diff --git a/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch b/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch new file mode 100644 index 0000000..267a1e3 --- /dev/null +++ b/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch @@ -0,0 +1,97 @@ +From 84f9ede8075774dd9a10080a9eea9016229adbaa Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Thu, 25 Aug 2022 16:11:41 +0200 +Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable + incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes + #411 and #413) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S. + +Code analysis: + +With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. +In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . + +Execution of the else-clause often leads to buffer-overflows. + +Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. + +The MR solves issues #411 and #413. + +(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62) +--- + tools/tiffcrop.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ff118496..848b2b49 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -106,9 +106,11 @@ + * lower level, scanline level routines. Debug reports a limited set + * of messages to monitor progress without enabling dump logs. + * +- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. ++ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive. + * In no case should the options be applied to a given selection successively. +- */ ++ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options ++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. ++ */ + + static char tiffcrop_version_id[] = "2.4"; + static char tiffcrop_rev_date[] = "12-13-2010"; +@@ -754,7 +756,11 @@ static char* usage_info[] = { + " The four debug/dump options are independent, though it makes little sense to", + " specify a dump file without specifying a detail level.", + " ", +-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive." ++"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.", ++" In no case should the options be applied to a given selection successively.", ++" ", ++"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options", ++" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.", + " ", + NULL + }; +@@ -2111,9 +2117,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; + S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; + if (XY + Z + R + S > 1) { +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); + exit(EXIT_FAILURE); + } ++ ++ /* Check for not allowed combination: ++ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options ++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. ++. */ ++ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { ++ TIFFError("tiffcrop input error", ++ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); ++ exit(EXIT_FAILURE); ++ } ++ + } /* end process_command_opts */ + + /* Start a new output file if one has not been previously opened or +@@ -2381,6 +2398,7 @@ main(int argc, char* argv[]) + exit (-1); + } + ++ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */ + if (crop.selections > 0) + { + if (processCropSelections(&image, &crop, &read_buff, seg_buffs)) +@@ -2397,6 +2415,7 @@ main(int argc, char* argv[]) + exit (-1); + } + } ++ /* Format and write selected image parts to output file(s). */ + if (page.mode == PAGE_MODE_NONE) + { /* Whole image or sections not based on output page size */ + if (crop.selections > 0) diff --git a/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch b/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch new file mode 100644 index 0000000..ec774b4 --- /dev/null +++ b/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch @@ -0,0 +1,37 @@ +From a28b2e1b23fc936989dc4bbc857e9a8a851c5ff0 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 8 Nov 2022 15:16:58 +0100 +Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer + overflow on strips/tiles > 2 GB + +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 + + (cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be) +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index b1f7cc95..00cd5510 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -3044,15 +3044,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop + return( ok ); + + for( i_row = 0; i_row < read_ysize; i_row++ ) { +- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, +- raster + (read_ysize - i_row - 1) * read_xsize, ++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, ++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize, + read_xsize * sizeof(uint32) ); +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, + 0, sizeof(uint32) * (tile_xsize - read_xsize) ); + } + + for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, + 0, sizeof(uint32) * tile_xsize ); + } + diff --git a/libtiff.spec b/libtiff.spec index 145f85e..eaa717c 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.9 -Release: 26%{?dist} +Release: 27%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -45,6 +45,8 @@ Patch0031: 0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch Patch0032: 0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch Patch0033: 0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch +Patch0035: 0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch +Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch BuildRequires: gcc, gcc-c++ @@ -199,6 +201,10 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Mon Jan 16 2023 Matej Mužila - 4.0.9-27 +- Fix various CVEs +- Resolves: CVE-2022-3627 CVE-2022-3970 + * Mon Oct 24 2022 Matej Mužila - 4.0.9-26 - Fix various CVEs - Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953