From 5aa6ee0ee288ef521f79e8987f0efd9124863fed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?=
Date: Tue, 6 Dec 2022 12:53:52 +0100
Subject: [PATCH] Fix CVE-2022-3970

Resolves: CVE-2022-3970
---
 ...FFReadRGBATileExt-fix-unsigned-integ.patch | 37 +++++++++++++++++++
 libtiff.spec | 7 +++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch

diff --git a/0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch b/0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
new file mode 100644
index 0000000..e4c3135
--- /dev/null
+++ b/0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
@@ -0,0 +1,37 @@
+From b6204fada53418fdf140e039e87052f987770de1 Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Tue, 8 Nov 2022 15:16:58 +0100
+Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer
+ overflow on strips/tiles > 2 GB
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
+
+(cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be)
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a1b6570b..9a2e0c59 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3058,15 +3058,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
+ return( ok );
+ 
+ for( i_row = 0; i_row < read_ysize; i_row++ ) {
+- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+- raster + (read_ysize - i_row - 1) * read_xsize,
++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+ read_xsize * sizeof(uint32_t) );
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ 0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
+ }
+ 
+ for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ 0, sizeof(uint32_t) * tile_xsize );
+ }
+ 
diff --git a/libtiff.spec b/libtiff.spec
index 929b00f..f81a08f 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.4.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: libtiff
 URL: http://www.simplesystems.org/libtiff/
 
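Review bot: The `(size_t)` cast on the three row-offset products in the memmove and _TIFFmemset calls only widens the arithmetic where `size_t` is 64-bit; on ILP32 targets `size_t` is 32 bits, so `(size_t)(tile_ysize - i_row - 1) * tile_xsize` still wraps for tiles whose dimension product exceeds 32 bits, and safety there rests on the raster allocation for such a tile having already failed earlier in the function, which this hunk does not show. The enclosing TIFFReadRGBATileExt body starts and ends outside the hunk, so the declared types of `i_row`, `tile_xsize` and `tile_ysize` are not visible here; the cast is the right fix if they are narrower than `size_t` (presumably uint32_t, matching the function's other parameters), and a no-op otherwise. That assumption is worth recording beside the first changed line, e.g. `/* compute the row offset in size_t so tiles > 2 GB cannot wrap the raster pointer (CVE-2022-3970); relies on 64-bit size_t */`. The backport carries no regression input; the oss-fuzz issue cited in the patch header is the only pointer to a reproducer, so keeping that reference intact in the spec changelog would help later rebases.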
@@ -17,6 +17,7 @@ Patch0005: 0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch
 Patch0006: 0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
 Patch0007: 0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
 Patch0008: 0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch
+Patch0009: 0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
 
 BuildRequires: gcc, gcc-c++
 
@@ -170,6 +171,10 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Tue Dec 06 2022 Matej Mužila - 4.4.0-7
+- Fix CVE-2022-3970
+- Resolves: CVE-2022-3970
+
 * Mon Dec 05 2022 Matej Mužila - 4.4.0-6
 - Fix CVE-2022-3597 CVE-2022-3626 CVE-2022-3599 CVE-2022-3570 CVE-2022-3598 CVE-2022-3627