | 37 ++++++-------------------------------
1 file changed, 6 insertions(+), 31 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 3862b1c..a612914 100644
index 3862b1ca..a6129148 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -9142,7 +9142,6 @@ static int
@ -85,5 +88,5 @@ index 3862b1c..a612914 100644
*src = ~(*src);
src++;
--
2.32.0
2.34.1

30
SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch Normal file
View File

@ -0,0 +1,30 @@
From b94f6754796d32e204b874b3660a125973815933 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 6 Feb 2022 13:08:38 +0100
Subject: [PATCH] (CVE-2022-0561) TIFFFetchStripThing(): avoid calling memcpy()
with a null source pointer and size of zero (fixes #362)
(cherry picked from commit eecb0712f4c3a5b449f70c57988260a667ddbdef)
---
libtiff/tif_dirread.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 80aaf8d1..1e6f1c2f 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5633,8 +5633,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
+ if( dir->tdir_count )
+ _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
_TIFFfree(data);
data=resizeddata;
}
--
2.34.1

28
SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch Normal file
View File

@ -0,0 +1,28 @@
From b7426cc131d837de8d139b8007f66f9db59c4f6a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 5 Feb 2022 20:36:41 +0100
Subject: [PATCH] (CVE-2022-0562) TIFFReadDirectory(): avoid calling memcpy()
with a null source pointer and size of zero (fixes #362)
(cherry picked from commit 561599c99f987dc32ae110370cfdd7df7975586b)
---
libtiff/tif_dirread.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 1e6f1c2f..d68aecc5 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4083,7 +4083,8 @@ TIFFReadDirectory(TIFF* tif)
goto bad;
}
- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ if (old_extrasamples > 0)
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo);
}
--
2.34.1

39
SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch Normal file
View File

@ -0,0 +1,39 @@
From 377a37d06f8ea753cba404cd6954b988ca861ad3 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Tue, 25 Jan 2022 16:25:28 +0000
Subject: [PATCH] (CVE-2022-22844) tiffset: fix global-buffer-overflow for
ASCII tags where count is required (fixes #355)
(cherry picked from commit 03047a26952a82daaa0792957ce211e0aa51bc64)
---
tools/tiffset.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
index 894c9f1f..e4b0d49f 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -134,9 +134,19 @@ main(int argc, char* argv[])
arg_index++;
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+ if(TIFFFieldPassCount( fip )) {
+ size_t len;
+ len = strlen(argv[arg_index]) + 1;
+ if (len > ((uint16)(~0)) || TIFFSetField(tiff, TIFFFieldTag(fip),
+ (uint16)len, argv[arg_index]) != 1)
fprintf( stderr, "Failed to set %s=%s\n",
TIFFFieldName(fip), argv[arg_index] );
+ } else {
+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
+ argv[arg_index]) != 1)
+ fprintf( stderr, "Failed to set %s=%s\n",
+ TIFFFieldName(fip), argv[arg_index] );
+ }
} else if (TIFFFieldWriteCount(fip) > 0
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
int ret = 1;
--
2.34.1

36
SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch Normal file
View File

@ -0,0 +1,36 @@
From 2d598cd7523cba7ee8441fac96bfe422ec277efc Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 24 Feb 2022 22:26:02 +0100
Subject: [PATCH] (CVE-2022-0865) tif_jbig.c: fix crash when reading a file
with multiple IFD in memory-mapped mode and when bit reversal is needed
(fixes #385)
(cherry picked from commit a1c933dabd0e1c54a412f3f84ae0aa58115c6067)
---
libtiff/tif_jbig.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
index 8136c77b..698428f0 100644
--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
@@ -210,6 +210,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
*/
tif->tif_flags |= TIFF_NOBITREV;
tif->tif_flags &= ~TIFF_MAPPED;
+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
+ * value to be consistent with the state of a non-memory mapped file.
+ */
+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
+ tif->tif_rawdata = NULL;
+ tif->tif_rawdatasize = 0;
+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
+ tif->tif_flags |= TIFF_MYBUFFER;
+ }
/* Setup the function pointers for encode, decode, and cleanup. */
tif->tif_setupdecode = JBIGSetupDecode;
--
2.34.1

