From 8878a3cc34c571d2b3839e018fbe53fcd57c2339 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 5 Oct 2021 10:22:06 -0400
Subject: [PATCH] import libtiff-4.0.9-20.el8
---
 ...ibtiff-CVE-2020-35521_CVE-2020-35522.patch | 86 +++++++++++++++++++
 SOURCES/libtiff-CVE-2020-35523.patch | 50 +++++++++++
 SOURCES/libtiff-CVE-2020-35524.patch | 39 +++++++++
 SPECS/libtiff.spec | 17 +++-
 4 files changed, 191 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
 create mode 100644 SOURCES/libtiff-CVE-2020-35523.patch
 create mode 100644 SOURCES/libtiff-CVE-2020-35524.patch
diff --git a/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch b/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
new file mode 100644
index 0000000..83c7ae7
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
@@ -0,0 +1,86 @@
+From 1205e9800a359b4bb4f35b2a7ff5821986e74f19 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/3] enforce (configurable) memory limit in tiff2rgba
+
+fixes #207
+fixes #209
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 4de96ae..e6de220 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+
+
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -70,8 +74,11 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
+ switch (c) {
++ case 'M':
++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++ break;
+ case 'b':
+ process_by_block = 1;
+ break;
+@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++ TIFFError(TIFFFileName(in),
++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++ return 0;
++ }
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+
++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++ {
++ TIFFError(TIFFFileName(in),
++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++ return 0;
++ }
+ if( process_by_block && TIFFIsTiled( in ) )
+ return( cvt_by_tile( in, out ) );
+ else if( process_by_block )
+@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+
+ static char* stuff[] = {
+- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+ " zip\t\tZip/Deflate encoding",
+@@ -543,6 +563,7 @@ static char* stuff[] = {
+ " -b (progress by block rather than as a whole image)",
+ " -n don't emit alpha component.",
+ " -8 write BigTIFF file instead of ClassicTIFF",
++ " -M set the memory allocation limit in MiB. 0 to disable limit",
+ NULL
+ };
+
+--
+2.31.1
+
diff --git a/SOURCES/libtiff-CVE-2020-35523.patch b/SOURCES/libtiff-CVE-2020-35523.patch
new file mode 100644
index 0000000..0f2ca43
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2020-35523.patch
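Review bot: The `-M` handler added to main() in tools/tiff2rgba.c takes its argument unchecked: `strtoul(optarg, NULL, 0)` returns 0 for a non-numeric value, which silently disables the limit, and a large value overflows the signed `<< 20`. The rewrite below parses with an end pointer, rejects an empty, partly numeric or out-of-range argument, and bounds the MiB count before shifting; it needs `<errno.h>` and assumes the tool's existing `usage()` helper exits. An explicit `0` still disables the limit as the help text documents. Separately, the check added in tiffcvt() bounds only `TIFFStripSize(in)`, so whether tiled input routed to `cvt_by_tile()` is covered is not visible in these hunks and is worth confirming. main() and tiffcvt() both continue outside the hunks.

```c
		switch (c) {
		case 'M': {
			char *end;
			unsigned long mib;
			/* largest MiB count whose byte value still fits in tmsize_t */
			const uint64 max_mib =
			    ((((uint64)1 << (8 * sizeof(tmsize_t) - 1)) - 1) >> 20);

			errno = 0;
			mib = strtoul(optarg, &end, 0);
			/* reject "", "abc", "12abc", ERANGE and values that would overflow the shift */
			if (end == optarg || *end != '\0' || errno == ERANGE ||
			    (uint64)mib > max_mib)
				usage(-1);
			maxMalloc = (tmsize_t)mib << 20;
			break;
		}
		/* … unchanged: remaining option cases … */
```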
@@ -0,0 +1,50 @@
+From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow
+
+fixes #211
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index c6edd27..b1f7cc9 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -31,6 +31,7 @@
+ */
+ #include "tiffiop.h"
+ #include
++#include
+
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+
+ flip = setorientation(img);
+ if (flip & FLIP_VERTICALLY) {
+- y = h - 1;
+- toskew = -(int32)(tw + w);
++ if ((tw + w) > INT_MAX) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = h - 1;
++ toskew = -(int32)(tw + w);
+ }
+ else {
+- y = 0;
+- toskew = -(int32)(tw - w);
++ if (tw > (INT_MAX + w)) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = 0;
++ toskew = -(int32)(tw - w);
+ }
+
+ /*
+--
+2.31.1
+
diff --git a/SOURCES/libtiff-CVE-2020-35524.patch b/SOURCES/libtiff-CVE-2020-35524.patch
new file mode 100644
index 0000000..3dda4e2
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2020-35524.patch
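Review bot: Both guards added to gtTileContig() in libtiff/tif_getimage.c are evaluated in 32-bit unsigned arithmetic, so they can wrap before the comparison is made. `tw + w` is a `uint32` sum (`w` is `uint32` in the signature; `tw` is presumably declared the same way outside the hunk), so a sum of 2^32 or more passes the first check as a small wrapped value that then feeds `toskew`; in the else branch `INT_MAX + w` is converted to unsigned and wraps for `w` above 2^31, which makes that test unreliable. Widening one operand keeps both tests exact: `if ((uint64)tw + w > INT_MAX) {` and `if (tw > (uint64)INT_MAX + w) {`. The function body starts and ends outside the hunk, so any earlier bound on `tw` or `w` is not visible here.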
@@ -0,0 +1,39 @@
+From f74e26a36dd32050774f1c4a9256147fb25ae595 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Sat, 14 Nov 2020 12:53:01 +0000
+Subject: [PATCH 3/3] tiff2pdf.c: properly calculate datasize when saving to
+ JPEG YCbCr
+
+fixes #220
+---
+ tools/tiff2pdf.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index a15a3ef..db380ec 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+ (void) 0;
+ }
+- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++#ifdef JPEG_SUPPORT
++ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
++ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
++ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
++ } else
++#endif
++ {
++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
++ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++ }
+ }
+ if (k == 0) {
+ /* Assume we had overflow inside TIFFScanlineSize */
+--
+2.31.1
+
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index 44c07bb..eaffd0b 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.9
-Release: 18%{?dist}
+Release: 20%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.simplesystems.org/libtiff/
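Review bot: The new `#ifdef JPEG_SUPPORT` branch in t2p_read_tiff_size() (tools/tiff2pdf.c) has no comment saying why JPEG YCbCr output is sized as strip count times strip size rather than scanline size times length, which is the whole point of the fix. The unchanged comment just below, `/* Assume we had overflow inside TIFFScanlineSize */`, also no longer describes that path, where a zero `k` would presumably come from `TIFFStripSize()`, `TIFFNumberOfStrips()` or the multiply helper instead. I would add `/* JPEG YCbCr: size the buffer from whole strips (strip count * strip size), see issue #220 */` above the branch and reword the later comment to `/* k == 0: overflow or a zero size from the size helpers above */`. The function starts and ends outside the hunk, so how `k` is consumed afterwards is not visible here.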
@@ -23,6 +23,9 @@ Patch11: libtiff-CVE-2018-18661.patch Patch12: libtiff-CVE-2018-12900.patch Patch13: libtiff-CVE-2019-14973.patch Patch14: libtiff-CVE-2019-17546.patch +Patch15: libtiff-CVE-2020-35521_CVE-2020-35522.patch +Patch16: libtiff-CVE-2020-35523.patch +Patch17: libtiff-CVE-2020-35524.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel @@ -89,6 +92,9 @@ image files using the libtiff library. %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -192,6 +198,15 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Thu Apr 29 2021 Nikola Forró - 4.0.9-20 +- Rebuild for fixed binutils (#1954437) + +* Fri Apr 09 2021 Nikola Forró - 4.0.9-19 +- Fix CVE-2020-35521 (#1945539) +- Fix CVE-2020-35522 (#1945555) +- Fix CVE-2020-35523 (#1945542) +- Fix CVE-2020-35524 (#1945546) + * Thu Feb 20 2020 Nikola Forró - 4.0.9-18 - Fix CVE-2019-17546 (#1771372)