import CS libtiff-4.4.0-16.el9

SOURCES/libtiff-4.4.0-cve-2025-8176.patch

@@ -0,0 +1,16 @@
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 354ee94c7a0a79e887bc8f835697b57b737548cb..2c79553be87e655f69690744b574b92c59fa92b5 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -386,7 +386,10 @@ get_histogram(TIFF* in, Colorbox* box)
+ 	}
+ 	for (i = 0; i < imagelength; i++) {
+ 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-			break;
++		{
++			fprintf(stderr, "Error reading scanline\n");
++			exit(EXIT_FAILURE);
++		}
+ 		inptr = inputline;
+ 		for (j = imagewidth; j-- > 0;) {
+ 			red = (*inptr++) & 0xff >> COLOR_SHIFT;

SOURCES/libtiff-4.4.0-cve-2025-9900.patch

@@ -0,0 +1,37 @@
+diff -up tiff-4.4.0/libtiff/tif_getimage.c.before tiff-4.4.0/libtiff/tif_getimage.c
+--- tiff-4.4.0/libtiff/tif_getimage.c.before	2026-01-18 23:50:18.171737478 +0100
++++ tiff-4.4.0/libtiff/tif_getimage.c	2026-01-18 23:50:18.179737456 +0100
+@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uin
+ 		"No \"put\" routine setupl; probably can not handle image format");
+ 		return (0);
+     }
++	/* Verify raster width and height against image width and height. */
++    if (h > img->height)
++    {
++        /* Adapt parameters to read only available lines and put image at
++         * the bottom of the raster. */
++        raster += (size_t)(h - img->height) * w;
++        h = img->height;
++    }
++    if (w > img->width)
++    {
++        TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
++                        "Raster width of %d shall not be larger than image "
++                        "width of %d -> raster width adapted for reading",
++                        w, img->width);
++        w = img->width;
++    }
+     return (*img->get)(img, raster, w, h);
+ }
+ 
+@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+ 
+ 	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+ 		img.req_orientation = (uint16_t)orientation;
+-		/* XXX verify rwidth and rheight against width and height */
+-		ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+-			rwidth, img.height);
++		ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ 		TIFFRGBAImageEnd(&img);
+ 	} else {
+ 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);

SPECS/libtiff.spec

@@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.4.0
-Release:       15%{?dist}
+Release:       16%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/
 
@@ -43,6 +43,12 @@ Patch23:       libtiff-4.6.0-CVE-2024-7006.patch
 # https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch
 Patch24:       libtiff-4.4.0-CVE-2023-52356.patch
 Patch25:       libtiff-4.4.0-cve2023-52355.patch
+# from upstream, for < 4.7.1, RHEL-112543
+# https://gitlab.com/libtiff/libtiff/-/merge_requests/732.diff
+Patch26:       libtiff-4.4.0-cve-2025-9900.patch
+# frin upstream, for < 4.7.1, RHEL-120238
+# https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172
+Patch27:       libtiff-4.4.0-cve-2025-8176.patch
 
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
@@ -201,6 +207,10 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Sun Jan 18 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-16
+- fix CVE-2025-9900: Out-of-Bounds Write in TIFFReadRGBAImageOriented (RHEL-112543)
+- fix CVE-2025-8176: use after free in tiffmedian (RHEL-120238)
+
 * Mon May 05 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-15
 - backport documentation change for CVE-2023-52355 (RHEL-17328)