backport documentation change for CVE-2023-52355 (RHEL-179103)
fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159311) Resolves: RHEL-179103 Resolves: RHEL-159311
This commit is contained in:
parent
90e9117053
commit
6aa001cc06
220
libtiff-4.6.0-CVE-2023-52355.patch
Normal file
220
libtiff-4.6.0-CVE-2023-52355.patch
Normal file
@ -0,0 +1,220 @@
|
||||
diff -up tiff-4.6.0/doc/conf.py.CVE-2023-52355 tiff-4.6.0/doc/conf.py
|
||||
--- tiff-4.6.0/doc/conf.py.CVE-2023-52355 2023-08-16 15:14:23.000000000 +0200
|
||||
+++ tiff-4.6.0/doc/conf.py 2026-06-03 09:57:30.411829074 +0200
|
||||
@@ -124,6 +124,7 @@ man_pages = [
|
||||
('functions/TIFFmemory', 'TIFFmemory', 'memory management-related functions for use with TIFF files', author, '3tiff'),
|
||||
('functions/TIFFMergeFieldInfo', 'TIFFMergeFieldInfo', 'add application-defined TIFF tags to the list of known libtiff tags', author, '3tiff'),
|
||||
('functions/TIFFOpen', 'TIFFOpen', 'open a TIFF file for reading or writing', author, '3tiff'),
|
||||
+ ('functions/TIFFOpenOptions', 'TIFFOpenOptions', 'a structure that can be passed to the TIFF open"Ext" functions to define internal settings', author, '3tiff'),
|
||||
('functions/TIFFPrintDirectory', 'TIFFPrintDirectory', 'print a description of a TIFF directory', author, '3tiff'),
|
||||
('functions/TIFFProcFunctions', 'TIFFProcFunctions', 'set TIFF processing functions', author, '3tiff'),
|
||||
('functions/TIFFquery', 'TIFFquery', 'query routines', author, '3tiff'),
|
||||
diff -up tiff-4.6.0/doc/functions/TIFFDeferStrileArrayWriting.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFDeferStrileArrayWriting.rst
|
||||
--- tiff-4.6.0/doc/functions/TIFFDeferStrileArrayWriting.rst.CVE-2023-52355 2023-05-22 15:49:02.000000000 +0200
|
||||
+++ tiff-4.6.0/doc/functions/TIFFDeferStrileArrayWriting.rst 2026-06-03 09:52:37.234152512 +0200
|
||||
@@ -61,6 +61,11 @@ Diagnostics
|
||||
All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
|
||||
Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
|
||||
|
||||
+Note
|
||||
+----
|
||||
+
|
||||
+This functionality was introduced with libtiff 4.1.
|
||||
+
|
||||
See also
|
||||
--------
|
||||
|
||||
diff -up tiff-4.6.0/doc/functions/TIFFError.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFError.rst
|
||||
--- tiff-4.6.0/doc/functions/TIFFError.rst.CVE-2023-52355 2023-05-22 15:49:02.000000000 +0200
|
||||
+++ tiff-4.6.0/doc/functions/TIFFError.rst 2026-06-03 09:52:37.234305928 +0200
|
||||
@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`.
|
||||
Furthermore, a **custom defined data structure** *user_data* for the
|
||||
error handler can be given along.
|
||||
|
||||
+Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the
|
||||
+application-specific handler introduced with libtiff 4.5.
|
||||
+
|
||||
Note
|
||||
----
|
||||
|
||||
diff -up tiff-4.6.0/doc/functions/TIFFOpenOptions.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFOpenOptions.rst
|
||||
--- tiff-4.6.0/doc/functions/TIFFOpenOptions.rst.CVE-2023-52355 2023-05-22 15:49:02.000000000 +0200
|
||||
+++ tiff-4.6.0/doc/functions/TIFFOpenOptions.rst 2026-06-03 09:52:37.234592473 +0200
|
||||
@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:`
|
||||
:c:func:`TIFFOpenOptionsFree` releases the allocated memory for
|
||||
:c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions`
|
||||
can be released straight after successful execution of the related
|
||||
-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`.
