diff --git a/libtiff-4.6.0-CVE-2023-52355.patch b/libtiff-4.6.0-CVE-2023-52355.patch new file mode 100644 index 0000000..49906c8 --- /dev/null +++ b/libtiff-4.6.0-CVE-2023-52355.patch @@ -0,0 +1,220 @@ +diff -up tiff-4.6.0/doc/conf.py.CVE-2023-52355 tiff-4.6.0/doc/conf.py +--- tiff-4.6.0/doc/conf.py.CVE-2023-52355 2023-08-16 15:14:23.000000000 +0200 ++++ tiff-4.6.0/doc/conf.py 2026-06-03 09:57:30.411829074 +0200 +@@ -124,6 +124,7 @@ man_pages = [ + ('functions/TIFFmemory', 'TIFFmemory', 'memory management-related functions for use with TIFF files', author, '3tiff'), + ('functions/TIFFMergeFieldInfo', 'TIFFMergeFieldInfo', 'add application-defined TIFF tags to the list of known libtiff tags', author, '3tiff'), + ('functions/TIFFOpen', 'TIFFOpen', 'open a TIFF file for reading or writing', author, '3tiff'), ++ ('functions/TIFFOpenOptions', 'TIFFOpenOptions', 'a structure that can be passed to the TIFF open"Ext" functions to define internal settings', author, '3tiff'), + ('functions/TIFFPrintDirectory', 'TIFFPrintDirectory', 'print a description of a TIFF directory', author, '3tiff'), + ('functions/TIFFProcFunctions', 'TIFFProcFunctions', 'set TIFF processing functions', author, '3tiff'), + ('functions/TIFFquery', 'TIFFquery', 'query routines', author, '3tiff'), +diff -up tiff-4.6.0/doc/functions/TIFFDeferStrileArrayWriting.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFDeferStrileArrayWriting.rst +--- tiff-4.6.0/doc/functions/TIFFDeferStrileArrayWriting.rst.CVE-2023-52355 2023-05-22 15:49:02.000000000 +0200 ++++ tiff-4.6.0/doc/functions/TIFFDeferStrileArrayWriting.rst 2026-06-03 09:52:37.234152512 +0200 +@@ -61,6 +61,11 @@ Diagnostics + All error messages are directed to the :c:func:`TIFFErrorExtR` routine. + Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. + ++Note ++---- ++ ++This functionality was introduced with libtiff 4.1. ++ + See also + -------- + +diff -up tiff-4.6.0/doc/functions/TIFFError.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFError.rst +--- tiff-4.6.0/doc/functions/TIFFError.rst.CVE-2023-52355 2023-05-22 15:49:02.000000000 +0200 ++++ tiff-4.6.0/doc/functions/TIFFError.rst 2026-06-03 09:52:37.234305928 +0200 +@@ -65,6 +65,9 @@ or :c:func:`TIFFClientOpenExt`. + Furthermore, a **custom defined data structure** *user_data* for the + error handler can be given along. + ++Please refer to :doc:`/functions/TIFFOpenOptions` for how to setup the ++application-specific handler introduced with libtiff 4.5. ++ + Note + ---- + +diff -up tiff-4.6.0/doc/functions/TIFFOpenOptions.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFOpenOptions.rst +--- tiff-4.6.0/doc/functions/TIFFOpenOptions.rst.CVE-2023-52355 2023-05-22 15:49:02.000000000 +0200 ++++ tiff-4.6.0/doc/functions/TIFFOpenOptions.rst 2026-06-03 09:52:37.234592473 +0200 +@@ -38,12 +38,17 @@ opaque structure and returns a :c:type:` + :c:func:`TIFFOpenOptionsFree` releases the allocated memory for + :c:type:`TIFFOpenOptions`. The allocated memory for :c:type:`TIFFOpenOptions` + can be released straight after successful execution of the related +-TIFF open"Ext" functions like :c:func:`TIFFOpenExt`. ++TIFFOpen"Ext" functions like :c:func:`TIFFOpenExt`. + + :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` sets parameter for the + maximum single memory limit in byte that ``libtiff`` internal memory allocation + functions are allowed to request per call. + ++.. note:: ++ However, the ``libtiff`` external functions :c:func:`_TIFFmalloc` ++ and :c:func:`_TIFFrealloc` **do not apply** this internal memory ++ allocation limit set by :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`! ++ + :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` sets the function pointer to + an application-specific and per-TIFF handle (re-entrant) error handler. + Furthermore, a pointer to a **custom defined data structure** *errorhandler_user_data* +@@ -55,6 +60,43 @@ The *errorhandler_user_data* argument ma + :c:func:`TIFFOpenOptionsSetErrorHandlerExtR` but for the warning handler, + which is invoked through :c:func:`TIFFWarningExtR` + ++Example ++------- ++ ++:: ++ ++ #include "tiffio.h" ++ ++ typedef struct MyErrorHandlerUserDataStruct ++ { ++ /* ... any user data structure ... */ ++ } MyErrorHandlerUserDataStruct; ++ ++ static int myErrorHandler(TIFF *tiff, void *user_data, const char *module, ++ const char *fmt, va_list ap) ++ { ++ MyErrorHandlerUserDataStruct *errorhandler_user_data = ++ (MyErrorHandlerUserDataStruct *)user_data; ++ /*... code of myErrorHandler ...