201
SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch Normal file
View File

@ -0,0 +1,201 @@
From 465c2d93e2a2d20ac4844ad0d98b35f00e8063fb Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 8 Mar 2022 17:02:44 +0000
Subject: [PATCH] (CVE-2022-0891) tiffcrop: fix issue #380 and #382 heap buffer
overflow in extractImageSection
(cherry picked from commit 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c)
---
tools/tiffcrop.c | 84 ++++++++++++++++++------------------------------
1 file changed, 32 insertions(+), 52 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index a6129148..83cf80ad 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6668,10 +6668,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
uint32 img_length;
#endif
- uint32 j, shift1, shift2, trailing_bits;
+ uint32 j, shift1, trailing_bits;
uint32 row, first_row, last_row, first_col, last_col;
uint32 src_offset, dst_offset, row_offset, col_offset;
- uint32 offset1, offset2, full_bytes;
+ uint32 offset1, full_bytes;
uint32 sect_width;
#ifdef DEVELMODE
uint32 sect_length;
@@ -6681,7 +6681,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
int k;
unsigned char bitset;
- static char *bitarray = NULL;
#endif
img_width = image->width;
@@ -6699,17 +6698,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
dst_offset = 0;
#ifdef DEVELMODE
- if (bitarray == NULL)
- {
- if ((bitarray = (char *)malloc(img_width)) == NULL)
- {
- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
- return (-1);
- }
- }
+ char bitarray[39];
#endif
- /* rows, columns, width, length are expressed in pixels */
+ /* rows, columns, width, length are expressed in pixels
+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
+ * last_col shall be also extracted. */
first_row = section->y1;
last_row = section->y2;
first_col = section->x1;
@@ -6719,9 +6713,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
sect_length = last_row - first_row + 1;
#endif
- img_rowsize = ((img_width * bps + 7) / 8) * spp;
+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
+ * samples rather than separate planes so the same logic works to extract regions
+ * regardless of the way the data are organized in the input file.
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
+ */
+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
- trailing_bits = (sect_width * bps) % 8;
+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
#ifdef DEVELMODE
TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
@@ -6734,10 +6733,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if ((bps % 8) == 0)
{
- col_offset = first_col * spp * bps / 8;
+ col_offset = (first_col * spp * bps) / 8;
for (row = first_row; row <= last_row; row++)
{
- /* row_offset = row * img_width * spp * bps / 8; */
row_offset = row * img_rowsize;
src_offset = row_offset + col_offset;
@@ -6750,14 +6748,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
}
else
{ /* bps != 8 */
- shift1 = spp * ((first_col * bps) % 8);
- shift2 = spp * ((last_col * bps) % 8);
+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
for (row = first_row; row <= last_row; row++)
{
/* pull out the first byte */
row_offset = row * img_rowsize;
- offset1 = row_offset + (first_col * bps / 8);
- offset2 = row_offset + (last_col * bps / 8);
+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
#ifdef DEVELMODE
for (j = 0, k = 7; j < 8; j++, k--)
@@ -6769,12 +6765,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
sprintf(&bitarray[9], " ");
for (j = 10, k = 7; j < 18; j++, k--)
{
- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
sprintf(&bitarray[j], (bitset) ? "1" : "0");
}
bitarray[18] = '\0';
- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n",
- row, offset1, shift1, offset2, shift2);
+ TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Trailing_bits: %d\n",
+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
#endif
bytebuff1 = bytebuff2 = 0;
@@ -6798,11 +6794,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if (trailing_bits != 0)
{
- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE
TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n",
- offset2, dst_offset);
+ offset1 + full_bytes, dst_offset);
for (j = 30, k = 7; j < 38; j++, k--)
{
bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
@@ -6821,8 +6818,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
for (j = 0; j <= full_bytes; j++)
{
+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
}
#ifdef DEVELMODE
@@ -6838,35 +6837,16 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
dst_offset += full_bytes;
+ /* Copy the trailing_bits for the last byte in the destination buffer.
+ Could come from one ore two bytes of the source buffer. */
if (trailing_bits != 0)
{
#ifdef DEVELMODE
- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset);
-#endif
- if (shift2 > shift1)
- {
- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
- sect_buff[dst_offset] = bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 > Shift1\n");
+ TIFFError("", " Trailing bits %4d src offset: %8d, Dst offset: %8d\n", trailing_bits, offset1 + full_bytes, dst_offset);
#endif
- }
- else
- {
- if (shift2 < shift1)
- {
- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
- sect_buff[dst_offset] &= bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 < Shift1\n");
-#endif
- }
-#ifdef DEVELMODE
- else
- TIFFError ("", " Shift2 == Shift1\n");
-#endif
- }
+ /* More than necessary bits are already copied into last destination buffer,
+ * only masking of last byte in destination buffer is necessary.*/
+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
}
#ifdef DEVELMODE
sprintf(&bitarray[28], " ");
@@ -7020,7 +7000,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
width = sections[i].x2 - sections[i].x1 + 1;
length = sections[i].y2 - sections[i].y1 + 1;
sectsize = (uint32)
- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
/* allocate a buffer if we don't have one already */
if (createImageSection(sectsize, sect_buff_ptr))
{
--
2.34.1

