fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-148253)

Resolves: RHEL-148253
2026-02-20 11:24:09 +01:00 · 2026-02-20 11:24:09 +01:00 · 90e9117053
commit 90e9117053
parent bb2590da7a
2 changed files with 41 additions and 1 deletions
--- a/libtiff-4.6.0-CVE-2023-52356.patch
+++ b/libtiff-4.6.0-CVE-2023-52356.patch
@ -0,0 +1,33 @@
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 41f7dfd77e00cd878304f7a43b753efd15f75338..6fee35db28ed4682699a9c0cbdbc96134dc751e8 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
+     if (TIFFRGBAImageOK(tif, emsg) &&
+         TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
+     {
+        if (row >= img.height)
+        {
+            TIFFErrorExtR(tif, TIFFFileName(tif),
+                          "Invalid row passed to TIFFReadRGBAStrip().");
+            TIFFRGBAImageEnd(&img);
+            return (0);
+        }
+ 
+         img.row_offset = row;
+         img.col_offset = 0;
+@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
+         return (0);
+     }
+ 
+    if (col >= img.width || row >= img.height)
+    {
+        TIFFErrorExtR(tif, TIFFFileName(tif),
+                      "Invalid row/col passed to TIFFReadRGBATile().");
+        TIFFRGBAImageEnd(&img);
+        return (0);
+    }
+
+     /*
+      * The TIFFRGBAImageGet() function doesn't allow us to get off the
+      * edge of the image, even to fill an otherwise valid tile.  So we
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.6.0
-Release:       7%{?dist}
+Release:       8%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/

@ -15,6 +15,9 @@ Patch1:        libtiff-4.6.0-CVE-2024-7006.patch
 # from upstream, for < 4.7.1, RHEL-112523
 # https://gitlab.com/libtiff/libtiff/-/merge_requests/732.diff
 Patch2:        libtiff-4.6.0-cve-2025-9900.patch
+# from upstream, for <=4.6.0, RHEL-148253
+# https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch
+Patch3:        libtiff-4.6.0-CVE-2023-52356.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel
@ -68,6 +71,7 @@ image files using the libtiff library.
 %patch -P 0 -p1 -b .backup
 %patch -P 1 -p1 -b .CVE-2024-7006
 %patch -P 2 -p1 -b .cve-2025-9900
+%patch -P 3 -p1 -b .CVE-2023-52356

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -166,6 +170,9 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
 %{_mandir}/man1/*

 %changelog
+* Fri Feb 20 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.6.0-8
+- fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-148253)
+
 * Thu Jan 15 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.6.0-7
 - fix CVE-2025-9900: Out-of-Bounds Write in TIFFReadRGBAImageOriented (RHEL-112523)