Fix CVE-2022-0561 (#2054499) and CVE-2022-0562 (#2054498)

2022-02-15 18:46:11 +01:00 · 2022-02-15 18:46:11 +01:00 · f298c7e204
commit f298c7e204
parent 2612345bea
3 changed files with 65 additions and 1 deletions
--- a/libtiff-CVE-2022-0561.patch
+++ b/libtiff-CVE-2022-0561.patch
@ -0,0 +1,29 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 23194ced..50ebf8ac 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
+ 			_TIFFfree(data);
+ 			return(0);
+ 		}
+-                _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
+-                _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
+		if( dir->tdir_count )
+			_TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
+		_TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
+ 		_TIFFfree(data);
+ 		data=resizeddata;
+ 	}
+-- 
+GitLab
+
--- a/libtiff-CVE-2022-0562.patch
+++ b/libtiff-CVE-2022-0562.patch
@ -0,0 +1,27 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 2bbc4585..23194ced 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
+                     goto bad;
+                 }
+ 
+-                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
+                if (old_extrasamples > 0)
+                    memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
+                 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+                 _TIFFfree(new_sampleinfo);
+         }
+-- 
+GitLab
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.3.0
-Release:       3%{?dist}
+Release:       4%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/

@ -11,6 +11,9 @@ Patch0:        libtiff-am-version.patch
 Patch1:        libtiff-make-check.patch
 # https://gitlab.com/libtiff/libtiff/-/merge_requests/287
 Patch2:        libtiff-CVE-2022-22844.patch
+# https://gitlab.com/libtiff/libtiff/-/issues/362
+Patch3:        libtiff-CVE-2022-0561.patch
+Patch4:        libtiff-CVE-2022-0562.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
@ -63,6 +66,8 @@ image files using the libtiff library.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -167,6 +172,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Tue Feb 15 2022 Nikola Forró <nforro@redhat.com> - 4.3.0-4
+- Fix CVE-2022-0561 (#2054499) and CVE-2022-0562 (#2054498)
+
 * Thu Jan 20 2022 Nikola Forró <nforro@redhat.com> - 4.3.0-3
 - Fix CVE-2022-22844 (#2042604)