|
||||
+TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`.
|
||||
|
||||
:c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the
|
||||
maximum single memory limit in byte that ``libtiff`` internal memory allocation
|
||||
functions are allowed to request per call.
|
||||
|
||||
+.. note::
|
||||
+ However, the ``libtiff`` external functions :c:func:`_TIFFmalloc`
|
||||
+ and :c:func:`_TIFFrealloc` **do not apply** this internal memory
|
||||
+ allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`!
|
||||
+
|
||||
:c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to
|
||||
an application-specific and per-TIFF handle (re-entrant) error handler.
|
||||
Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data*
|
||||
@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument ma
|
||||
:c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler,
|
||||
which is invoked through :c:func:`TIFFWarningExtR`
|
||||
|
||||
+Example
|
||||
+-------
|
||||
+
|
||||
+::
|
||||
+
|
||||
+ #include "tiffio.h"
|
||||
+
|
||||
+ typedef struct MyErrorHandlerUserDataStruct
|
||||
+ {
|
||||
+ /* ... any user data structure ... */
|
||||
+ } MyErrorHandlerUserDataStruct;
|
||||
+
|
||||
+ static int myErrorHandler(TIFF *tiff, void *user_data, const char *module,
|
||||
+ const char *fmt, va_list ap)
|
||||
+ {
|
||||
+ MyErrorHandlerUserDataStruct *errorhandler_user_data =
|
||||
+ (MyErrorHandlerUserDataStruct *)user_data;
|
||||
+ /*... code of myErrorHandler ...*/
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ main()
|
||||
+ {
|
||||
+ tmsize_t limit = (256 * 1024 * 1024);
|
||||
+ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */};
|
||||
+
|
||||
+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
|
||||
+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
|
||||
+ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data);
|
||||
+ TIFF *tif = TIFFOpenExt("foo.tif", "r", opts);
|
||||
+ TIFFOpenOptionsFree(opts);
|
||||
+ /* ... go on here ... */
|
||||
+
|
||||
+ TIFFClose(tif);
|
||||
+ }
|
||||
+
|
||||
Note
|
||||
----
|
||||
|
||||
diff -up tiff-4.6.0/doc/functions/TIFFOpen.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFOpen.rst
|
||||
--- tiff-4.6.0/doc/functions/TIFFOpen.rst.CVE-2023-52355 2023-05-22 16:03:41.000000000 +0200
|
||||
+++ tiff-4.6.0/doc/functions/TIFFOpen.rst 2026-06-03 09:52:37.234439597 +0200
|
||||
@@ -94,8 +94,9 @@ TIFF structure without closing the file
|
||||
file should be closed using its file descriptor *fd*.
|
||||
|
||||
:c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`,
|
||||
-but options, such as re-entrant error and warning handlers may be passed
|
||||
-with the *opts* argument. The *opts* argument may be NULL.
|
||||
+but options, such as re-entrant error and warning handlers and a limit in byte
|
||||
+that libtiff internal memory allocation functions are allowed to request per call
|
||||
+may be passed with the *opts* argument. The *opts* argument may be NULL.
|
||||
Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument
|
||||
parameters. The allocated memory for :c:type:`TIFFOpenOptions`
|
||||
can be released straight after successful execution of the related
|
||||
@@ -105,9 +106,7 @@ can be released straight after successfu
|
||||
but opens a TIFF file with a Unicode filename.
|
||||
|
||||
:c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`,
|
||||
-but options, such as re-entrant error and warning handlers may be passed
|
||||
-with the *opts* argument. The *opts* argument may be NULL.
|
||||
-Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument.
|
||||
+but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed.
|
||||
|
||||
:c:func:`TIFFSetFileName` sets the file name in the tif-structure
|
||||
and returns the old file name.
