Fix CVE-2023-2731

Resolves: CVE-2023-2731
2023-06-08 14:26:40 +02:00 · 2023-06-08 14:26:40 +02:00 · 55b6eaeda7
parent c8be182a6a
commit 55b6eaeda7
2 changed files with 42 additions and 1 deletions
--- a/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
+++ b/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
@ -0,0 +1,36 @@
+From af4ee2276bfb9cfdd1809326604ead5a405735be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
+Date: Thu, 8 Jun 2023 14:10:59 +0200
+Subject: [PATCH] (CVE-2023-2731) LZWDecode(): avoid crash when trying to read
+ again from a strip whith a missing end-of-information marker (fixes #548)
+
+(cherry picked from commit 9be22b639ea69e102d3847dca4c53ef025e9527b)
+---
+ libtiff/tif_lzw.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index 096824d2..2ba6237e 100644
+--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
+@@ -404,7 +404,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
+ 	assert(sp->dec_codetab != NULL);
+ 
+ 	if (sp->read_error) {
+-		return 0;
+        TIFFErrorExt(tif->tif_clientdata, module,
+                      "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
+                      "previous error",
+                      tif->tif_row);
+        return 0;
+ 	}
+ 
+ 	/*
+@@ -705,6 +709,7 @@ after_loop:
+ 	return (1);
+ 
+ no_eoi:
+    sp->read_error = 1;
+     TIFFErrorExt(tif->tif_clientdata, module,
+                     "LZWDecode: Strip %"PRIu32" not terminated with EOI code",
+                     tif->tif_curstrip);
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.4.0
-Release:       8%{?dist}
+Release:       9%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/

@ -26,6 +26,7 @@ Patch0011: 0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
 Patch0012: 0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch
 # CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
 Patch0013: 0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch
+Patch0014: 0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch



@ -180,6 +181,10 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Thu Jun 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-9
+- Fix CVE-2023-2731
+- Resolves: CVE-2023-2731
+
 * Tue Mar 21 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-8
 - Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
  CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799