rpms/libtiff
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI libtiff-4.0.9-32.el8_10

Browse Source
This commit is contained in:
eabdullin 2024-08-07 12:20:26 +00:00
parent efd5fcc0f0
commit 73027eb41a
5 changed files with 298 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
SOURCES/0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch Normal file
View File

@ -0,0 +1,37 @@
From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@mines-paris.org>
Date: Tue, 13 Mar 2018 14:39:30 +0000
Subject: [PATCH] (CVE-2018-15209) Merge branch
'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master'
ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
See merge request libtiff/libtiff!26
(cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063)
---
libtiff/tif_dirread.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index b72e6a3b..bc1ab083 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
if( nstrips == 0 )
return;
+ /* If we are going to allocate a lot of memory, make sure that the */
+ /* file is as big as needed */
+ if( tif->tif_mode == O_RDONLY &&
+ nstrips > 1000000 &&
+ (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
+ tif->tif_dir.td_stripbytecount[0] >
+ TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
+ {
+ return;
+ }
+
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

172
SOURCES/0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch Normal file
View File

@ -0,0 +1,172 @@
From 83f6ae4cce52cd4feaebf2bc4fc2d5077a10677c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 16 May 2024 14:43:44 +0200
Subject: [PATCH] (CVE-2023-25433) Merge branch
'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
tiffcrop correctly update buffersize after rotateImage() fix#520
Closes #520
See merge request libtiff/libtiff!467
(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
---
tools/tiffcrop.c | 72 ++++++++++++++++++++++++++++++++++++++----------
1 file changed, 58 insertions(+), 14 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 77923cf3..8b761874 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -529,7 +529,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
uint32, uint32, uint8 *, uint8 *);
static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
- unsigned char **);
+ unsigned char **, tsize_t *);
static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
unsigned char *);
static int invertImage(uint16, uint16, uint16, uint32, uint32,
@@ -6358,7 +6358,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
return (-1);
}
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -7578,16 +7578,20 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
+ /* rotateImage() set up a new buffer and calculates its size
+ * individually. Therefore, seg_buffs size needs to be updated
+ * accordingly. */
+
+ tsize_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %d degrees", crop->rotation);
return (-1);
}
seg_buffs[0].buffer = crop_buff;
- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
- * image->spp) * crop->combined_length;
+ seg_buffs[0].size = rot_buf_size;
}
}
else /* Separated Images */
@@ -7684,8 +7688,18 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ /* rotateImage() changes image->width, ->length, ->xres and
+ * ->yres, what it schouldn't do here, when more than one
+ * section is processed. ToDo: Therefore rotateImage() and its
+ * usage has to be reworked (e.g. like mirrorImage()) !!
+ * Furthermore, rotateImage() set up a new buffer and calculates
+ * its size individually. Therefore, seg_buffs size needs to be
+ * updated accordingly. */
+ tsize_t rot_buf_size = 0;
+ if (rotateImage(
+ crop->rotation, image, &crop->regionlist[i].width,
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %d degrees", crop->rotation);
@@ -7696,8 +7710,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop->combined_width = total_width;
crop->combined_length = total_length;
seg_buffs[i].buffer = crop_buff;
- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
- * image->spp) * crop->regionlist[i].length;
+ seg_buffs[i].size = rot_buf_size;
}
}
}
@@ -7813,7 +7826,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, NULL))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
@@ -8476,13 +8489,14 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
- uint32 *img_length, unsigned char **ibuff_ptr)
+ uint32 *img_length, unsigned char **ibuff_ptr, tsize_t *rot_buf_size)
{
int shift_width;
uint32 bytes_per_pixel, bytes_per_sample;
uint32 row, rowsize, src_offset, dst_offset;
uint32 i, col, width, length;
- uint32 colsize, buffsize, col_offset, pix_offset;
+ uint32 colsize, col_offset, pix_offset;
+ tmsize_t buffsize;
unsigned char *ibuff;
unsigned char *src;
unsigned char *dst;
@@ -8495,12 +8509,40 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
spp = image->spp;
bps = image->bps;
+ if ((spp != 0 && bps != 0 &&
+ width > (uint32)((UINT32_MAX - 7) / spp / bps)) ||
+ (spp != 0 && bps != 0 &&
+ length > (uint32)((UINT32_MAX - 7) / spp / bps)))
+ {
+ TIFFError("rotateImage", "Integer overflow detected.");
+ return (-1);
+ }
rowsize = ((bps * spp * width) + 7) / 8;
colsize = ((bps * spp * length) + 7) / 8;
if ((colsize * width) > (rowsize * length))
- buffsize = (colsize + 1) * width;
+ {
+ if (((tmsize_t)colsize + 1) != 0 &&
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - 3) /
+ ((tmsize_t)colsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
+ buffsize = ((tmsize_t)colsize + 1) * width;
+ }
else
- buffsize = (rowsize + 1) * length;
+ {
+ if (((tmsize_t)rowsize + 1) != 0 &&
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - 3) /
+ ((tmsize_t)rowsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
+ buffsize = (rowsize + 1) * length;
+ }
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
@@ -8526,6 +8568,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
return (-1);
}
_TIFFmemset(rbuff, '\0', buffsize);
+ if (rot_buf_size != NULL)
+ *rot_buf_size = buffsize;
ibuff = *ibuff_ptr;
switch (rotation)

50
SOURCES/0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch Normal file
View File

@ -0,0 +1,50 @@
From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 16 May 2024 14:54:52 +0200
Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master'
TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622)
Closes #622
See merge request libtiff/libtiff!546
(cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e)
---
libtiff/tif_getimage.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 00cd5510..4f32b3a4 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error)
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
+ if (row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row passed to TIFFReadRGBAStrip().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
+
img.row_offset = row;
img.col_offset = 0;
@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
return( 0 );
}
+ if (col >= img.width || row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row/col passed to TIFFReadRGBATile().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
+
/*
* The TIFFRGBAImageGet() function doesn't allow us to get off the
* edge of the image, even to fill an otherwise valid tile. So we

30
SOURCES/0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch Normal file
View File

@ -0,0 +1,30 @@
From 32346d49db890969d7de19e8eebff00400280926 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 9 Sep 2023 15:11:42 +0000
Subject: [PATCH] (CVE-2023-6228) Merge branch
'fix_606_tiffcp_check_also_input_compression_codec' into 'master'
tiffcp: Fixes #606. Check also codec of input image, not only from output image.
Closes #606
See merge request libtiff/libtiff!533
(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e)
---
tools/tiffcp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index fb98bd57..81ec6bbd 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -622,6 +622,8 @@ tiffcp(TIFF* in, TIFF* out)
else
CopyField(TIFFTAG_COMPRESSION, compression);
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
+ if (!TIFFIsCODECConfigured(input_compression))
+ return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
if (input_compression == COMPRESSION_JPEG) {
/* Force conversion to RGB */

11
SPECS/libtiff.spec
View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.0.9
Release: 31%{?dist}
Release: 32%{?dist}
License: libtiff
Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/
@ -50,7 +50,10 @@ Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
Patch0040: 0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch
Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch
Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch
Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -204,6 +207,10 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
* Thu May 16 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-32
- Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209
- Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406
* Fri Jan 05 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-31
- Fix CVE-2022-3599 CVE-2022-4645
- Resolves: RHEL-5399