New upstream release 4.5.0 (#2153870)

Fix CVE-2022-3570, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-2519,
  CVE-2022-2953, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626,
  CVE-2022-3627, CVE-2022-3970 (#2142735, #2118854, #2118867, #2118875,
  #2122795, #2134437, #2142737, #2148881, #2148888, #2148894, #2148897,
  #2148919)
Matej Mužila 2023-05-22 14:21:11 +02:00
parent 178634f441
commit cfa398260d
7 changed files with 65 additions and 276 deletions

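--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@
 /tiff-4.2.0.tar.gz
 /tiff-4.3.0.tar.gz
 /tiff-4.4.0.tar.gz
+/tiff-4.5.0.tar.gz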


@ -1,180 +0,0 @@
From dd1bcc7abb26094e93636e85520f0d8f81ab0fab Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Sat, 11 Jun 2022 09:31:43 +0000
Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428)
---
libtiff/tif_aux.c | 9 +++++++
libtiff/tiffiop.h | 1 +
tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
3 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 140f26c7..5b88c8d0 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
return (float)val;
}
+uint32_t _TIFFClampDoubleToUInt32(double val)
+{
+ if( val < 0 )
+ return 0;
+ if( val > 0xFFFFFFFFU || val != val )
+ return 0xFFFFFFFFU;
+ return (uint32_t)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index e3af461d..4e8bdac2 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t);
extern float _TIFFUInt64ToFloat(uint64_t);
extern float _TIFFClampDoubleToFloat(double);
+extern uint32_t _TIFFClampDoubleToUInt32(double);
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 1f827b2b..90286a5e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
{
- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
}
else
{
- x1 = (uint32_t) (crop->corners[i].X1);
- x2 = (uint32_t) (crop->corners[i].X2);
- y1 = (uint32_t) (crop->corners[i].Y1);
- y2 = (uint32_t) (crop->corners[i].Y2);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
/* a) Region needs to be within image sizes 0.. width-1; 0..length-1
* b) Corners are expected to be submitted as top-left to bottom-right.
@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{ /* User has specified pixels as reference unit */
- tmargin = (uint32_t)(crop->margins[0]);
- lmargin = (uint32_t)(crop->margins[1]);
- bmargin = (uint32_t)(crop->margins[2]);
- rmargin = (uint32_t)(crop->margins[3]);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
}
else
{ /* inches or centimeters specified */
- tmargin = (uint32_t)(crop->margins[0] * scale * yres);
- lmargin = (uint32_t)(crop->margins[1] * scale * xres);
- bmargin = (uint32_t)(crop->margins[2] * scale * yres);
- rmargin = (uint32_t)(crop->margins[3] * scale * xres);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
}
if ((lmargin + rmargin) > image->width)
@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)crop->width;
+ width = _TIFFClampDoubleToUInt32(crop->width);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)crop->length;
+ length = _TIFFClampDoubleToUInt32(crop->length);
else
length = image->length - tmargin - bmargin;
}
else
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)(crop->width * scale * image->xres);
+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)(crop->length * scale * image->yres);
+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
else
length = image->length - tmargin - bmargin;
}
@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
{ /* inches or centimeters specified */
- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
}
else
{ /* Otherwise user has specified pixels as reference unit */
- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
}
if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->mode & PAGE_MODE_PAPERSIZE )
{
- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
- olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
}
else
{
- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
}
}
@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
if (olength > ilength)
olength = ilength;
+ if (owidth == 0 || olength == 0)
+ {
+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
+ exit(EXIT_FAILURE);
+ }
+
/* Compute the number of pages required for Portrait or Landscape */
switch (page->orient)
{
--
GitLab


@ -1,28 +0,0 @@
From 275735d0354e39c0ac1dc3c0db2120d6f31d1990 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 27 Jun 2022 16:09:43 +0200
Subject: [PATCH] _TIFFCheckFieldIsValidForCodec(): return FALSE when passed a
codec-specific tag and the codec is not configured (fixes #433)
This avoids crashes when querying such tags
---
libtiff/tif_dirinfo.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index c30f569b..3371cb5c 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -1191,6 +1191,9 @@ _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
default:
return 1;
}
+ if( !TIFFIsCODECConfigured(tif->tif_dir.td_compression) ) {
+ return 0;
+ }
/* Check if codec specific tags are allowed for the current
* compression scheme (codec) */
switch (tif->tif_dir.td_compression) {
--
GitLab


@ -15,10 +15,11 @@ diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 84e26ac6..480b927c 100644 index 84e26ac6..480b927c 100644
--- a/tools/tiffcrop.c --- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c +++ b/tools/tiffcrop.c
@@ -5329,18 +5329,39 @@ @@ -5935,18 +5935,40 @@ static int computeInputPixelOffsets(struct crop_mask *crop,
crop->regionlist[i].buffsize = buffsize; crop->regionlist[i].buffsize = buffsize;
crop->bufftotal += buffsize; crop->bufftotal += buffsize;
+
+ /* For composite images with more than one region, the + /* For composite images with more than one region, the
+ * combined_length or combined_width always needs to be equal, + * combined_length or combined_width always needs to be equal,
+ * respectively. + * respectively.
@ -55,7 +56,7 @@ index 84e26ac6..480b927c 100644
crop->combined_width = zwidth; crop->combined_width = zwidth;
crop->combined_length += zlength; crop->combined_length += zlength;
break; break;
@@ -6546,6 +6567,46 @@ @@ -7301,6 +7323,46 @@ static int extractCompositeRegions(struct image_data *image,
crop->combined_width = 0; crop->combined_width = 0;
crop->combined_length = 0; crop->combined_length = 0;
@ -102,7 +103,7 @@ index 84e26ac6..480b927c 100644
for (i = 0; i < crop->selections; i++) for (i = 0; i < crop->selections; i++)
{ {
/* rows, columns, width, length are expressed in pixels */ /* rows, columns, width, length are expressed in pixels */
@@ -6570,7 +6631,8 @@ @@ -7325,7 +7387,8 @@ static int extractCompositeRegions(struct image_data *image,
default: default:
case EDGE_TOP: case EDGE_TOP:
case EDGE_BOTTOM: case EDGE_BOTTOM:
@ -110,15 +111,18 @@ index 84e26ac6..480b927c 100644
+ if ((crop->selections > i + 1) && + if ((crop->selections > i + 1) &&
+ (crop_width != crop->regionlist[i + 1].width)) + (crop_width != crop->regionlist[i + 1].width))
{ {
TIFFError ("extractCompositeRegions", TIFFError("extractCompositeRegions",
"Only equal width regions can be combined for -E top or bottom"); "Only equal width regions can be combined for -E "
@@ -6651,7 +6713,8 @@ @@ -7418,7 +7481,8 @@ static int extractCompositeRegions(struct image_data *image,
break; case EDGE_LEFT: /* splice the pieces of each row together, side by
case EDGE_LEFT: /* splice the pieces of each row together, side by side */ side */
case EDGE_RIGHT: case EDGE_RIGHT:
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) - if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+ if ((crop->selections > i + 1) && + if ((crop->selections > i + 1) &&
+ (crop_length != crop->regionlist[i + 1].length)) + (crop_length != crop->regionlist[i + 1].length))
{ {
TIFFError ("extractCompositeRegions", TIFFError("extractCompositeRegions",
"Only equal length regions can be combined for -E left or right"); "Only equal length regions can be combined for "
--
2.38.1


@ -1,12 +0,0 @@
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
index 587296c..696005e 100644
--- a/html/man/Makefile.am
+++ b/html/man/Makefile.am
@@ -92,7 +92,6 @@ docfiles = \
tiffcrop.1.html \
tiffdither.1.html \
tiffdump.1.html \
- tiffgt.1.html \
tiffinfo.1.html \
tiffmedian.1.html \
tiffset.1.html \


@ -1,21 +1,21 @@
Summary: Library of functions for manipulating TIFF format image files Summary: Library of functions for manipulating TIFF format image files
Name: libtiff Name: libtiff
Version: 4.4.0 Version: 4.5.0
Release: 8%{?dist} Release: 3%{?dist}
License: libtiff License: libtiff
URL: http://www.simplesystems.org/libtiff/ URL: http://www.simplesystems.org/libtiff/
Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
Patch0: libtiff-am-version.patch Patch0: libtiff-am-version.patch
Patch1: libtiff-make-check.patch
Patch2: libtiff-CVE-2022-2056_2057_2058.patch
Patch3: libtiff-CVE-2022-34526.patch
Patch4: libtiff-CVE-2023-0804.patch Patch4: libtiff-CVE-2023-0804.patch
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel
BuildRequires: libtool automake autoconf pkgconfig BuildRequires: libtool automake autoconf pkgconfig
# Add old libtiff to work with packages not built with new libtiff.so.6
BuildRequires: libtiff
BuildRequires: make BuildRequires: make
%description %description
@ -62,9 +62,6 @@ image files using the libtiff library.
%autosetup -n tiff-%{version} -N %autosetup -n tiff-%{version} -N
%patch0 -p1 -b .backup %patch0 -p1 -b .backup
%patch1 -p1 -b .backup
%patch2 -p1 -b .backup
%patch3 -p1 -b .backup
%patch4 -p1 -b .backup %patch4 -p1 -b .backup
# Use build system's libtool.m4, not the one in the package. # Use build system's libtool.m4, not the one in the package.
@ -98,9 +95,6 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/tiffsv
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1
rm -f html/man/tiffgt.1.html
rm -f html/man/sgi2tiff.1.html
rm -f html/man/tiffsv.1.html
# multilib header hack # multilib header hack
# we only apply this to known Red Hat multilib arches, per bug #233091 # we only apply this to known Red Hat multilib arches, per bug #233091
@ -140,22 +134,24 @@ EOF
fi fi
# Copy old soname %{_libdir}/libtiff.so.5
# Copy old soname %{_libdir}/libtiffxx.so.5
cp %{_libdir}/libtiff.so.5* $RPM_BUILD_ROOT%{_libdir}
cp %{_libdir}/libtiffxx.so.5* $RPM_BUILD_ROOT%{_libdir}
%ldconfig_scriptlets %ldconfig_scriptlets
%check %check
LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
# don't include documentation Makefiles, they are a multilib hazard
find html -name 'Makefile*' | xargs rm
%files %files
%license COPYRIGHT %license LICENSE.md
%doc README.md RELEASE-DATE VERSION %doc README.md RELEASE-DATE VERSION
%{_libdir}/libtiff.so.* %{_libdir}/libtiff.so.*
%{_libdir}/libtiffxx.so.* %{_libdir}/libtiffxx.so.*
%files devel %files devel
%doc TODO ChangeLog html %doc TODO ChangeLog
%{_includedir}/* %{_includedir}/*
%{_libdir}/libtiff.so %{_libdir}/libtiff.so
%{_libdir}/libtiffxx.so %{_libdir}/libtiffxx.so
@ -170,6 +166,14 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Thu Oct 05 2023 Matej Mužila <mmuzila@redhat.com> - 4.5.0-3
- New upstream release 4.5.0 (#2153870)
- Fix CVE-2022-3570, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-2519,
CVE-2022-2953, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626,
CVE-2022-3627, CVE-2022-3970 (#2142735, #2118854, #2118867, #2118875,
#2122795, #2134437, #2142737, #2148881, #2148888, #2148894, #2148897,
#2148919)
* Mon Aug 28 2023 Nikola Forró <nforro@redhat.com> - 4.4.0-8 * Mon Aug 28 2023 Nikola Forró <nforro@redhat.com> - 4.4.0-8
- Enable support for LERC compression (#2234459) - Enable support for LERC compression (#2234459)
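Review bot: The two copy lines `cp %{_libdir}/libtiff.so.5* $RPM_BUILD_ROOT%{_libdir}` and `cp %{_libdir}/libtiffxx.so.5* $RPM_BUILD_ROOT%{_libdir}`, together with `BuildRequires: libtiff`, package whatever libtiff.so.5 binary happens to be installed in the build root; they appear to be on the new side of this change, which is inferred from the libtiff.so.6 comment because the +/- markers are lost on this page. That binary is not built from the `tiff-4.5.0.tar.gz` pinned by the SHA512 in the sources file, and it is presumably a 4.4.0-era build, so anything still linked against the old soname would keep running code without the fixes for the CVEs listed in this changelog entry. The `%{_libdir}/libtiff.so.*` glob in `%files` then ships it with nothing to mark its origin or patch level. I would at least add a comment above the copy, e.g. `# libtiff.so.5 is copied from the buildroot's installed libtiff, not rebuilt from this source; it does not carry the 4.5.0 CVE fixes`, and mention the compat copy in the changelog entry. Preferably the old soname would move to a separate compat subpackage built from patched sources, so that scanners and users can tell the two libraries apart.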


@ -1 +1 @@
SHA512 (tiff-4.4.0.tar.gz) = 78ffab7667d0feb8d38571bc482390fc6dd20b93a798ab3a8b5cc7d5ab00b44a37f67eb8f19421e4ab33ad89ab40e382128f8a4bbdf097e0efb6d9fca5ac6f9e SHA512 (tiff-4.5.0.tar.gz) = 02b94e355ac96ac2ecce717aff2b1e04b1bfe95bcd0cfa72e09cbd580c45de0afe341170daad0cf560064b5a8910b3e56ef260484c69919bb0545df90abe7fa9