diff --git a/SOURCES/libtiff-4.4.0-cve-2025-8176.patch b/SOURCES/libtiff-4.4.0-cve-2025-8176.patch
new file mode 100644
index 0000000..2ea9dbf
--- /dev/null
+++ b/SOURCES/libtiff-4.4.0-cve-2025-8176.patch
@@ -0,0 +1,16 @@
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 354ee94c7a0a79e887bc8f835697b57b737548cb..2c79553be87e655f69690744b574b92c59fa92b5 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -386,7 +386,10 @@ get_histogram(TIFF* in, Colorbox* box)
+ }
+ for (i = 0; i < imagelength; i++) {
+ if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+- break;
++ {
++ fprintf(stderr, "Error reading scanline\n");
++ exit(EXIT_FAILURE);
++ }
+ inptr = inputline;
+ for (j = imagewidth; j-- > 0;) {
+ red = (*inptr++) & 0xff >> COLOR_SHIFT;
diff --git a/SOURCES/libtiff-4.4.0-cve-2025-9900.patch b/SOURCES/libtiff-4.4.0-cve-2025-9900.patch
new file mode 100644
index 0000000..d094a32
--- /dev/null
+++ b/SOURCES/libtiff-4.4.0-cve-2025-9900.patch
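Review bot: The new failure branch in get_histogram prints a fixed message with no row number or file name, which makes a truncated or corrupt input hard to triage from logs; something like `fprintf(stderr, "Error reading scanline %lu\n", (unsigned long)i);` would help. `exit()` here leaves `inputline` and the open TIFF handle to process teardown, which is acceptable for a command-line tool but should not be copied into code that is reused as a library. get_histogram starts and ends outside the hunk, so whether later code depended on the old `break` cannot be checked from here. A regression test that runs the tool on a truncated input under AddressSanitizer would confirm that the use-after-free named in the changelog is closed.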
@@ -0,0 +1,37 @@
+diff -up tiff-4.4.0/libtiff/tif_getimage.c.before tiff-4.4.0/libtiff/tif_getimage.c
+--- tiff-4.4.0/libtiff/tif_getimage.c.before 2026-01-18 23:50:18.171737478 +0100
++++ tiff-4.4.0/libtiff/tif_getimage.c 2026-01-18 23:50:18.179737456 +0100
+@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uin
+ "No \"put\" routine setupl; probably can not handle image format");
+ return (0);
+ }
++ /* Verify raster width and height against image width and height. */
++ if (h > img->height)
++ {
++ /* Adapt parameters to read only available lines and put image at
++ * the bottom of the raster. */
++ raster += (size_t)(h - img->height) * w;
++ h = img->height;
++ }
++ if (w > img->width)
++ {
++ TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
++ "Raster width of %d shall not be larger than image "
++ "width of %d -> raster width adapted for reading",
++ w, img->width);
++ w = img->width;
++ }
+ return (*img->get)(img, raster, w, h);
+ }
+
+@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+ img.req_orientation = (uint16_t)orientation;
+- /* XXX verify rwidth and rheight against width and height */
+- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+- rwidth, img.height);
++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ TIFFRGBAImageEnd(&img);
+ } else {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index d2eb1c5..a903503 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.4.0
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: libtiff
 URL: http://www.simplesystems.org/libtiff/
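Review bot: In TIFFRGBAImageGet the width clamp changes `w` after the raster offset has been computed with the caller's width, so the `get` routine is called with a row width that no longer matches the pitch of the caller's buffer. If the `get` routines use `w` as the row stride (not visible in this hunk), the image is stored packed at `img->width` pitch and the rest of the raster is never written; writes stay in bounds, but a caller that passes the raster on should zero it first, and the comment above the clamp should say so, e.g. `/* When w is clamped, rows are stored at img->width pitch and the remaining raster is left untouched. */`. The height clamp is silent while the width clamp warns, and the warning formats `w` and `img->width` with `%d` although the truncated signature suggests they are `uint32_t`; `%" PRIu32 "` would avoid negative numbers in the log. TIFFRGBAImageGet starts outside the first hunk, and TIFFReadRGBAImageOriented starts and ends outside the second.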
@@ -43,6 +43,12 @@ Patch23: libtiff-4.6.0-CVE-2024-7006.patch
 # https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch
 Patch24: libtiff-4.4.0-CVE-2023-52356.patch
 Patch25: libtiff-4.4.0-cve2023-52355.patch
+# from upstream, for < 4.7.1, RHEL-112543
+# https://gitlab.com/libtiff/libtiff/-/merge_requests/732.diff
+Patch26: libtiff-4.4.0-cve-2025-9900.patch
+# frin upstream, for < 4.7.1, RHEL-120238
+# https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172
+Patch27: libtiff-4.4.0-cve-2025-8176.patch
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
@@ -201,6 +207,10 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 %changelog
+* Sun Jan 18 2026 Michal Hlavinka - 4.4.0-16
+- fix CVE-2025-9900: Out-of-Bounds Write in TIFFReadRGBAImageOriented (RHEL-112543)
+- fix CVE-2025-8176: use after free in tiffmedian (RHEL-120238)
+
 * Mon May 05 2025 Michal Hlavinka - 4.4.0-15
 - backport documentation change for CVE-2023-52355 (RHEL-17328)
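Review bot: The comment above Patch27 reads `# frin upstream`; it should be `# from upstream, for < 4.7.1, RHEL-120238` to match the Patch26 comment. No `%prep` change appears in this diff, so Patch26 and Patch27 take effect only if the spec applies patches automatically (for example through `%autosetup`), which is not visible here. It is worth confirming in the build log that both CVE patches are actually applied, since a declared but unapplied patch would ship the release as fixed while leaving the code unchanged.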