import UBI libtiff-4.4.0-13.el9_6.2

2025-10-28 02:32:31 +00:00 · 2025-10-28 02:32:31 +00:00 · ca24b7890e
commit ca24b7890e
parent 5e80ac8fc5
3 changed files with 137 additions and 1 deletions
--- a/SOURCES/RHEL-112542.patch
+++ b/SOURCES/RHEL-112542.patch
@ -0,0 +1,51 @@
+From 713269dcf24faec847643f3ed82c22948ec587b7 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 9a2e0c5..7110bfd 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
+ 		"No \"put\" routine setupl; probably can not handle image format");
+ 		return (0);
+     }
+    /* Verify raster width and height against image width and height. */
+    if (h > img->height)
+    {
+        /* Adapt parameters to read only available lines and put image at
+         * the bottom of the raster. */
+        raster += (size_t)(h - img->height) * w;
+        h = img->height;
+    }
+    if (w > img->width)
+    {
+        TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
+                       "Raster width of %d shall not be larger than image "
+                       "width of %d -> raster width adapted for reading",
+                       w, img->width);
+        w = img->width;
+    }
+     return (*img->get)(img, raster, w, h);
+ }
+ 
+@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+ 
+ 	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+ 		img.req_orientation = (uint16_t)orientation;
+-		/* XXX verify rwidth and rheight against width and height */
+-		ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+-			rwidth, img.height);
+		ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ 		TIFFRGBAImageEnd(&img);
+ 	} else {
+ 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
+-- 
+2.47.3
+
--- a/SOURCES/RHEL-120243.patch
+++ b/SOURCES/RHEL-120243.patch
@ -0,0 +1,70 @@
+From c91a4216678bd6692b4195f5c3257605f6d39a18 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH] Don't skip the first line of the input image. Addresses issue
+ #703
+
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 9 ++++++---
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index f3f9672..42ad079 100644
+--- a/tools/tiffdither.c
+++ b/tools/tiffdither.c
+@@ -95,7 +95,7 @@ fsdither(TIFF* in, TIFF* out)
+ 	nextptr = nextline;
+ 	for (j = 0; j < imagewidth; ++j)
+ 		*nextptr++ = *inptr++;
+-	for (i = 1; i < imagelength; ++i) {
+	for (i = 0; i < imagelength; ++i) {
+ 		tmpptr = thisline;
+ 		thisline = nextline;
+ 		nextline = tmpptr;
+@@ -138,7 +138,7 @@ fsdither(TIFF* in, TIFF* out)
+ 					nextptr[0] += v / 16;
+ 			}
+ 		}
+-		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+		if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ 			goto skip_on_error;
+ 	}
+ 	goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 90c4c6a..8fc2674 100644
+--- a/tools/tiffmedian.c
+++ b/tools/tiffmedian.c
+@@ -386,7 +386,10 @@ get_histogram(TIFF* in, Colorbox* box)
+ 	}
+ 	for (i = 0; i < imagelength; i++) {
+ 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-			break;
+		{
+			fprintf(stderr, "Error reading scanline\n");
+			exit(EXIT_FAILURE);
+		}
+ 		inptr = inputline;
+ 		for (j = imagewidth; j-- > 0;) {
+ 			red = (*inptr++) & 0xff >> COLOR_SHIFT;
+@@ -845,7 +848,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+ 	outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+ 
+ 	GetInputLine(in, 0, goto bad);		/* get first line */
+-	for (i = 1; i <= imagelength; ++i) {
+	for (i = 0; i < imagelength; ++i) {
+ 		SWAP(short *, thisline, nextline);
+ 		lastline = (i >= imax);
+ 		if (i <= imax)
+@@ -916,7 +919,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+ 				nextptr += 3;
+ 			}
+ 		}
+-		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
+		if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ 			break;
+ 	}
+ bad:
+-- 
+2.47.3
+
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.4.0
-Release:       13%{?dist}
+Release:       13%{?dist}.2
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/

@ -40,6 +40,12 @@ Patch0022: 0022-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
 Patch23:       libtiff-4.6.0-CVE-2024-7006.patch

+# CVE-2025-9900
+Patch24:       RHEL-112542.patch
+
+# CVE-2025-8176
+Patch25:       RHEL-120243.patch
+
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
 BuildRequires: libtool automake autoconf pkgconfig
@ -191,6 +197,15 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Mon Oct 20 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.4.0-13.2
+- fix CVE-2025-8176 off-by-one error skipping first line in tiffdither
+  and tiffmedian
+- Resolves: RHEL-120243
+
+* Fri Oct 10 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.4.0-13.1
+- fix CVE-2025-9900 buffer underflow in TIFFReadRGBAImageOriented
+- Resolves: RHEL-112542
+
 * Wed Aug 21 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-13
 - fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52931)