Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058

Resolves: #2106768

0001-Back-off-the-minimum-required-automake-version-to-1..patch

@@ -0,0 +1,40 @@
+From b2e3171e935be3c4b79657aebf4175ef3be403b1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
+Date: Mon, 18 Jul 2022 13:40:10 +0200
+Subject: [PATCH] Back off the minimum required automake version to 1.11. 
+ There isn't anything in libtiff currently that actually requires 1.12, and
+ changing this allows the package to be built on pre-F18 machines for easier
+ testing.
+
+This patch can go away once we no longer care about testing on pre-F18.
+---
+ Makefile.am      | 2 +-
+ test/Makefile.am | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index aaabf4d1..66e13dd8 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -25,7 +25,7 @@
+ 
+ docdir = $(LIBTIFF_DOCDIR)
+ 
+-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
+ ACLOCAL_AMFLAGS = -I m4
+ 
+ docfiles = \
+diff --git a/test/Makefile.am b/test/Makefile.am
+index b5823198..949667ee 100644
+--- a/test/Makefile.am
++++ b/test/Makefile.am
+@@ -23,7 +23,7 @@
+ 
+ # Process this file with automake to produce Makefile.in.
+ 
+-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
+ 
+ LIBTIFF = $(top_builddir)/libtiff/libtiff.la
+ 

0002-Fix-Makefile.patch

@@ -0,0 +1,21 @@
+From ab8a25b78922ba0e93fc4264d15c3e796a6f4c34 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
+Date: Thu, 5 May 2022 14:42:52 +0200
+Subject: [PATCH] Fix Makefile
+
+---
+ html/man/Makefile.am | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/html/man/Makefile.am b/html/man/Makefile.am
+index 3ed00d44..8a64925a 100644
+--- a/html/man/Makefile.am
++++ b/html/man/Makefile.am
+@@ -90,7 +90,6 @@ docfiles = \
+ 	tiffcrop.1.html \
+ 	tiffdither.1.html \
+ 	tiffdump.1.html \
+-	tiffgt.1.html \
+ 	tiffinfo.1.html \
+ 	tiffmedian.1.html \
+ 	tiffset.1.html \

