From a5c51d73b8cbbccb6a13b201d480621099a5a429 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Thu, 22 Jun 2023 13:41:40 +0000 Subject: [PATCH] import libtiff-4.4.0-8.el9_2 --- ...iffcrop-Correct-simple-copy-paste-er.patch | 28 +++ ...E-2023-0801-CVE-2023-0802-CVE-2023-0.patch | 128 +++++++++++++ ...fcrop_correctly_update_buffersize_af.patch | 174 ++++++++++++++++++ ...E-2023-0796-CVE-2023-0797-CVE-2023-0.patch | 154 ++++++++++++++++ SPECS/libtiff.spec | 19 +- 5 files changed, 502 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch create mode 100644 SOURCES/0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch create mode 100644 SOURCES/0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch create mode 100644 SOURCES/0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch diff --git a/SOURCES/0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch b/SOURCES/0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch new file mode 100644 index 0000000..5696c5a --- /dev/null +++ b/SOURCES/0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch @@ -0,0 +1,28 @@ +From cadce9836463df5653b573eff47fddadc23431c5 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 21 Jan 2023 15:58:10 +0000 +Subject: [PATCH] (CVE-2022-48281) tiffcrop: Correct simple copy paste error. + Fix #488. + +Closes #488 + +See merge request libtiff/libtiff!459 + +(cherry picked from commit d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5) +--- + tools/tiffcrop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 70d56e55..57940697 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -7741,7 +7741,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { +- prev_cropsize = seg_buffs[0].size; ++ prev_cropsize = seg_buffs[i].size; + if (prev_cropsize < cropsize) + { + next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); diff --git a/SOURCES/0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch b/SOURCES/0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch new file mode 100644 index 0000000..a4ba260 --- /dev/null +++ b/SOURCES/0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch @@ -0,0 +1,128 @@ +From 22b164b8734f9d1ea91760d87e9531e3b3cc7017 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 5 Feb 2023 15:53:16 +0000 +Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 + CVE-2023-0804) tiffcrop: added check for assumption on composite images + (fixes #496) + +Closes #501, #500, #498, #497 et #496 + +See merge request libtiff/libtiff!466 + +(cherry picked from commit 33aee1275d9d1384791d2206776eb8152d397f00) +--- + tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 66 insertions(+), 2 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 57940697..2c0ebf4b 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5364,18 +5364,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + + crop->regionlist[i].buffsize = buffsize; + crop->bufftotal += buffsize; ++ ++ /* For composite images with more than one region, the ++ * combined_length or combined_width always needs to be equal, ++ * respectively. ++ * Otherwise, even the first section/region copy ++ * action might cause buffer overrun. */ + if (crop->img_mode == COMPOSITE_IMAGES) + { + switch (crop->edge_ref) + { + case EDGE_LEFT: + case EDGE_RIGHT: ++ if (i > 0 && zlength != crop->combined_length) ++ { ++ TIFFError( ++ "computeInputPixelOffsets", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (-1); ++ } + crop->combined_length = zlength; + crop->combined_width += zwidth; + break; + case EDGE_BOTTOM: + case EDGE_TOP: /* width from left, length from top */ + default: ++ if (i > 0 && zwidth != crop->combined_width) ++ { ++ TIFFError("computeInputPixelOffsets", ++ "Only equal width regions can be " ++ "combined for -E " ++ "top or bottom"); ++ return (-1); ++ } + crop->combined_width = zwidth; + crop->combined_length += zlength; + break; +@@ -6589,6 +6611,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + crop->combined_width = 0; + crop->combined_length = 0; + ++ /* If there is more than one region, check beforehand whether all the width ++ * and length values of the regions are the same, respectively. */ ++ switch (crop->edge_ref) ++ { ++ default: ++ case EDGE_TOP: ++ case EDGE_BOTTOM: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_width0 = ++ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1; ++ uint32_t crop_width1 = ++ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ if (crop_width0 != crop_width1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal width regions can be combined for -E " ++ "top or bottom"); ++ return (1); ++ } ++ } ++ break; ++ case EDGE_LEFT: ++ case EDGE_RIGHT: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_length0 = ++ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1; ++ uint32_t crop_length1 = ++ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ if (crop_length0 != crop_length1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (1); ++ } ++ } ++ } ++ + for (i = 0; i < crop->selections; i++) + { + /* rows, columns, width, length are expressed in pixels */ +@@ -6613,7 +6675,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + default: + case EDGE_TOP: + case EDGE_BOTTOM: +- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width)) ++ if ((crop->selections > i + 1) && ++ (crop_width != crop->regionlist[i + 1].width)) + { + TIFFError ("extractCompositeRegions", + "Only equal width regions can be combined for -E top or bottom"); +@@ -6694,7 +6757,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + break; + case EDGE_LEFT: /* splice the pieces of each row together, side by side */ + case EDGE_RIGHT: +- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) ++ if ((crop->selections > i + 1) && ++ (crop_length != crop->regionlist[i + 1].length)) + { + TIFFError ("extractCompositeRegions", + "Only equal length regions can be combined for -E left or right"); diff --git a/SOURCES/0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch b/SOURCES/0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch new file mode 100644 index 0000000..fd4c740 --- /dev/null +++ b/SOURCES/0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch @@ -0,0 +1,174 @@ +From 7160a3d1a81ba2feaee3a8c0aea10eb9efb74ab9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= +Date: Tue, 14 Mar 2023 18:40:04 +0100 +Subject: [PATCH] Merge branch + 'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master' + +tiffcrop correctly update buffersize after rotateImage() fix#520 + +Closes #520 + +See merge request libtiff/libtiff!467 + +(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3) +--- + tools/tiffcrop.c | 66 +++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 51 insertions(+), 15 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 2c0ebf4b..e183e849 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -526,7 +526,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **); ++ unsigned char **, size_t *); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, + unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -6557,7 +6557,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b + return (-1); + } + +- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr)) ++ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL)) + { + TIFFError ("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -7781,16 +7781,19 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { ++ /* rotateImage() set up a new buffer and calculates its size ++ * individually. Therefore, seg_buffs size needs to be updated ++ * accordingly. */ ++ size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, &crop_buff)) ++ &crop->combined_length, &crop_buff, &rot_buf_size)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation); + return (-1); + } + seg_buffs[0].buffer = crop_buff; +- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8) +- * image->spp) * crop->combined_length; ++ seg_buffs[0].size = rot_buf_size; + } + } + else /* Separated Images */ +@@ -7890,9 +7893,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + { + /* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed. + * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !! +- */ +- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, +- &crop->regionlist[i].length, &crop_buff)) ++ * Furthermore, rotateImage() set up a new buffer and calculates ++ * its size individually. Therefore, seg_buffs size needs to be ++ * updated accordingly. */ ++ size_t rot_buf_size = 0; ++ if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, ++ &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) + { + TIFFError("processCropSelections", + "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation); +@@ -7903,8 +7909,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + crop->combined_width = total_width; + crop->combined_length = total_length; + seg_buffs[i].buffer = crop_buff; +- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8) +- * image->spp) * crop->regionlist[i].length; ++ seg_buffs[i].size = rot_buf_size; + } + } /* for crop->selections loop */ + } /* Separated Images (else case) */ +@@ -8024,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, crop_buff_ptr)) ++ &crop->combined_length, crop_buff_ptr, NULL)) + { + TIFFError("createCroppedImage", + "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation); +@@ -8687,13 +8692,14 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ + /* Rotate an image by a multiple of 90 degrees clockwise */ + static int + rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, +- uint32_t *img_length, unsigned char **ibuff_ptr) ++ uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size) + { + int shift_width; + uint32_t bytes_per_pixel, bytes_per_sample; + uint32_t row, rowsize, src_offset, dst_offset; + uint32_t i, col, width, length; +- uint32_t colsize, buffsize, col_offset, pix_offset; ++ uint32_t colsize, col_offset, pix_offset; ++ tmsize_t buffsize; + unsigned char *ibuff; + unsigned char *src; + unsigned char *dst; +@@ -8706,12 +8712,40 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + spp = image->spp; + bps = image->bps; + ++ if ((spp != 0 && bps != 0 && ++ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) || ++ (spp != 0 && bps != 0 && ++ length > (uint32_t)((UINT32_MAX - 7) / spp / bps))) ++ { ++ TIFFError("rotateImage", "Integer overflow detected."); ++ return (-1); ++ } + rowsize = ((bps * spp * width) + 7) / 8; + colsize = ((bps * spp * length) + 7) / 8; + if ((colsize * width) > (rowsize * length)) +- buffsize = (colsize + 1) * width; ++ { ++ if (((tmsize_t)colsize + 1) != 0 && ++ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / ++ ((tmsize_t)colsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } ++ buffsize = ((tmsize_t)colsize + 1) * width; ++ } + else ++ { ++ if (((tmsize_t)rowsize + 1) != 0 && ++ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / ++ ((tmsize_t)rowsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } + buffsize = (rowsize + 1) * length; ++ } + + bytes_per_sample = (bps + 7) / 8; + bytes_per_pixel = ((bps * spp) + 7) / 8; +@@ -8734,7 +8768,7 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + /* Add 3 padding bytes for extractContigSamplesShifted32bits */ + if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) + { +- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); ++ TIFFError("rotateImage", "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT " bytes ", buffsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } + _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); +@@ -8764,6 +8798,8 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + for (row = 0; row < length; row++) + { + src_offset = row * rowsize; ++ if (rot_buf_size != NULL) ++ *rot_buf_size = buffsize; + dst_offset = (length - row - 1) * rowsize; + src = ibuff + src_offset; + dst = rbuff + dst_offset; diff --git a/SOURCES/0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch b/SOURCES/0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch new file mode 100644 index 0000000..ab6ff96 --- /dev/null +++ b/SOURCES/0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch @@ -0,0 +1,154 @@ +From 9debf535618baef5a906de9f07d937e361ea0bc0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= +Date: Tue, 14 Mar 2023 19:37:18 +0100 +Subject: [PATCH] (CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 + CVE-2023-0799) Merge branch 'tiffcrop_R270_fix#492' into 'master' + +tiffcrop: Amend rotateImage() not to toggle the input (main) image width and... + +Closes #519, #518, #499, #495, #494, #493 