54
SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch Normal file
View File

@ -0,0 +1,54 @@
From 0bbe164e12be733a1b7e0fe9939ea3461ed7fff2 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Thu, 10 Mar 2022 08:48:00 +0000
Subject: [PATCH] (CVE-2022-0924) fix heap buffer overflow in tiffcp (#278)
(cherry picked from commit 88d79a45a31c74cba98c697892fed5f7db8b963a)
---
tools/tiffcp.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 96f14728..d5f1d248 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1506,12 +1506,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
tdata_t obuf;
tstrip_t strip = 0;
tsample_t s;
+ uint16 bps = 0, bytes_per_sample;
obuf = _TIFFmalloc(stripsize);
if (obuf == NULL)
return (0);
_TIFFmemset(obuf, 0, stripsize);
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps == 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ if( (bps % 8) != 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ bytes_per_sample = bps/8;
for (s = 0; s < spp; s++) {
uint32 row;
for (row = 0; row < imagelength; row += rowsperstrip) {
@@ -1521,7 +1536,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
cpContigBufToSeparateBuf(
obuf, (uint8*) buf + row*rowsize + s,
- nrows, imagewidth, 0, 0, spp, 1);
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
TIFFError(TIFFFileName(out),
"Error, can't write strip %u",
--
2.34.1

33
SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch Normal file
View File

@ -0,0 +1,33 @@
From fb2bd72a49496d10c4860102b7c26b9bc8adff70 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Tue, 8 Mar 2022 16:22:04 +0000
Subject: [PATCH] (CVE-2022-0909) fix the FPE in tiffcrop (#393)
(cherry picked from commit 32ea0722ee68f503b7a3f9b2d557acb293fc8cde)
---
libtiff/tif_dir.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index c36a5f3f..f126f2aa 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -320,13 +320,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
break;
case TIFFTAG_XRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_xresolution = TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_YRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_yresolution = TIFFClampDoubleToFloat( dblval );
break;
--
2.34.1

30
SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch Normal file
View File

@ -0,0 +1,30 @@
From e1ee7d9aa1936d5d2f8c7e1a453ad669ed6b38dd Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Feb 2022 15:28:43 +0100
Subject: [PATCH] (CVE-2022-0908) TIFFFetchNormalTag(): avoid calling memcpy()
with a null source pointer and size of zero (fixes #383)
(cherry picked from commit a95b799f65064e4ba2e2dfc206808f86faf93e85)
---
libtiff/tif_dirread.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index d68aecc5..b72e6a3b 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4972,7 +4972,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
+ if (dp->tdir_count > 0 )
+ {
+ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
+ }
o[(uint32)dp->tdir_count]=0;
if (data!=0)
_TIFFfree(data);
--
2.34.1

58
SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch Normal file
View File

@ -0,0 +1,58 @@
From b43def1519d18fecb6f23778e045838e30e027cc Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 2 Apr 2022 22:33:31 +0200
Subject: [PATCH] (CVE-2022-1355) tiffcp: avoid buffer overflow in "mode"
string (fixes #400)
(cherry picked from commit fb1db384959698edd6caeea84e28253d272a0f96)
---
tools/tiffcp.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index d5f1d248..fb98bd57 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -249,19 +249,34 @@ main(int argc, char* argv[])
deftilewidth = atoi(optarg);
break;
case 'B':
- *mp++ = 'b'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'b'; *mp = '\0';
+ }
break;
case 'L':
- *mp++ = 'l'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'l'; *mp = '\0';
+ }
break;
case 'M':
- *mp++ = 'm'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'm'; *mp = '\0';
+ }
break;
case 'C':
- *mp++ = 'c'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'c'; *mp = '\0';
+ }
break;
case '8':
- *mp++ = '8'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode)-1))
+ {
+ *mp++ = '8'; *mp = '\0';
+ }
break;
case 'x':
pageInSeq = 1;
--
2.34.1