|
||||
@@ -326,5 +325,5 @@ See also
|
||||
|
||||
:doc:`libtiff` (3tiff),
|
||||
:doc:`TIFFClose` (3tiff),
|
||||
-:doc:`TIFFStrileQuery`,
|
||||
+:doc:`TIFFStrileQuery` (3tiff),
|
||||
:doc:`TIFFOpenOptions`
|
||||
\ No newline at end of file
|
||||
diff -up tiff-4.6.0/doc/functions/TIFFStrileQuery.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFStrileQuery.rst
|
||||
--- tiff-4.6.0/doc/functions/TIFFStrileQuery.rst.CVE-2023-52355 2023-05-22 15:49:02.000000000 +0200
|
||||
+++ tiff-4.6.0/doc/functions/TIFFStrileQuery.rst 2026-06-03 09:52:37.234691247 +0200
|
||||
@@ -66,6 +66,11 @@ Diagnostics
|
||||
All error messages are directed to the :c:func:`TIFFErrorExtR` routine.
|
||||
Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine.
|
||||
|
||||
+Note
|
||||
+----
|
||||
+
|
||||
+This functionality was introduced with libtiff 4.1.
|
||||
+
|
||||
See also
|
||||
--------
|
||||
|
||||
diff -up tiff-4.6.0/doc/libtiff.rst.CVE-2023-52355 tiff-4.6.0/doc/libtiff.rst
|
||||
--- tiff-4.6.0/doc/libtiff.rst.CVE-2023-52355 2023-05-22 15:48:36.000000000 +0200
|
||||
+++ tiff-4.6.0/doc/libtiff.rst 2026-06-03 09:52:37.234832360 +0200
|
||||
@@ -90,11 +90,15 @@ compatibility on machines with a segment
|
||||
:c:func:`realloc`, and :c:func:`free` routines in the C library.)
|
||||
|
||||
To deal with segmented pointer issues ``libtiff`` also provides
|
||||
-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove`
|
||||
+:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp`
|
||||
routines that mimic the equivalent ANSI C routines, but that are
|
||||
intended for use with memory allocated through :c:func:`_TIFFmalloc`
|
||||
and :c:func:`_TIFFrealloc`.
|
||||
|
||||
+With ``libtiff`` 4.5 a method was introduced to limit the internal
|
||||
+memory allocation that functions are allowed to request per call
|
||||
+(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`).
|
||||
+
|
||||
Error Handling
|
||||
--------------
|
||||
|
||||
@@ -106,6 +110,10 @@ routine that can be specified with a cal
|
||||
Likewise warning messages are directed to a single handler routine
|
||||
that can be specified with a call to :c:func:`TIFFSetWarningHandler`
|
||||
|
||||
+Further application-specific and per-TIFF handle (re-entrant) error handler
|
||||
+and warning handler can be set. Please refer to :doc:`/functions/TIFFError`
|
||||
+and :doc:`/functions/TIFFOpenOptions`.
|
||||
+
|
||||
Basic File Handling
|
||||
-------------------
|
||||
|
||||
@@ -139,7 +147,7 @@ a ``"w"`` argument:
|
||||
main()
|
||||
{
|
||||
TIFF* tif = TIFFOpen("foo.tif", "w");
|
||||
- ... do stuff ...
|
||||
+ /* ... do stuff ... */
|
||||
TIFFClose(tif);
|
||||
}
|
||||
|
||||
@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c
|
||||
buffered information to a file. Note that if you call :c:func:`TIFFClose`
|
||||
you do not need to call :c:func:`TIFFFlush`.
|
||||
|
||||
+.. warning::
|
||||
+
|
||||
+ In order to prevent out-of-memory issues when opening a TIFF file
|
||||
+ :c:func:`TIFFOpenExt` can be used and then the maximum single memory
|
||||
+ limit in byte that ``libtiff`` internal memory allocation functions
|
||||
+ are allowed to request per call can be set with
|
||||
+ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`.