0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch

@@ -0,0 +1,179 @@
+From eda0ab31e15edbb6ddee96f5c87d52888d68872c Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Sat, 11 Jun 2022 09:31:43 +0000
+Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in
+ tiffcrop (#415, #427, and #428)
+
+(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab)
+---
+ libtiff/tif_aux.c |  9 +++++++
+ libtiff/tiffiop.h |  1 +
+ tools/tiffcrop.c  | 62 ++++++++++++++++++++++++++---------------------
+ 3 files changed, 44 insertions(+), 28 deletions(-)
+
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 140f26c7..5b88c8d0 100644
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
+     return (float)val;
+ }
+ 
++uint32_t _TIFFClampDoubleToUInt32(double val)
++{
++    if( val < 0 )
++        return 0;
++    if( val > 0xFFFFFFFFU || val != val )
++        return 0xFFFFFFFFU;
++    return (uint32_t)val;
++}
++
+ int _TIFFSeekOK(TIFF* tif, toff_t off)
+ {
+     /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index e3af461d..4e8bdac2 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t);
+ extern float _TIFFUInt64ToFloat(uint64_t);
+ 
+ extern float _TIFFClampDoubleToFloat(double);
++extern uint32_t _TIFFClampDoubleToUInt32(double);
+ 
+ extern tmsize_t
+ _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 1f827b2b..90286a5e 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+       {
+       if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
+         {
+-	x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
+-	x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
+-	y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
+-	y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
++	x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
++	x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
++	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
++	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
+         }
+       else
+         {
+-	x1 = (uint32_t) (crop->corners[i].X1);
+-	x2 = (uint32_t) (crop->corners[i].X2);
+-	y1 = (uint32_t) (crop->corners[i].Y1);
+-	y2 = (uint32_t) (crop->corners[i].Y2);
++	x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
++	x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
++	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
++	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ 	}
+       /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 
+        * b) Corners are expected to be submitted as top-left to bottom-right.
+@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+     {
+     if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
+       { /* User has specified pixels as reference unit */
+-      tmargin = (uint32_t)(crop->margins[0]);
+-      lmargin = (uint32_t)(crop->margins[1]);
+-      bmargin = (uint32_t)(crop->margins[2]);
+-      rmargin = (uint32_t)(crop->margins[3]);
++      tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
++      lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
++      bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
++      rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
+       }
+     else
+       { /* inches or centimeters specified */
+-      tmargin = (uint32_t)(crop->margins[0] * scale * yres);
+-      lmargin = (uint32_t)(crop->margins[1] * scale * xres);
+-      bmargin = (uint32_t)(crop->margins[2] * scale * yres);
+-      rmargin = (uint32_t)(crop->margins[3] * scale * xres);
++      tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
++      lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
++      bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
++      rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
+       }
+ 
+     if ((lmargin + rmargin) > image->width)
+@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+   if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
+     {
+     if (crop->crop_mode & CROP_WIDTH)
+-      width = (uint32_t)crop->width;
++      width = _TIFFClampDoubleToUInt32(crop->width);
+     else
+       width = image->width - lmargin - rmargin;
+ 
+     if (crop->crop_mode & CROP_LENGTH)
+-      length  = (uint32_t)crop->length;
++      length  = _TIFFClampDoubleToUInt32(crop->length);
+     else
+       length = image->length - tmargin - bmargin;
+     }
+   else
+     {
+     if (crop->crop_mode & CROP_WIDTH)
+-      width = (uint32_t)(crop->width * scale * image->xres);
++      width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
+     else
+       width = image->width - lmargin - rmargin;
+ 
+     if (crop->crop_mode & CROP_LENGTH)
+-      length  = (uint32_t)(crop->length * scale * image->yres);
++      length  = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
+     else
+       length = image->length - tmargin - bmargin;
+     }
+@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+     {
+     if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
+       { /* inches or centimeters specified */
+-      hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+-      vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
++      hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
++      vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+       }
+     else
+       { /* Otherwise user has specified pixels as reference unit */
+-      hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
+-      vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
++      hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
++      vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
+       }
+ 
+     if ((hmargin * 2.0) > (pwidth * page->hres))
+@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+     {
+     if (page->mode & PAGE_MODE_PAPERSIZE )
+       {
+-      owidth  = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
+-      olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
++      owidth  = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
++      olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
+       }
+     else
+       {
+-      owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
+-      olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
++      owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
++      olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
+       }
+     }
+ 
+@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+   if (olength > ilength)
+     olength = ilength;
+ 
++  if (owidth == 0 || olength == 0)
++  {
++    TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
++    exit(EXIT_FAILURE);
++  }
++
+   /* Compute the number of pages required for Portrait or Landscape */
+   switch (page->orient)
+     {

libtiff.spec

@@ -1,14 +1,17 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.4.0
-Release:       2%{?dist}
+Release:       3%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/
 
 Source:        ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
 
-Patch0:        libtiff-am-version.patch
-Patch1:        libtiff-make-check.patch
+# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/c9s
+# Patches were generated by: git format-patch -N ...
+Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
+Patch0002: 0002-Fix-Makefile.patch
+Patch0003: 0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
 
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
@@ -56,10 +59,7 @@ This package contains command-line programs for manipulating TIFF format
 image files using the libtiff library.
 
 %prep
-%setup -q -n tiff-%{version}
-
-%patch0 -p1
-%patch1 -p1
+%autosetup -p1 -n tiff-%{version}
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -164,6 +164,10 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Mon Jul 18 2022 Matej Mužila <mmuzila@redhat.com> 4.4.0-3
+- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
+- Resolves: #2106768
+
 * Wed Jun 15 2022 Matej Mužila <mmuzila@redhat.com> 4.4.0-2
 - Update to version 4.4.0
 - Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865