31
SOURCES/libtiff-am-version.patch
View File

@ -1,31 +0,0 @@
Back off the minimum required automake version to 1.11. There isn't
anything in libtiff currently that actually requires 1.12, and changing
this allows the package to be built on pre-F18 machines for easier testing.
This patch can go away once we no longer care about testing on pre-F18.
diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400
+++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400
@@ -25,7 +25,7 @@
docdir = $(LIBTIFF_DOCDIR)
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
ACLOCAL_AMFLAGS = -I m4
docfiles = \
diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400
+++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400
@@ -23,7 +23,7 @@
# Process this file with automake to produce Makefile.in.
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
LIBTIFF = $(top_builddir)/libtiff/libtiff.la

42
SOURCES/libtiff-coverity.patch
View File

@ -1,42 +0,0 @@
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
index 81ffa3d..a02e865 100644
--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
@@ -285,6 +285,8 @@ main(int argc, char* argv[])
if (TIFFWriteScanline(out, buf, row, 0) < 0)
break;
}
+ if (in != stdin)
+ fclose(in);
(void) TIFFClose(out);
if (buf)
_TIFFfree(buf);
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index bd23c9e..a15a3ef 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
"for t2p_readwrite_pdf_image_tile, %s",
(unsigned long) t2p->tiff_datasize,
TIFFFileName(input));
+ _TIFFfree(buffer);
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
@@ -3747,11 +3748,11 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount)
{
uint32 i;
- /* For the 3 first samples, there is overlapping between souce and
- destination, so use memmove().
- See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
- for(i = 0; i < 3 && i < samplecount; i++)
- memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
+ /* For the 3 first samples, there is overlapping between souce and
+ destination, so use memmove().
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
+ for(i = 0; i < 3 && i < samplecount; i++)
+ memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
for(; i < samplecount; i++)
memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3);

12
SOURCES/libtiff-make-check.patch
View File

@ -1,12 +0,0 @@
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
index 587296c..696005e 100644
--- a/html/man/Makefile.am
+++ b/html/man/Makefile.am
@@ -92,7 +92,6 @@ docfiles = \
tiffcrop.1.html \
tiffdither.1.html \
tiffdump.1.html \
- tiffgt.1.html \
tiffinfo.1.html \
tiffmedian.1.html \
tiffset.1.html \

81
SPECS/libtiff.spec
View File

@ -1,32 +1,46 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.0.9
Release: 21%{?dist}
Release: 23%{?dist}
License: libtiff
Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/
Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
Patch0: libtiff-am-version.patch
Patch1: libtiff-make-check.patch
Patch2: libtiff-CVE-2018-5784.patch
Patch3: libtiff-CVE-2018-7456.patch
Patch4: libtiff-CVE-2017-9935.patch
Patch5: libtiff-CVE-2017-18013.patch
Patch6: libtiff-CVE-2018-8905.patch
Patch7: libtiff-CVE-2018-10963.patch
Patch8: libtiff-CVE-2018-17100.patch
Patch9: libtiff-coverity.patch
Patch10: libtiff-CVE-2018-18557.patch
Patch11: libtiff-CVE-2018-18661.patch
Patch12: libtiff-CVE-2018-12900.patch
Patch13: libtiff-CVE-2019-14973.patch
Patch14: libtiff-CVE-2019-17546.patch
Patch15: libtiff-CVE-2020-35521_CVE-2020-35522.patch
Patch16: libtiff-CVE-2020-35523.patch
Patch17: libtiff-CVE-2020-35524.patch
Patch18: libtiff-CVE-2020-19131.patch
# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0
# Patches were generated by: git format-patch -N ...
Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
Patch0002: 0002-Fix-Makefile.patch
Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch
Patch0004: 0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
Patch0005: 0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
Patch0006: 0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
Patch0007: 0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
Patch0008: 0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
Patch0009: 0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
Patch0010: 0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
Patch0011: 0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
Patch0012: 0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
Patch0013: 0013-bz1602597-Fix-two-resource-leaks.patch
Patch0014: 0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
Patch0015: 0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
Patch0016: 0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
Patch0017: 0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
Patch0018: 0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
Patch0019: 0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
Patch0020: 0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
Patch0021: 0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
Patch0022: 0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
Patch0023: 0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
Patch0024: 0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
Patch0025: 0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -76,27 +90,7 @@ This package contains command-line programs for manipulating TIFF format
image files using the libtiff library.
%prep
%setup -q -n tiff-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%autosetup -p1 -n tiff-%{version}
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@ -200,6 +194,11 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
* Thu May 12 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-23
- Fix various CVEs
- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865
CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1355
* Wed Sep 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-21
- Fix CVE-2020-19131 (#2006535)