fix CVE-2025-9900: Out-of-Bounds Write in TIFFReadRGBAImageOriented (RHEL-112523)

Resolves: RHEL-112523
2026-01-15 10:03:49 +01:00 · 2026-01-15 10:03:49 +01:00 · bb2590da7a
commit bb2590da7a
parent a3b554fedf
2 changed files with 59 additions and 1 deletions
--- a/libtiff-4.6.0-cve-2025-9900.patch
+++ b/libtiff-4.6.0-cve-2025-9900.patch
@ -0,0 +1,51 @@
+From 8c951535e8551e314a66cdff01b83f055a204e8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 41f7dfd..9e94353 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -600,6 +600,22 @@ int TIFFRGBAImageGet(TIFFRGBAImage *img, uint32_t *raster, uint32_t w,
+             "No \"put\" routine setupl; probably can not handle image format");
+         return (0);
+     }
+    /* Verify raster width and height against image width and height. */
+    if (h > img->height)
+    {
+        /* Adapt parameters to read only available lines and put image at
+         * the bottom of the raster. */
+        raster += (size_t)(h - img->height) * w;
+        h = img->height;
+    }
+    if (w > img->width)
+    {
+        TIFFWarningExtR(img->tif, TIFFFileName(img->tif),
+                        "Raster width of %d shall not be larger than image "
+                        "width of %d -> raster width adapted for reading",
+                        w, img->width);
+        w = img->width;
+    }
+     return (*img->get)(img, raster, w, h);
+ }
+ 
+@@ -617,9 +633,7 @@ int TIFFReadRGBAImageOriented(TIFF *tif, uint32_t rwidth, uint32_t rheight,
+     if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg))
+     {
+         img.req_orientation = (uint16_t)orientation;
+-        /* XXX verify rwidth and rheight against width and height */
+-        ok = TIFFRGBAImageGet(&img, raster + (rheight - img.height) * rwidth,
+-                              rwidth, img.height);
+        ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+         TIFFRGBAImageEnd(&img);
+     }
+     else
+-- 
+2.47.3
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.6.0
-Release:       6%{?dist}
+Release:       7%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/

@ -12,6 +12,9 @@ Patch0:        libtiff-am-version.patch
 # from upstream, for <=4.6.0, RHEL-52926
 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
 Patch1:        libtiff-4.6.0-CVE-2024-7006.patch
+# from upstream, for < 4.7.1, RHEL-112523
+# https://gitlab.com/libtiff/libtiff/-/merge_requests/732.diff
+Patch2:        libtiff-4.6.0-cve-2025-9900.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel
@ -64,6 +67,7 @@ image files using the libtiff library.

 %patch -P 0 -p1 -b .backup
 %patch -P 1 -p1 -b .CVE-2024-7006
+%patch -P 2 -p1 -b .cve-2025-9900

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -162,6 +166,9 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
 %{_mandir}/man1/*

 %changelog
+* Thu Jan 15 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.6.0-7
+- fix CVE-2025-9900: Out-of-Bounds Write in TIFFReadRGBAImageOriented (RHEL-112523)
+
 * Mon Mar 31 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.6.0-6
 - drop unused compat libtiff.so.5 (RHEL-85372)