Import from CS git

2025-10-30 14:15:09 +00:00 · 2025-10-30 14:15:09 +00:00 · 722e4b6baa
commit 722e4b6baa
parent f03c6faa2b
2 changed files with 60 additions and 1 deletions
--- a/SOURCES/RHEL-112533.patch
+++ b/SOURCES/RHEL-112533.patch
@ -0,0 +1,51 @@
+From 3e164d0fa9c48dbdc76620442ffbb02de9e5724e Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 4f32b3a..70a0362 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -511,6 +511,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 		"No \"put\" routine setupl; probably can not handle image format");
+ 		return (0);
+     }
+    /* Verify raster width and height against image width and height. */
+    if (h > img->height)
+    {
+        /* Adapt parameters to read only available lines and put image at
+         * the bottom of the raster. */
+        raster += (size_t)(h - img->height) * w;
+        h = img->height;
+    }
+    if (w > img->width)
+    {
+        TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
+                        "Raster width of %d shall not be larger than image "
+                        "width of %d -> raster width adapted for reading",
+                        w, img->width);
+        w = img->width;
+    }
+     return (*img->get)(img, raster, w, h);
+ }
+ 
+@@ -529,9 +545,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+ 
+ 	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+ 		img.req_orientation = (uint16)orientation;
+-		/* XXX verify rwidth and rheight against width and height */
+-		ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+-			rwidth, img.height);
+		ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ 		TIFFRGBAImageEnd(&img);
+ 	} else {
+ 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
+-- 
+2.47.3
+
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       34%{?dist}
+Release:       35%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@ -63,6 +63,10 @@ Patch44:       libtiff-4.6.0-CVE-2024-7006.patch
 # https://gitlab.com/libtiff/libtiff/-/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655
 Patch45:       libtiff-4.0.9-CVE-2017-17095.patch

+# Fix buffer underflow crash for less raster rows at TIFFReadRGBAImageOriented(), RHEL-112533
+# CVE-2025-9900
+Patch46:       RHEL-112533.patch
+
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
@ -215,6 +219,10 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Tue Oct 14 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.0.9-35
+- fix CVE-2025-9900: buffer underflow crash in TIFFReadRGBAImageOriented()
+  (RHEL-112533)
+
 * Tue Apr 22 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-34
 - fix CVE-2017-17095: heap-based buffer overflow in pal2rgb (RHEL-87363)