From 90e9117053bc1871df1ccabcc2912976260bc60e Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Fri, 20 Feb 2026 11:24:09 +0100
Subject: [PATCH] fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-148253)

Resolves: RHEL-148253
---
 libtiff-4.6.0-CVE-2023-52356.patch | 33 ++++++++++++++++++++++++++++++
 libtiff.spec | 9 +++++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 libtiff-4.6.0-CVE-2023-52356.patch

diff --git a/libtiff-4.6.0-CVE-2023-52356.patch b/libtiff-4.6.0-CVE-2023-52356.patch
new file mode 100644
index 0000000..a492249
--- /dev/null
+++ b/libtiff-4.6.0-CVE-2023-52356.patch
@@ -0,0 +1,33 @@
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 41f7dfd77e00cd878304f7a43b753efd15f75338..6fee35db28ed4682699a9c0cbdbc96134dc751e8 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
+ if (TIFFRGBAImageOK(tif, emsg) &&
+ TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
+ {
++ if (row >= img.height)
++ {
++ TIFFErrorExtR(tif, TIFFFileName(tif),
++ "Invalid row passed to TIFFReadRGBAStrip().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
+
+ img.row_offset = row;
+ img.col_offset = 0;
+@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
+ return (0);
+ }
+
++ if (col >= img.width || row >= img.height)
++ {
++ TIFFErrorExtR(tif, TIFFFileName(tif),
++ "Invalid row/col passed to TIFFReadRGBATile().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
++
+ /*
+ * The TIFFRGBAImageGet() function doesn't allow us to get off the
+ * edge of the image, even to fill an otherwise valid tile. So we
diff --git a/libtiff.spec b/libtiff.spec
index a504ac7..3b4e8bb 100644
--- a/libtiff.spec
+++ b/libtiff.spec
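Review bot: The new patch file starts directly at `diff --git`, so the file itself records neither the CVE it fixes nor where it came from; that information lives only in the spec comment next to `Patch3:`. Text before the first `diff --git` line is ignored when the patch is applied, so two header lines such as `CVE-2023-52356: reject out-of-range row/col in TIFFReadRGBAStripExt and TIFFReadRGBATileExt` and `Origin: https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch` would keep the provenance with the code when the patch is copied to another branch. On the code itself, both new error paths call `TIFFRGBAImageEnd(&img)` before `return (0)`, and in the strip hunk the rejected `row` is the value that would otherwise be stored in `img.row_offset`. Both functions begin and end outside the embedded hunks, so their other return paths cannot be checked from here.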
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.6.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: libtiff
 URL: http://www.simplesystems.org/libtiff/
 
@@ -15,6 +15,9 @@ Patch1: libtiff-4.6.0-CVE-2024-7006.patch
 # from upstream, for < 4.7.1, RHEL-112523
 # https://gitlab.com/libtiff/libtiff/-/merge_requests/732.diff
 Patch2: libtiff-4.6.0-cve-2025-9900.patch
+# from upstream, for <=4.6.0, RHEL-148253
+# https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch
+Patch3: libtiff-4.6.0-CVE-2023-52356.patch
 
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel
@@ -68,6 +71,7 @@ image files using the libtiff library.
 %patch -P 0 -p1 -b .backup
 %patch -P 1 -p1 -b .CVE-2024-7006
 %patch -P 2 -p1 -b .cve-2025-9900
+%patch -P 3 -p1 -b .CVE-2023-52356
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -166,6 +170,9 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
 %{_mandir}/man1/*
 
 %changelog
+* Fri Feb 20 2026 Michal Hlavinka - 4.6.0-8
+- fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-148253)
+
 * Thu Jan 15 2026 Michal Hlavinka - 4.6.0-7
 - fix CVE-2025-9900: Out-of-Bounds Write in TIFFReadRGBAImageOriented (RHEL-112523)
 