*/ ++ return 1; ++ } ++ ++ ++ main() ++ { ++ tmsize_t limit = (256 * 1024 * 1024); ++ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */}; ++ ++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); ++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); ++ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data); ++ TIFF *tif = TIFFOpenExt("foo.tif", "r", opts); ++ TIFFOpenOptionsFree(opts); ++ /* ... go on here ... */ ++ ++ TIFFClose(tif); ++ } ++ + Note + ---- + +diff -up tiff-4.6.0/doc/functions/TIFFOpen.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFOpen.rst +--- tiff-4.6.0/doc/functions/TIFFOpen.rst.CVE-2023-52355 2023-05-22 16:03:41.000000000 +0200 ++++ tiff-4.6.0/doc/functions/TIFFOpen.rst 2026-06-03 09:52:37.234439597 +0200 +@@ -94,8 +94,9 @@ TIFF structure without closing the file + file should be closed using its file descriptor *fd*. + + :c:func:`TIFFOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFOpen`, +-but options, such as re-entrant error and warning handlers may be passed +-with the *opts* argument. The *opts* argument may be NULL. ++but options, such as re-entrant error and warning handlers and a limit in byte ++that libtiff internal memory allocation functions are allowed to request per call ++may be passed with the *opts* argument. The *opts* argument may be NULL. + Refer to :doc:`TIFFOpenOptions` for allocating and filling the *opts* argument + parameters. The allocated memory for :c:type:`TIFFOpenOptions` + can be released straight after successful execution of the related +@@ -105,9 +106,7 @@ can be released straight after successfu + but opens a TIFF file with a Unicode filename. + + :c:func:`TIFFFdOpenExt` (added in libtiff 4.5) is like :c:func:`TIFFFdOpen`, +-but options, such as re-entrant error and warning handlers may be passed +-with the *opts* argument. The *opts* argument may be NULL. +-Refer to :doc:`TIFFOpenOptions` for filling the *opts* argument. ++but options argument *opts* like for :c:func:`TIFFOpenExt` can be passed. + + :c:func:`TIFFSetFileName` sets the file name in the tif-structure + and returns the old file name. +@@ -326,5 +325,5 @@ See also + + :doc:`libtiff` (3tiff), + :doc:`TIFFClose` (3tiff), +-:doc:`TIFFStrileQuery`, ++:doc:`TIFFStrileQuery` (3tiff), + :doc:`TIFFOpenOptions` +\ No newline at end of file +diff -up tiff-4.6.0/doc/functions/TIFFStrileQuery.rst.CVE-2023-52355 tiff-4.6.0/doc/functions/TIFFStrileQuery.rst +--- tiff-4.6.0/doc/functions/TIFFStrileQuery.rst.CVE-2023-52355 2023-05-22 15:49:02.000000000 +0200 ++++ tiff-4.6.0/doc/functions/TIFFStrileQuery.rst 2026-06-03 09:52:37.234691247 +0200 +@@ -66,6 +66,11 @@ Diagnostics + All error messages are directed to the :c:func:`TIFFErrorExtR` routine. + Likewise, warning messages are directed to the :c:func:`TIFFWarningExtR` routine. + ++Note ++---- ++ ++This functionality was introduced with libtiff 4.1. ++ + See also + -------- + +diff -up tiff-4.6.0/doc/libtiff.rst.CVE-2023-52355 tiff-4.6.0/doc/libtiff.rst +--- tiff-4.6.0/doc/libtiff.rst.CVE-2023-52355 2023-05-22 15:48:36.000000000 +0200 ++++ tiff-4.6.0/doc/libtiff.rst 2026-06-03 09:52:37.234832360 +0200 +@@ -90,11 +90,15 @@ compatibility on machines with a segment + :c:func:`realloc`, and :c:func:`free` routines in the C library.) + + To deal with segmented pointer issues ``libtiff`` also provides +-:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemmove` ++:c:func:`_TIFFmemcpy`, :c:func:`_TIFFmemset`, and :c:func:`_TIFFmemcmp` + routines that mimic the equivalent ANSI C routines, but that are + intended for use with memory allocated through :c:func:`_TIFFmalloc` + and :c:func:`_TIFFrealloc`. + ++With ``libtiff`` 4.5 a method was introduced to limit the internal ++memory allocation that functions are allowed to request per call ++(see :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc` and :c:func:`TIFFOpenExt`). ++ + Error Handling + -------------- + +@@ -106,6 +110,10 @@ routine that can be specified with a cal + Likewise warning messages are directed to a single handler routine + that can be specified with a call to :c:func:`TIFFSetWarningHandler` + ++Further application-specific and per-TIFF handle (re-entrant) error handler ++and warning handler can be set. Please refer to :doc:`/functions/TIFFError` ++and :doc:`/functions/TIFFOpenOptions`. ++ + Basic File Handling + ------------------- + +@@ -139,7 +147,7 @@ a ``"w"`` argument: + main() + { + TIFF* tif = TIFFOpen("foo.tif", "w"); +- ... do stuff ... ++ /* ... do stuff ... */ + TIFFClose(tif); + } + +@@ -157,6 +165,25 @@ to always call :c:func:`TIFFClose` or :c + buffered information to a file. Note that if you call :c:func:`TIFFClose` + you do not need to call :c:func:`TIFFFlush`. + ++.. warning:: ++ ++ In order to prevent out-of-memory issues when opening a TIFF file ++ :c:func:`TIFFOpenExt` can be used and then the maximum single memory ++ limit in byte that ``libtiff`` internal memory allocation functions ++ are allowed to request per call can be set with ++ :c:func:`TIFFOpenOptionsSetMaxSingleMemAlloc`. ++ ++Example ++ ++:: ++ ++ tmsize_t limit = (256 * 1024 * 1024); ++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); ++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); ++ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts); ++ TIFFOpenOptionsFree(opts); ++ /* ... go on here ... */ ++ + TIFF Directories + ---------------- + diff --git a/libtiff-4.6.0-CVE-2026-4775.patch b/libtiff-4.6.0-CVE-2026-4775.patch new file mode 100644 index 0000000..1c23907 --- /dev/null +++ b/libtiff-4.6.0-CVE-2026-4775.patch @@ -0,0 +1,40 @@ +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 4543dddaefd9818494635f3912c8b22f772e6ba9..fa82d09105490cca6720a5dd934c51f19052ebe0 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -2224,7 +2224,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + uint32_t *cp1 = cp + w + toskew; + uint32_t *cp2 = cp1 + w + toskew; + uint32_t *cp3 = cp2 + w + toskew; +- int32_t incr = 3 * w + 4 * toskew; ++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew; + + (void)y; + /* adjust fromskew */ +@@ -2364,7 +2364,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr44tile) + DECLAREContigPutFunc(putcontig8bitYCbCr42tile) + { + uint32_t *cp1 = cp + w + toskew; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + + (void)y; + fromskew = (fromskew / 4) * (4 * 2 + 2); +@@ -2522,7 +2522,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile) + DECLAREContigPutFunc(putcontig8bitYCbCr22tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 2) * (2 * 2 + 2); + cp2 = cp + w + toskew; +@@ -2625,7 +2625,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile) + DECLAREContigPutFunc(putcontig8bitYCbCr12tile) + { + uint32_t *cp2; +- int32_t incr = 2 * toskew + w; ++ const tmsize_t incr = 2 * (tmsize_t)toskew + w; + (void)y; + fromskew = (fromskew / 1) * (1 * 2 + 2); + cp2 = cp + w + toskew; diff --git a/libtiff.spec b/libtiff.spec index 3b4e8bb..87b3402 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.6.0 -Release: 8%{?dist} +Release: 9%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -18,6 +18,12 @@ Patch2: libtiff-4.6.0-cve-2025-9900.patch # from upstream, for <=4.6.0, RHEL-148253 # https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch Patch3: libtiff-4.6.0-CVE-2023-52356.patch +# from upstream, for <= 4.7.1, RHEL-159311 +# https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c +Patch4: libtiff-4.6.0-CVE-2026-4775.patch +# from upstream, for < 4.7.0, RHEL-179103 +# https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4 +Patch5: libtiff-4.6.0-CVE-2023-52355.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel @@ -72,6 +78,8 @@ image files using the libtiff library. %patch -P 1 -p1 -b .CVE-2024-7006 %patch -P 2 -p1 -b .cve-2025-9900 %patch -P 3 -p1 -b .CVE-2023-52356 +%patch -P 4 -p1 -b .CVE-2026-4775 +%patch -P 5 -p1 -b .CVE-2023-52355 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -170,6 +178,10 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check %{_mandir}/man1/* %changelog +* Wed Jun 03 2026 Michal Hlavinka - 4.6.0-9 +- backport documentation change for CVE-2023-52355 (RHEL-179103) +- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159311) + * Fri Feb 20 2026 Michal Hlavinka - 4.6.0-8 - fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-148253)