fix CVE-2017-17095: heap-based buffer overflow in pal2rgb (RHEL-87363)

Resolves: RHEL-87363
2025-04-22 23:07:26 +02:00 · 2025-04-22 23:07:26 +02:00 · a1e03d6f7a
commit a1e03d6f7a
parent 21cdd75b44
2 changed files with 48 additions and 1 deletions
--- a/libtiff-4.0.9-CVE-2017-17095.patch
+++ b/libtiff-4.0.9-CVE-2017-17095.patch
@ -0,0 +1,40 @@
+From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001
+From: Nathan Baker <elitebadger@gmail.com>
+Date: Thu, 25 Jan 2018 21:28:15 +0000
+Subject: [PATCH] Add workaround to pal2rgb buffer overflow.
+
+---
+ tools/pal2rgb.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 0423598f0..01fcf9411 100644
+--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
+@@ -182,8 +182,21 @@ main(int argc, char* argv[])
+ 	{ unsigned char *ibuf, *obuf;
+ 	  register unsigned char* pp;
+ 	  register uint32 x;
+-	  ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
+-	  obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+	  tmsize_t tss_in = TIFFScanlineSize(in);
+	  tmsize_t tss_out = TIFFScanlineSize(out);
+	  if (tss_out / tss_in < 3) {
+		/*
+		 * BUG 2750: The following code does not know about chroma
+		 * subsampling of JPEG data. It assumes that the output buffer is 3x
+		 * the length of the input buffer due to exploding the palette into
+		 * RGB tuples. If this assumption is incorrect, it could lead to a
+		 * buffer overflow. Go ahead and fail now to prevent that.
+		 */
+		fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
+		return -1;
+      }
+	  ibuf = (unsigned char*)_TIFFmalloc(tss_in);
+	  obuf = (unsigned char*)_TIFFmalloc(tss_out);
+ 	  switch (config) {
+ 	  case PLANARCONFIG_CONTIG:
+ 		for (row = 0; row < imagelength; row++) {
+-- 
+GitLab
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       33%{?dist}
+Release:       34%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@ -59,6 +59,10 @@ Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
 Patch44:       libtiff-4.6.0-CVE-2024-7006.patch

+# from upstream, for < 4.0.10, RHEL-87363
+# https://gitlab.com/libtiff/libtiff/-/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655
+Patch45:       libtiff-4.0.9-CVE-2017-17095.patch
+
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
@ -211,6 +215,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Tue Apr 22 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-34
+- fix CVE-2017-17095: heap-based buffer overflow in pal2rgb (RHEL-87363)
+
 * Thu Aug 29 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-33
 - fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927)