From 722e4b6baacd98a5ed2373483a576472d0d85f5d Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 30 Oct 2025 14:15:09 +0000 Subject: [PATCH] Import from CS git --- SOURCES/RHEL-112533.patch | 51 +++++++++++++++++++++++++++++++++++++++ SPECS/libtiff.spec | 10 +++++++- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 SOURCES/RHEL-112533.patch diff --git a/SOURCES/RHEL-112533.patch b/SOURCES/RHEL-112533.patch new file mode 100644 index 0000000..765e19f --- /dev/null +++ b/SOURCES/RHEL-112533.patch @@ -0,0 +1,51 @@ +From 3e164d0fa9c48dbdc76620442ffbb02de9e5724e Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Wed, 11 Jun 2025 19:45:19 +0000 +Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster + rows at TIFFReadRGBAImageOriented() + +--- + libtiff/tif_getimage.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 4f32b3a..70a0362 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -511,6 +511,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + "No \"put\" routine setupl; probably can not handle image format"); + return (0); + } ++ /* Verify raster width and height against image width and height. */ ++ if (h > img->height) ++ { ++ /* Adapt parameters to read only available lines and put image at ++ * the bottom of the raster. */ ++ raster += (size_t)(h - img->height) * w; ++ h = img->height; ++ } ++ if (w > img->width) ++ { ++ TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif), ++ "Raster width of %d shall not be larger than image " ++ "width of %d -> raster width adapted for reading", ++ w, img->width); ++ w = img->width; ++ } + return (*img->get)(img, raster, w, h); + } + +@@ -529,9 +545,7 @@ TIFFReadRGBAImageOriented(TIFF* tif, + + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) { + img.req_orientation = (uint16)orientation; +- /* XXX verify rwidth and rheight against width and height */ +- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth, +- rwidth, img.height); ++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight); + TIFFRGBAImageEnd(&img); + } else { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg); +-- +2.47.3 + diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec index 7907502..c6e1e3b 100644 --- a/SPECS/libtiff.spec +++ b/SPECS/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.9 -Release: 34%{?dist} +Release: 35%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -63,6 +63,10 @@ Patch44: libtiff-4.6.0-CVE-2024-7006.patch # https://gitlab.com/libtiff/libtiff/-/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Patch45: libtiff-4.0.9-CVE-2017-17095.patch +# Fix buffer underflow crash for less raster rows at TIFFReadRGBAImageOriented(), RHEL-112533 +# CVE-2025-9900 +Patch46: RHEL-112533.patch + BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -215,6 +219,10 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Tue Oct 14 2025 RHEL Packaging Agent - 4.0.9-35 +- fix CVE-2025-9900: buffer underflow crash in TIFFReadRGBAImageOriented() + (RHEL-112533) + * Tue Apr 22 2025 Michal Hlavinka - 4.0.9-34 - fix CVE-2017-17095: heap-based buffer overflow in pal2rgb (RHEL-87363)