Fix CVE-2022-0907 (#2064147), CVE-2022-0908 (#2064153) and CVE-2022-0909 (#2064152)

Nikola Forró 2022-03-18 16:23:34 +01:00
parent a330170971
commit c1ae4857a3
4 changed files with 163 additions and 1 deletions


@ -0,0 +1,89 @@
From 10b4736669928673cc9a5c5f2a88ffdc92f1b560 Mon Sep 17 00:00:00 2001
From: Augustus <wangdw.augustus@qq.com>
Date: Mon, 7 Mar 2022 18:21:49 +0800
Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392)
---
tools/tiffcrop.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 302a7e9..e407bf5 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
if (!sect_buff)
{
sect_buff = (unsigned char *)limitMalloc(sectsize);
- *sect_buff_ptr = sect_buff;
+ if (!sect_buff)
+ {
+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+ return (-1);
+ }
_TIFFmemset(sect_buff, 0, sectsize);
}
else
@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
else
sect_buff = new_buff;
+ if (!sect_buff)
+ {
+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+ return (-1);
+ }
_TIFFmemset(sect_buff, 0, sectsize);
}
}
- if (!sect_buff)
- {
- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
- return (-1);
- }
prev_sectsize = sectsize;
*sect_buff_ptr = sect_buff;
@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (!crop_buff)
{
crop_buff = (unsigned char *)limitMalloc(cropsize);
- *crop_buff_ptr = crop_buff;
+ if (!crop_buff)
+ {
+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+ return (-1);
+ }
_TIFFmemset(crop_buff, 0, cropsize);
prev_cropsize = cropsize;
}
@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
}
else
crop_buff = new_buff;
+ if (!crop_buff)
+ {
+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+ return (-1);
+ }
_TIFFmemset(crop_buff, 0, cropsize);
}
}
- if (!crop_buff)
- {
- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
- return (-1);
- }
*crop_buff_ptr = crop_buff;
if (crop->crop_mode & CROP_INVERT)
@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
* fill-column: 78
* End:
*/
+
--
2.35.1
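Review bot: In the reallocation branch of createImageSection (second hunk), the new early `return (-1);` leaves `*sect_buff_ptr` untouched, so the caller keeps the pointer it passed in. The lines above the hunk are not shown, but if the realloc-failure path frees the old buffer before calling limitMalloc, that pointer is stale after the error return and a later free or reuse by the caller would touch freed memory. Consider clearing it on that path with `*sect_buff_ptr = NULL;` before `return (-1);`, and likewise `*crop_buff_ptr = NULL;` in the matching createCroppedImage hunk. Both function bodies start and end outside the hunks.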


@ -0,0 +1,29 @@
From 2fac3f6f3178bd2fee777bced88cccef71873b2b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Feb 2022 15:28:43 +0100
Subject: [PATCH 2/3] TIFFFetchNormalTag(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #383)
---
libtiff/tif_dirread.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index d654a1c..a31109a 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+ if (dp->tdir_count > 0 )
+ {
+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+ }
o[(uint32_t)dp->tdir_count]=0;
if (data!=0)
_TIFFfree(data);
--
2.35.1
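Review bot: The new guard in TIFFFetchNormalTag keys on `dp->tdir_count > 0` rather than on `data`, while the `if (data!=0)` test a few lines later shows that `data` can be null at this point. Whether a null `data` can coexist with a non-zero count depends on the read code above the hunk, which is not visible. If it cannot, a comment would make the invariant explicit: `/* data is NULL only when tdir_count == 0; memcpy() with a NULL source is undefined even for size 0 */`. If it can, the condition should be `if (data != 0 && dp->tdir_count > 0)`. The function body starts and ends outside the hunk.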


@ -0,0 +1,32 @@
From 802070f1c2e2064a4df3d7e0aa63316677845ec0 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Tue, 8 Mar 2022 16:22:04 +0000
Subject: [PATCH 3/3] fix the FPE in tiffcrop (#393)
---
libtiff/tif_dir.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index a6c254f..77da6ea 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
break;
case TIFFTAG_XRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_YRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
break;
--
2.35.1
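Review bot: The `dblval != dblval` test added to the TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION cases is a NaN check written as a self-comparison, which reads like a typo and invites a well-meaning "cleanup" that would remove the fix. `if( isnan(dblval) || dblval < 0 )` states the intent, provided `<math.h>` is included in tif_dir.c (the include list is outside the hunk). If the self-comparison is kept, add a comment such as `/* NaN != NaN: reject NaN before clamping to float */`. Positive infinity still passes this check; whether `_TIFFClampDoubleToFloat` bounds it is not visible here and is worth confirming. The switch continues outside the hunk.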


@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.3.0
Release: 5%{?dist}
Release: 6%{?dist}
License: libtiff
URL: http://www.simplesystems.org/libtiff/
@ -20,6 +20,12 @@ Patch5: libtiff-CVE-2022-0865.patch
Patch6: libtiff-CVE-2022-0891.patch
# https://gitlab.com/libtiff/libtiff/-/commit/408976c44ef0aad975e0d1b6c6dc80d60f9dc665
Patch7: libtiff-CVE-2022-0924.patch
# https://gitlab.com/libtiff/libtiff/-/commit/f2b656e2e64adde07a6cffd5c8e96bd81a850fea
Patch8: libtiff-CVE-2022-0907.patch
# https://gitlab.com/libtiff/libtiff/-/commit/a95b799f65064e4ba2e2dfc206808f86faf93e85
Patch9: libtiff-CVE-2022-0908.patch
# https://gitlab.com/libtiff/libtiff/-/commit/f8d0f9aa1ba04c9ae3bfe869a18141a8b8117ad7
Patch10: libtiff-CVE-2022-0909.patch
BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
@ -77,6 +83,9 @@ image files using the libtiff library.
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@ -181,6 +190,9 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
* Fri Mar 18 2022 Nikola Forró <nforro@redhat.com> - 4.3.0-6
- Fix CVE-2022-0907 (#2064147), CVE-2022-0908 (#2064153) and CVE-2022-0909 (#2064152)
* Fri Mar 18 2022 Nikola Forró <nforro@redhat.com> - 4.3.0-5
- Fix CVE-2022-0865 (#2065359), CVE-2022-0891 (#2065389) and CVE-2022-0924 (#2064154)