|
||||
+
|
||||
+Example
|
||||
+
|
||||
+::
|
||||
+
|
||||
+ tmsize_t limit = (256 * 1024 * 1024);
|
||||
+ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
|
||||
+ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
|
||||
+ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);
|
||||
+ TIFFOpenOptionsFree(opts);
|
||||
+ /* ... go on here ... */
|
||||
+
|
||||
TIFF Directories
|
||||
----------------
|
||||
|
||||
40
libtiff-4.6.0-CVE-2026-4775.patch
Normal file
40
libtiff-4.6.0-CVE-2026-4775.patch
Normal file
@ -0,0 +1,40 @@
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index 4543dddaefd9818494635f3912c8b22f772e6ba9..fa82d09105490cca6720a5dd934c51f19052ebe0 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -2224,7 +2224,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
|
||||
uint32_t *cp1 = cp + w + toskew;
|
||||
uint32_t *cp2 = cp1 + w + toskew;
|
||||
uint32_t *cp3 = cp2 + w + toskew;
|
||||
- int32_t incr = 3 * w + 4 * toskew;
|
||||
+ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
|
||||
|
||||
(void)y;
|
||||
/* adjust fromskew */
|
||||
@@ -2364,7 +2364,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile)
|
||||
DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
|
||||
{
|
||||
uint32_t *cp1 = cp + w + toskew;
|
||||
- int32_t incr = 2 * toskew + w;
|
||||
+ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
|
||||
|
||||
(void)y;
|
||||
fromskew = (fromskew / 4) * (4 * 2 + 2);
|
||||
@@ -2522,7 +2522,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
|
||||
DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
|
||||
{
|
||||
uint32_t *cp2;
|
||||
- int32_t incr = 2 * toskew + w;
|
||||
+ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
|
||||
(void)y;
|
||||
fromskew = (fromskew / 2) * (2 * 2 + 2);
|
||||
cp2 = cp + w + toskew;
|
||||
@@ -2625,7 +2625,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
|
||||
DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
|
||||
{
|
||||
uint32_t *cp2;
|
||||
- int32_t incr = 2 * toskew + w;
|
||||
+ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
|
||||
(void)y;
|
||||
fromskew = (fromskew / 1) * (1 * 2 + 2);
|
||||
cp2 = cp + w + toskew;
|
||||
14
libtiff.spec
14
libtiff.spec
@ -1,7 +1,7 @@
|
||||
Summary: Library of functions for manipulating TIFF format image files
|
||||
Name: libtiff
|
||||
Version: 4.6.0
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: libtiff
|
||||
URL: http://www.simplesystems.org/libtiff/
|
||||
|
||||
@ -18,6 +18,12 @@ Patch2: libtiff-4.6.0-cve-2025-9900.patch
|
||||
# from upstream, for <=4.6.0, RHEL-148253
|
||||
# https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch
|
||||
Patch3: libtiff-4.6.0-CVE-2023-52356.patch
|
||||
# from upstream, for <= 4.7.1, RHEL-159311
|
||||
# https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
|
||||
Patch4: libtiff-4.6.0-CVE-2026-4775.patch
|
||||
# from upstream, for < 4.7.0, RHEL-179103
|
||||
# https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4
|
||||
Patch5: libtiff-4.6.0-CVE-2023-52355.patch
|
||||
|
||||
BuildRequires: gcc, gcc-c++
|
||||
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel
|
||||
@ -72,6 +78,8 @@ image files using the libtiff library.
|
||||
%patch -P 1 -p1 -b .CVE-2024-7006
|
||||
%patch -P 2 -p1 -b .cve-2025-9900
|
||||
%patch -P 3 -p1 -b .CVE-2023-52356
|
||||
%patch -P 4 -p1 -b .CVE-2026-4775
|
||||
%patch -P 5 -p1 -b .CVE-2023-52355
|
||||
|
||||
# Use build system's libtool.m4, not the one in the package.
|
||||
rm -f libtool.m4
|
||||
@ -170,6 +178,10 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Wed Jun 03 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.6.0-9
|
||||
- backport documentation change for CVE-2023-52355 (RHEL-179103)
|
||||
- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159311)
|
||||
|
||||
* Fri Feb 20 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.6.0-8
|
||||
- fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-148253)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user