et #492 + +See merge request libtiff/libtiff!465 + +(cherry picked from commit afaabc3e50d4e5d80a94143f7e3c997e7e410f68) +--- + tools/tiffcrop.c | 49 +++++++++++++++++++++++++++--------------------- + 1 file changed, 28 insertions(+), 21 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index e183e849..c2688883 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -271,7 +271,6 @@ struct region { + uint32_t width; /* width in pixels */ + uint32_t length; /* length in pixels */ + uint32_t buffsize; /* size of buffer needed to hold the cropped region */ +- unsigned char *buffptr; /* address of start of the region */ + }; + + /* Cropping parameters from command line and image data +@@ -526,7 +525,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **, size_t *); ++ unsigned char **, size_t *, int); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, + unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -5224,7 +5223,6 @@ initCropMasks (struct crop_mask *cps) + cps->regionlist[i].width = 0; + cps->regionlist[i].length = 0; + cps->regionlist[i].buffsize = 0; +- cps->regionlist[i].buffptr = NULL; + cps->zonelist[i].position = 0; + cps->zonelist[i].total = 0; + } +@@ -6556,8 +6554,12 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b + (uint16_t) (image->adjustments & ROTATE_ANY)); + return (-1); + } +- +- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL)) ++ /* Dummy variable in order not to switch two times the ++ * image->width,->length within rotateImage(), ++ * but switch xres, yres there. */ ++ uint32_t width = image->width; ++ uint32_t length = image->length; ++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, TRUE)) + { + TIFFError ("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -6665,7 +6667,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + /* These should not be needed for composite images */ + crop->regionlist[i].width = crop_width; + crop->regionlist[i].length = crop_length; +- crop->regionlist[i].buffptr = crop_buff; + + src_rowsize = ((img_width * bps * spp) + 7) / 8; + dst_rowsize = (((crop_width * bps * count) + 7) / 8); +@@ -6904,7 +6905,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop, + + crop->regionlist[region].width = crop_width; + crop->regionlist[region].length = crop_length; +- crop->regionlist[region].buffptr = crop_buff; + + src = read_buff; + dst = crop_buff; +@@ -7786,7 +7786,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + * accordingly. */ + size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, &crop_buff, &rot_buf_size)) ++ &crop->combined_length, &crop_buff, &rot_buf_size, FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation); +@@ -7898,7 +7898,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + * updated accordingly. */ + size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, +- &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) ++ &crop->regionlist[i].length, &crop_buff, &rot_buf_size, FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation); +@@ -8029,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, crop_buff_ptr, NULL)) ++ &crop->combined_length, crop_buff_ptr, NULL, TRUE)) + { + TIFFError("createCroppedImage", + "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation); +@@ -8692,7 +8692,8 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ + /* Rotate an image by a multiple of 90 degrees clockwise */ + static int + rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, +- uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size) ++ uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size, ++ int rot_image_params) + { + int shift_width; + uint32_t bytes_per_pixel, bytes_per_sample; +@@ -8914,11 +8915,14 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + + *img_width = length; + *img_length = width; +- image->width = length; +- image->length = width; +- res_temp = image->xres; +- image->xres = image->yres; +- image->yres = res_temp; ++ /* Only toggle image parameters if whole input image is rotated. */ ++ if (rot_image_params) { ++ image->width = length; ++ image->length = width; ++ res_temp = image->xres; ++ image->xres = image->yres; ++ image->yres = res_temp; ++ } + break; + + case 270: if ((bps % 8) == 0) /* byte aligned data */ +@@ -8991,11 +8995,14 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + + *img_width = length; + *img_length = width; +- image->width = length; +- image->length = width; +- res_temp = image->xres; +- image->xres = image->yres; +- image->yres = res_temp; ++ /* Only toggle image parameters if whole input image is rotated. */ ++ if (rot_image_params) { ++ image->width = length; ++ image->length = width; ++ res_temp = image->xres; ++ image->xres = image->yres; ++ image->yres = res_temp; ++ } + break; + default: + break; diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec index f81a08f..c0e0908 100644 --- a/SPECS/libtiff.spec +++ b/SPECS/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.4.0 -Release: 7%{?dist} +Release: 8%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -18,6 +18,15 @@ Patch0006: 0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch Patch0007: 0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch Patch0008: 0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch Patch0009: 0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch +Patch0010: 0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch +# CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 +Patch0011: 0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch + +# Related to Patch0013 +Patch0012: 0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch +# CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 +Patch0013: 0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch + BuildRequires: gcc, gcc-c++ @@ -171,6 +180,14 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Tue Mar 21 2023 Matej Mužila - 4.4.0-8 +- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 + CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 + CVE-2022-48281 +- Resolves: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 + CVE-2023-0804 CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 + CVE-2023-0799 CVE-2022-48281 + * Tue Dec 06 2022 Matej Mužila - 4.4.0-7 - Fix CVE-2022-3970 - Resolves: CVE-2022-3970