From a4ef6233fc2495d668f303093dec3771b00d9931 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Thu, 12 Jan 2023 03:27:07 -0500 Subject: [PATCH] import libtiff-4.0.9-26.el8_7 --- ...imum-required-automake-version-to-1..patch | 3 - SOURCES/0002-Fix-Makefile.patch | 3 - .../0003-CVE-2018-5784-Fix-for-bug-2772.patch | 3 - ...x-NULL-pointer-dereference-in-TIFFPr.patch | 3 - ...2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch | 3 - ...ff2pdf-Fix-apparent-incorrect-type-f.patch | 3 - ...ibtiff-tif_print.c-TIFFPrintDirector.patch | 3 - ...WDecodeCompat-fix-potential-index-ou.patch | 3 - ...IFFWriteDirectorySec-avoid-assertion.patch | 3 - ...void-potential-int32-overflows-in-mu.patch | 3 - ...BIG-fix-potential-out-of-bounds-writ.patch | 3 - ...iff2bw-avoid-null-pointer-dereferenc.patch | 3 - ...013-bz1602597-Fix-two-resource-leaks.patch | 3 - ...heck-that-Tile-Width-Samples-Pixel-d.patch | 3 - ...ix-integer-overflow-in-_TIFFCheckMal.patch | 3 - ...GBA-interface-fix-integer-overflow-p.patch | 3 - ...VE-2020-35522-enforce-configurable-m.patch | 3 - ...tTileContig-check-Tile-width-for-ove.patch | 3 - ...iff2pdf.c-properly-calculate-datasiz.patch | 3 - ...iffcrop.c-fix-invertImage-for-bps-2-.patch | 3 - ...FFFetchStripThing-avoid-calling-memc.patch | 3 - ...FFReadDirectory-avoid-calling-memcpy.patch | 3 - ...iffset-fix-global-buffer-overflow-fo.patch | 3 - ...f_jbig.c-fix-crash-when-reading-a-fi.patch | 3 - ...ffcrop-fix-issue-380-and-382-heap-bu.patch | 3 - ...x-heap-buffer-overflow-in-tiffcp-278.patch | 3 - ...022-0909-fix-the-FPE-in-tiffcrop-393.patch | 3 - ...FFFetchNormalTag-avoid-calling-memcp.patch | 3 - ...ffcp-avoid-buffer-overflow-in-mode-s.patch | 3 - ..._TIFFClampDoubleToFloat-to-tif_aux.c.patch | 161 ++++++++++++++++ ...E-2022-2057-CVE-2022-2058-fix-the-FP.patch | 179 ++++++++++++++++++ ...E-2022-2868-tiffcrop.c-Fix-issue-352.patch | 161 ++++++++++++++++ ...E-2022-2520-CVE-2022-2521-CVE-2022-2.patch | 92 +++++++++ ...E-2022-2520-CVE-2022-2521-CVE-2022-2.patch | 32 ++++ SPECS/libtiff.spec | 22 ++- 35 files changed, 645 insertions(+), 89 
deletions(-) create mode 100644 SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch create mode 100644 SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch create mode 100644 SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch create mode 100644 SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch create mode 100644 SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch diff --git a/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch b/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch index 5486431..922631b 100644 --- a/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch +++ b/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch @@ -38,6 +38,3 @@ index 2052487c..227f228f 100644 LIBTIFF = $(top_builddir)/libtiff/libtiff.la --- -2.34.1 - diff --git a/SOURCES/0002-Fix-Makefile.patch b/SOURCES/0002-Fix-Makefile.patch index f252fff..d237372 100644 --- a/SOURCES/0002-Fix-Makefile.patch +++ b/SOURCES/0002-Fix-Makefile.patch @@ -19,6 +19,3 @@ index 3ed00d44..8a64925a 100644 tiffinfo.1.html \ tiffmedian.1.html \ tiffset.1.html \ --- -2.34.1 - diff --git a/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch b/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch index 933f6ea..1aaade9 100644 --- a/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch +++ b/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch @@ -125,6 +125,3 @@ index c69177e0..c60cb389 100644 if (image_count == 0) { dirnum = 0; --- -2.34.1 - diff --git a/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch b/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch index 0a3af0a..8148474 100644 --- a/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch +++ b/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch 
@@ -168,6 +168,3 @@ index 24d4b98a..10a588ea 100644 fprintf(fd, " %5u", td->td_transferfunction[i][l]); fputc('\n', fd); --- -2.34.1 - diff --git a/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch b/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch index c76ee4a..1021a29 100644 --- a/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch +++ b/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch @@ -150,6 +150,3 @@ index bdb91262..ef5d6a01 100644 t2p->tiff_transferfunctioncount=3; } else { t2p->tiff_transferfunctioncount=1; --- -2.34.1 - diff --git a/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch b/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch index 80522ba..e44206f 100644 --- a/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch +++ b/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch @@ -56,6 +56,3 @@ index ef5d6a01..bd23c9e5 100644 ) { t2p->tiff_transferfunctioncount=3; } else { --- -2.34.1 - diff --git a/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch b/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch index 8c23d07..6c3816b 100644 --- a/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch +++ b/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch @@ -32,6 +32,3 @@ index 10a588ea..b9b53a0f 100644 #endif } } --- -2.34.1 - diff --git a/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch b/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch index db6c0e5..e1c0322 100644 --- a/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch +++ b/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch @@ -50,6 +50,3 @@ index bc8f9c84..186ea3ca 100644 } else { *op++ = (char)code; occ--; --- -2.34.1 - 
diff --git a/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch b/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch index 58c6ff2..1fd8f7b 100644 --- a/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch +++ b/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch @@ -27,6 +27,3 @@ index c68d6d21..5d0a6699 100644 } } } --- -2.34.1 - diff --git a/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch b/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch index 22fb539..67a79f0 100644 --- a/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch +++ b/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch @@ -36,6 +36,3 @@ index 91415e96..81ffa3db 100644 } int --- -2.34.1 - diff --git a/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch b/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch index 5cbdde0..0c75963 100644 --- a/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch +++ b/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch @@ -105,6 +105,3 @@ index 2ba985a7..04100f4d 100644 #else whole_strip = 1; #endif --- -2.34.1 - diff --git a/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch b/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch index 18b6f0e..9ce55f9 100644 --- a/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch +++ b/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch @@ -117,6 +117,3 @@ index c60cb389..3862b1ca 100644 #define TRUE 1 #define FALSE 0 --- -2.34.1 - diff --git a/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch b/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch index 0eff22e..6dbf46d 100644 --- a/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch +++ b/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch 
@@ -38,6 +38,3 @@ index bd23c9e5..ff7b9c22 100644 t2p->t2p_error = T2P_ERR_ERROR; return(0); } --- -2.34.1 - diff --git a/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch b/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch index 3a25723..52c80b0 100644 --- a/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch +++ b/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch @@ -45,6 +45,3 @@ index 489459a7..96f14728 100644 tilebuf = _TIFFmalloc(tilesize); if (tilebuf == 0) return 0; --- -2.34.1 - diff --git a/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch b/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch index 713178a..8eca5e5 100644 --- a/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch +++ b/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch @@ -421,6 +421,3 @@ index 08e5dc44..d4b86314 100644 extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); --- -2.34.1 - diff --git a/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch b/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch index 4520181..9d0adc8 100644 --- a/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch +++ b/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch @@ -100,6 +100,3 @@ index ec09feaf..c6edd27c 100644 && img->stoponerr) { ret = 0; --- -2.34.1 - diff --git a/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch b/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch index a943dca..03f47a0 100644 --- a/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch +++ b/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch @@ -84,6 +84,3 @@ index 4de96aec..e6de2209 100644 NULL }; --- -2.34.1 - 
diff --git a/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch b/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch index be5176b..f150651 100644 --- a/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch +++ b/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch @@ -48,6 +48,3 @@ index c6edd27c..b1f7cc95 100644 } /* --- -2.34.1 - diff --git a/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch b/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch index 7aff264..59e4fbc 100644 --- a/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch +++ b/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch @@ -36,6 +36,3 @@ index ff7b9c22..a5db1f64 100644 } if (k == 0) { /* Assume we had overflow inside TIFFScanlineSize */ --- -2.34.1 - diff --git a/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch b/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch index eb61fab..094b908 100644 --- a/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch +++ b/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch @@ -87,6 +87,3 @@ index 3862b1ca..a6129148 100644 { *src = ~(*src); src++; --- -2.34.1 - diff --git a/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch b/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch index fb1652b..146f7b6 100644 --- a/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch +++ b/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch @@ -25,6 +25,3 @@ index 80aaf8d1..1e6f1c2f 100644 _TIFFfree(data); data=resizeddata; } --- -2.34.1 - diff --git a/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch b/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch index ef22de3..26116a2 100644 
--- a/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch +++ b/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch @@ -23,6 +23,3 @@ index 1e6f1c2f..d68aecc5 100644 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); _TIFFfree(new_sampleinfo); } --- -2.34.1 - diff --git a/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch b/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch index 49e4e9d..c07175a 100644 --- a/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch +++ b/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch @@ -34,6 +34,3 @@ index 894c9f1f..e4b0d49f 100644 } else if (TIFFFieldWriteCount(fip) > 0 || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { int ret = 1; --- -2.34.1 - diff --git a/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch b/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch index 87eb654..be0fa01 100644 --- a/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch +++ b/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch @@ -31,6 +31,3 @@ index 8136c77b..698428f0 100644 /* Setup the function pointers for encode, decode, and cleanup. */ tif->tif_setupdecode = JBIGSetupDecode; --- -2.34.1 - diff --git a/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch b/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch index af2e18d..d790f39 100644 --- a/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch +++ b/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch @@ -196,6 +196,3 @@ index a6129148..83cf80ad 100644 /* allocate a buffer if we don't have one already */ if (createImageSection(sectsize, sect_buff_ptr)) { --- -2.34.1 - 
diff --git a/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch b/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch index 769799f..bc3af27 100644 --- a/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch +++ b/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch @@ -49,6 +49,3 @@ index 96f14728..d5f1d248 100644 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { TIFFError(TIFFFileName(out), "Error, can't write strip %u", --- -2.34.1 - diff --git a/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch b/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch index 6ffaba8..70461d8 100644 --- a/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch +++ b/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch @@ -28,6 +28,3 @@ index c36a5f3f..f126f2aa 100644 goto badvaluedouble; td->td_yresolution = TIFFClampDoubleToFloat( dblval ); break; --- -2.34.1 - diff --git a/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch b/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch index b76d47f..931a2fa 100644 --- a/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch +++ b/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch @@ -25,6 +25,3 @@ index d68aecc5..b72e6a3b 100644 o[(uint32)dp->tdir_count]=0; if (data!=0) _TIFFfree(data); --- -2.34.1 - diff --git a/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch b/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch index deb2812..706254e 100644 --- a/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch +++ b/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch @@ -53,6 +53,3 @@ index d5f1d248..fb98bd57 100644 break; case 'x': pageInSeq = 1; --- -2.34.1 - 
diff --git a/SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch b/SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch
new file mode 100644
index 0000000..e8cbc0f
--- /dev/null
+++ b/SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch
@@ -0,0 +1,161 @@
+From 9ed8c91366c9f6a3c9068aee6c5a7a0fe1c5c9c8 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Tue, 12 Feb 2019 16:04:28 +0100
+Subject: [PATCH] move _TIFFClampDoubleToFloat() to tif_aux.c
+
+the same function was declared in tif_dir.c and tif_dirwrite.c
+
+see http://bugzilla.maptools.org/show_bug.cgi?id=2842
+
+(cherry picked from commit 8420a31e8ca5181ca36580cfeeca28661b348262)
+---
+ libtiff/tif_aux.c | 10 ++++++++++
+ libtiff/tif_dir.c | 20 +++++---------------
+ libtiff/tif_dirwrite.c | 12 +-----------
+ libtiff/tiffiop.h | 2 ++
+ 4 files changed, 18 insertions(+), 26 deletions(-)
+
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 38a98b67..2071d19c 100644
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -32,6 +32,7 @@
+ #include "tiffiop.h"
+ #include "tif_predict.h"
+ #include
++#include
+
+ uint32
+ _TIFFMultiply32(TIFF* tif, uint32 first, uint32 second, const char* where)
+@@ -398,6 +399,15 @@ _TIFFUInt64ToDouble(uint64 ui64)
+ }
+ }
+
++float _TIFFClampDoubleToFloat( double val )
++{
++ if( val > FLT_MAX )
++ return FLT_MAX;
++ if( val < -FLT_MAX )
++ return -FLT_MAX;
++ return (float)val;
++}
++
+ int _TIFFSeekOK(TIFF* tif, toff_t off)
+ {
+ /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index f126f2aa..ad550c65 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -31,7 +31,6 @@
+ * (and also some miscellaneous stuff)
+ */
+ #include "tiffiop.h"
+-#include
+
+ /*
+ * These are used in the backwards compatibility code...
+@@ -155,15 +154,6 @@ bad:
+ return (0);
+ }
+
+-static float TIFFClampDoubleToFloat( double val )
+-{
+- if( val > FLT_MAX )
+- return FLT_MAX;
+- if( val < -FLT_MAX )
+- return -FLT_MAX;
+- return (float)val;
+-}
+-
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -322,13 +312,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ dblval = va_arg(ap, double);
+ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+- td->td_xresolution = TIFFClampDoubleToFloat( dblval );
++ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+- td->td_yresolution = TIFFClampDoubleToFloat( dblval );
++ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -337,10 +327,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ td->td_planarconfig = (uint16) v;
+ break;
+ case TIFFTAG_XPOSITION:
+- td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
++ td->td_xposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_YPOSITION:
+- td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
++ td->td_yposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
+ break;
+ case TIFFTAG_RESOLUTIONUNIT:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -686,7 +676,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ case TIFF_SRATIONAL:
+ case TIFF_FLOAT:
+ {
+- float v2 = TIFFClampDoubleToFloat(va_arg(ap, double));
++ float v2 = _TIFFClampDoubleToFloat(va_arg(ap, double));
+ _TIFFmemcpy(val, &v2, tv_size);
+ }
+ break;
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 5d0a6699..03a9f296 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -30,7 +30,6 @@
+ * Directory Write Support Routines.
+ */
+ #include "tiffiop.h"
+-#include
+
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -948,15 +947,6 @@ bad:
+ return(0);
+ }
+
+-static float TIFFClampDoubleToFloat( double val )
+-{
+- if( val > FLT_MAX )
+- return FLT_MAX;
+- if( val < -FLT_MAX )
+- return -FLT_MAX;
+- return (float)val;
+-}
+-
+ static int8 TIFFClampDoubleToInt8( double val )
+ {
+ if( val > 127 )
+@@ -1031,7 +1021,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
+ if (tif->tif_dir.td_bitspersample<=32)
+ {
+ for (i = 0; i < count; ++i)
+- ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
++ ((float*)conv)[i] = _TIFFClampDoubleToFloat(value[i]);
+ ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
+ }
+ else
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index d4b86314..05ba735b 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -377,6 +377,8 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
+ extern double _TIFFUInt64ToDouble(uint64);
+ extern float _TIFFUInt64ToFloat(uint64);
+
++extern float _TIFFClampDoubleToFloat(double);
++
+ extern tmsize_t
+ _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
+ void **buf, tmsize_t bufsizetoalloc,
diff --git a/SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch b/SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
new file mode 100644
index 0000000..9e34aac
--- /dev/null
+++ b/SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
@@ -0,0 +1,179 @@
+From fddff26550de7a5ea9735649a74aa3829e461ae5 Mon Sep 17 00:00:00 2001
+From: 4ugustus
+Date: Sat, 11 Jun 2022 09:31:43 +0000
+Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in
+ tiffcrop (#415, #427, and #428)
+
+(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab)
+---
+ libtiff/tif_aux.c | 9 +++++++++
+ libtiff/tiffiop.h | 1 +
+ tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
+ 3 files changed, 44 insertions(+), 28 deletions(-)
+
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 2071d19c..4d1869b4 100644
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -408,6 +408,15 @@ float _TIFFClampDoubleToFloat( double val )
+ return (float)val;
+ }
+
++uint32 _TIFFClampDoubleToUInt32(double val)
++{
++ if( val < 0 )
++ return 0;
++ if( val > 0xFFFFFFFFU || val != val )
++ return 0xFFFFFFFFU;
++ return (uint32)val;
++}
++
+ int _TIFFSeekOK(TIFF* tif, toff_t off)
+ {
+ /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index 05ba735b..5b106e03 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -378,6 +378,7 @@ extern double _TIFFUInt64ToDouble(uint64);
+ extern float _TIFFUInt64ToFloat(uint64);
+
+ extern float _TIFFClampDoubleToFloat(double);
++extern uint32 _TIFFClampDoubleToUInt32(double);
+
+ extern tmsize_t
+ _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 83cf80ad..ea0b98be 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5140,17 +5140,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ {
+ if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
+ {
+- x1 = (uint32) (crop->corners[i].X1 * scale * xres);
+- x2 = (uint32) (crop->corners[i].X2 * scale * xres);
+- y1 = (uint32) (crop->corners[i].Y1 * scale * yres);
+- y2 = (uint32) (crop->corners[i].Y2 * scale * yres);
++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
+ }
+ else
+ {
+- x1 = (uint32) (crop->corners[i].X1);
+- x2 = (uint32) (crop->corners[i].X2);
+- y1 = (uint32) (crop->corners[i].Y1);
+- y2 = (uint32) (crop->corners[i].Y2);
++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+ if (x1 < 1)
+ crop->regionlist[i].x1 = 0;
+@@ -5213,17 +5213,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ {
+ if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
+ { /* User has specified pixels as reference unit */
+- tmargin = (uint32)(crop->margins[0]);
+- lmargin = (uint32)(crop->margins[1]);
+- bmargin = (uint32)(crop->margins[2]);
+- rmargin = (uint32)(crop->margins[3]);
++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
+ }
+ else
+ { /* inches or centimeters specified */
+- tmargin = (uint32)(crop->margins[0] * scale * yres);
+- lmargin = (uint32)(crop->margins[1] * scale * xres);
+- bmargin = (uint32)(crop->margins[2] * scale * yres);
+- rmargin = (uint32)(crop->margins[3] * scale * xres);
++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
+ }
+
+ if ((lmargin + rmargin) > image->width)
+@@ -5253,24 +5253,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
+ {
+ if (crop->crop_mode & CROP_WIDTH)
+- width = (uint32)crop->width;
++ width = _TIFFClampDoubleToUInt32(crop->width);
+ else
+ width = image->width - lmargin - rmargin;
+
+ if (crop->crop_mode & CROP_LENGTH)
+- length = (uint32)crop->length;
++ length = _TIFFClampDoubleToUInt32(crop->length);
+ else
+ length = image->length - tmargin - bmargin;
+ }
+ else
+ {
+ if (crop->crop_mode & CROP_WIDTH)
+- width = (uint32)(crop->width * scale * image->xres);
++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
+ else
+ width = image->width - lmargin - rmargin;
+
+ if (crop->crop_mode & CROP_LENGTH)
+- length = (uint32)(crop->length * scale * image->yres);
++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
+ else
+ length = image->length - tmargin - bmargin;
+ }
+@@ -5669,13 +5669,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+ {
+ if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
+ { /* inches or centimeters specified */
+- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8));
+- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8));
++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+ }
+ else
+ { /* Otherwise user has specified pixels as reference unit */
+- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8));
+- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8));
++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
+ }
+
+ if ((hmargin * 2.0) > (pwidth * page->hres))
+@@ -5713,13 +5713,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+ {
+ if (page->mode & PAGE_MODE_PAPERSIZE )
+ {
+- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2));
+- olength = (uint32)((plength * page->vres) - (vmargin * 2));
++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
+ }
+ else
+ {
+- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres));
+- olength = (uint32)(ilength - (vmargin * 2 * page->vres));
++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
+ }
+ }
+
+@@ -5728,6 +5728,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+ if (olength > ilength)
+ olength = ilength;
+
++ if (owidth == 0 || olength == 0)
++ {
++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
++ exit(EXIT_FAILURE);
++ }
++
+ /* Compute the number of pages required for Portrait or Landscape */
+ switch (page->orient)
+ {
diff --git a/SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch b/SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch
new file mode 100644
index 0000000..15e8d00
--- /dev/null
+++ b/SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch
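Review bot: In patch 0031, saturating the margins with `_TIFFClampDoubleToUInt32` does not make the unchanged context check `if ((lmargin + rmargin) > image->width)` in computeInputPixelOffsets safe, because the sum is still formed in 32-bit unsigned arithmetic (assuming the margins are `uint32`, as the removed casts suggest) and can wrap to a small value once one operand is clamped to 0xFFFFFFFF. A wrap-free form is `if (lmargin > image->width || rmargin > image->width - lmargin)`; the top/bottom check, which this hunk does not show, likely needs the same treatment. In computeOutputPixelOffsets the expressions `hmargin * 2` and `vmargin * 2` are likewise evaluated on the clamped values before the subtraction, so writing `hmargin * 2.0` (as the context line above them already does) would avoid the integer wrap. `_TIFFClampDoubleToUInt32` also deserves a one-line comment such as `/* saturating: negative -> 0, NaN or > UINT32_MAX -> 0xFFFFFFFF */`, since mapping NaN to the maximum is not obvious. Both tiffcrop functions start and end outside these hunks.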
@@ -0,0 +1,161 @@
+From 5d214a07db3bb8dcea8354d8f1e52f9c46264acb Mon Sep 17 00:00:00 2001
+From: Su Laus
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] (CVE-2022-2867 CVE-2022-2868) tiffcrop.c: Fix issue #352
+ heap-buffer-overflow by correcting uint32_t underflow.
+
+(cherry picked from commit 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c)
+---
+ tools/tiffcrop.c | 81 +++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 53 insertions(+), 28 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ea0b98be..5801b8f6 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5152,29 +5152,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+- if (x1 < 1)
+- crop->regionlist[i].x1 = 0;
+- else
+- crop->regionlist[i].x1 = (uint32) (x1 - 1);
++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
++ * b) Corners are expected to be submitted as top-left to bottom-right.
++ * Therefore, check that and reorder input.
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
++ */
++ uint32 aux;
++ if (x1 > x2) {
++ aux = x1;
++ x1 = x2;
++ x2 = aux;
++ }
++ if (y1 > y2) {
++ aux = y1;
++ y1 = y2;
++ y2 = aux;
++ }
++ if (x1 > image->width - 1)
++ crop->regionlist[i].x1 = image->width - 1;
++ else if (x1 > 0)
++ crop->regionlist[i].x1 = (uint32)(x1 - 1);
+
+ if (x2 > image->width - 1)
+ crop->regionlist[i].x2 = image->width - 1;
+- else
+- crop->regionlist[i].x2 = (uint32) (x2 - 1);
+- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++ else if (x2 > 0)
++ crop->regionlist[i].x2 = (uint32)(x2 - 1);
+
+- if (y1 < 1)
+- crop->regionlist[i].y1 = 0;
+- else
+- crop->regionlist[i].y1 = (uint32) (y1 - 1);
++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++
++ if (y1 > image->length - 1)
++ crop->regionlist[i].y1 = image->length - 1;
++ else if (y1 > 0)
++ crop->regionlist[i].y1 = (uint32)(y1 - 1);
+
+ if (y2 > image->length - 1)
+ crop->regionlist[i].y2 = image->length - 1;
+- else
+- crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ else if (y2 > 0)
++ crop->regionlist[i].y2 = (uint32)(y2 - 1);
+
++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (zwidth > max_width)
+ max_width = zwidth;
+ if (zlength > max_length)
+@@ -5204,7 +5220,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ }
+ }
+ return (0);
+- }
++ } /* crop_mode == CROP_REGIONS */
+
+ /* Convert crop margins into offsets into image
+ * Margins are expressed as pixel rows and columns, not bytes
+@@ -5240,7 +5256,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ bmargin = (uint32) 0;
+ return (-1);
+ }
+- }
++ } /* crop_mode == CROP_MARGINS */
+ else
+ { /* no margins requested */
+ tmargin = (uint32) 0;
+@@ -5331,24 +5347,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ off->endx = endx;
+ off->endy = endy;
+
+- crop_width = endx - startx + 1;
+- crop_length = endy - starty + 1;
+-
+- if (crop_width <= 0)
++ if (endx + 1 <= startx)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid left/right margins and /or image crop width requested");
+ return (-1);
+ }
++ crop_width = endx - startx + 1;
+ if (crop_width > image->width)
+ crop_width = image->width;
+
+- if (crop_length <= 0)
++ if (endy + 1 <= starty)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid top/bottom margins and /or image crop length requested");
+ return (-1);
+ }
++ crop_length = endy - starty + 1;
+ if (crop_length > image->length)
+ crop_length = image->length;
+
+@@ -5448,10 +5463,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+ else
+ crop->selections = crop->zones;
+
+- for (i = 0; i < crop->zones; i++)
++ /* Initialize regions iterator i */
++ i = 0;
++ for (int j = 0; j < crop->zones; j++)
+ {
+- seg = crop->zonelist[i].position;
+- total = crop->zonelist[i].total;
++ seg = crop->zonelist[j].position;
++ total = crop->zonelist[j].total;
++
++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++ if (seg == 0 || total == 0 || seg > total) {
++ continue;
++ }
+
+ switch (crop->edge_ref)
+ {
+@@ -5578,10 +5600,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+ if (dump->outfile != NULL)
+ dump_info (dump->outfile, dump->format, "", "Zone %d, width: %4d, length: %4d, x1: %4d x2: %4d y1: %4d y2: %4d",
+ i + 1, (uint32)zwidth, (uint32)zlength,
+- crop->regionlist[i].x1, crop->regionlist[i].x2,
+- crop->regionlist[i].y1, crop->regionlist[i].y2);
++ crop->regionlist[i].x1, crop->regionlist[i].x2,
++ crop->regionlist[i].y1, crop->regionlist[i].y2);
++ /* increment regions iterator */
++ i++;
+ }
+-
++ /* set number of generated regions out of given zones */
++ crop->selections = i;
+ return (0);
+ } /* end getCropOffsets */
+
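Review bot: In patch 0032's rewrite of the region clamping in computeInputPixelOffsets, the `x1 == 0` case no longer assigns `crop->regionlist[i].x1` at all (the removed code set it to 0), and the same holds for x2, y1 and y2; the result then depends on regionlist having been zeroed elsewhere, which this hunk does not show. Adding a final `else crop->regionlist[i].x1 = 0;` to each chain (likewise for x2, y1, y2) would make the value explicit before `zwidth` and `zlength` are computed from it. The bounds `image->width - 1` and `image->length - 1` are unsigned and wrap if a dimension is 0, so a guard such as `if (image->width == 0 || image->length == 0) return (-1);` ahead of the loop is worth considering, assuming no earlier check exists. The function's start and end lie outside the hunk.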
diff --git a/SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch b/SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
new file mode 100644
index 0000000..d7f816a
--- /dev/null
+++ b/SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
@@ -0,0 +1,92 @@
+From d26748dd8fb90b0af8c9344615f65d273dc66f93 Mon Sep 17 00:00:00 2001
+From: Su_Laus
+Date: Mon, 15 Aug 2022 22:11:03 +0200
+Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521?=
+ =?UTF-8?q?=20CVE-2022-2953)=20According=20to=20Richard=20Nolde=20https://?=
+ =?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?=
+ =?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?=
+ =?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?=
+ =?UTF-8?q?=20-Z=20and=20-z.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
+
+This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
+
+(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf)
+---
+ tools/tiffcrop.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 5801b8f6..27e6f81c 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -104,7 +104,10 @@
+ * includes annotations for image parameters and scanline info. Level
+ * selects which functions dump data, with higher numbers selecting
+ * lower level, scanline level routines. Debug reports a limited set
+- * of messages to monitor progess without enabling dump logs.
++ * of messages to monitor progress without enabling dump logs.
++ *
++ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
++ * In no case should the options be applied to a given selection successively.
+ */ + + static char tiffcrop_version_id[] = "2.4"; +@@ -177,12 +180,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring); + #define ROTATECW_270 32 + #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) + +-#define CROP_NONE 0 +-#define CROP_MARGINS 1 +-#define CROP_WIDTH 2 +-#define CROP_LENGTH 4 +-#define CROP_ZONES 8 +-#define CROP_REGIONS 16 ++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ ++#define CROP_MARGINS 1 /* "-m" */ ++#define CROP_WIDTH 2 /* "-X" */ ++#define CROP_LENGTH 4 /* "-Y" */ ++#define CROP_ZONES 8 /* "-Z" */ ++#define CROP_REGIONS 16 /* "-z" */ + #define CROP_ROTATE 32 + #define CROP_MIRROR 64 + #define CROP_INVERT 128 +@@ -320,7 +323,7 @@ struct crop_mask { + #define PAGE_MODE_RESOLUTION 1 + #define PAGE_MODE_PAPERSIZE 2 + #define PAGE_MODE_MARGINS 4 +-#define PAGE_MODE_ROWSCOLS 8 ++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ + + #define INVERT_DATA_ONLY 10 + #define INVERT_DATA_AND_TAG 11 +@@ -751,6 +754,8 @@ static char* usage_info[] = { + " The four debug/dump options are independent, though it makes little sense to", + " specify a dump file without specifying a detail level.", + " ", ++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive." ++" ", + NULL + }; + +@@ -2099,6 +2104,16 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + /*NOTREACHED*/ + } + } ++ /*-- Check for not allowed combinations (e.g. 
-X, -Y and -Z, -z and -S are mutually exclusive) --*/ ++ char XY, Z, R, S; ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); ++ Z = (crop_data->crop_mode & CROP_ZONES); ++ R = (crop_data->crop_mode & CROP_REGIONS); ++ S = (page->mode & PAGE_MODE_ROWSCOLS); ++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); ++ exit(EXIT_FAILURE); ++ } + } /* end process_command_opts */ + + /* Start a new output file if one has not been previously opened or diff --git a/SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch b/SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch new file mode 100644 index 0000000..7fc4e5a --- /dev/null +++ b/SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch 
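Review bot: The new `usage_info` entry `"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."` has no trailing comma, so the compiler concatenates it with the following `" ",` literal into a single array element and the intended blank separator line is lost; it should read `"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",`. Separately, the check added at the end of `process_command_opts` rejects the option combination at the command line and calls `exit(EXIT_FAILURE)`. Nothing in this hunk hardens the crop routines themselves, so the fix appears to rely on this being the only place those mode bits get set together. A short comment at the check stating that assumption would help the next maintainer, e.g. `/* combined crop modes are not supported by the region/zone code; reject them here */`. The body of `process_command_opts` starts outside the hunk.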
@@ -0,0 +1,32 @@ +From 3635844b59578eb572372e7546548ea84c967ba1 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 20 Aug 2022 23:35:26 +0200 +Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953) + tiffcrop -S option: Make decision simpler. + +(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba) +--- + tools/tiffcrop.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 27e6f81c..ff118496 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2106,11 +2106,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + } + /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ + char XY, Z, R, S; +- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); +- Z = (crop_data->crop_mode & CROP_ZONES); +- R = (crop_data->crop_mode & CROP_REGIONS); +- S = (page->mode & PAGE_MODE_ROWSCOLS); +- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; ++ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; ++ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; ++ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; ++ if (XY + Z + R + S > 1) { + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec index 5e51860..145f85e 100644 --- a/SPECS/libtiff.spec +++ b/SPECS/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.9 -Release: 23%{?dist} +Release: 26%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ 
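Review bot: `S` is derived from `PAGE_MODE_ROWSCOLS` alone, so the `XY + Z + R + S > 1` test ignores the other page modes defined next to it in tiffcrop.c (`PAGE_MODE_RESOLUTION`, `PAGE_MODE_PAPERSIZE`, `PAGE_MODE_MARGINS`). Whether those page options are safe to combine with -X/-Y, -Z or -z cannot be told from this hunk. If they feed the same page-splitting path as -S, the guard would need to be widened, for example `S = (page->mode & (PAGE_MODE_RESOLUTION | PAGE_MODE_PAPERSIZE | PAGE_MODE_MARGINS | PAGE_MODE_ROWSCOLS)) ? 1 : 0;`. It would also help to add a one-line comment saying why `-m` (`CROP_MARGINS`) is deliberately left out of the sum. The body of `process_command_opts` starts outside the hunk.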
@@ -10,7 +10,7 @@ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz # Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0 -# Patches were generated by: git format-patch -N ... +# Patches were generated by: git format-patch -N --no-signature ... Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch Patch0002: 0002-Fix-Makefile.patch Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch @@ -40,6 +40,11 @@ Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch +Patch0030: 0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch +Patch0031: 0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch +Patch0032: 0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch +Patch0033: 0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch +Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch BuildRequires: gcc, gcc-c++ @@ -194,6 +199,19 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Mon Oct 24 2022 Matej Mužila - 4.0.9-26 +- Fix various CVEs +- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953 + +* Tue Sep 06 2022 Matej Mužila - 4.0.9-25 +- Fix CVE-2022-2867 (#2118857) +- Fix CVE-2022-2868 (#2118882) +- Fix CVE-2022-2869 (#2118878) + +* Mon Jul 18 2022 Matej Mužila - 4.0.9-24 +- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 +- Resolves: #2103222 + * Thu May 12 2022 Matej Mužila - 4.0.9-23 - Fix various CVEs - Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865