import libtiff-4.0.9-20.el8

2021-11-09 04:49:49 -05:00 · 2021-11-09 04:49:49 -05:00 · fc3854500b
parent f75cedfefe
commit fc3854500b
4 changed files with 191 additions and 1 deletions
--- a/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
+++ b/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
@ -0,0 +1,86 @@
+From 1205e9800a359b4bb4f35b2a7ff5821986e74f19 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/3] enforce (configurable) memory limit in tiff2rgba
+
+fixes #207
+fixes #209
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 4de96ae..e6de220 100644
+--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
+@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
+/* malloc size limit (in bytes)
+ * disabled when set to 0 */
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+ 
+ 
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -70,8 +74,11 @@ main(int argc, char* argv[])
+ 	extern char *optarg;
+ #endif
+ 
+-	while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
+	while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
+ 		switch (c) {
+			case 'M':
+				maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
+				break;
+ 			case 'b':
+ 				process_by_block = 1;
+ 				break;
+@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ 		  (unsigned long)width, (unsigned long)height);
+         return 0;
+     }
+    if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
+	TIFFError(TIFFFileName(in),
+		  "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
+		  (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
+        return 0;
+    }
+ 
+     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ 	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ 	CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+ 
+	if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
+	{
+		TIFFError(TIFFFileName(in),
+			  "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
+			  (uint64)TIFFStripSize(in), (uint64)maxMalloc);
+		return 0;
+	}
+         if( process_by_block && TIFFIsTiled( in ) )
+             return( cvt_by_tile( in, out ) );
+         else if( process_by_block )
+@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+ 
+ static char* stuff[] = {
+-    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+     "where comp is one of the following compression algorithms:",
+     " jpeg\t\tJPEG encoding",
+     " zip\t\tZip/Deflate encoding",
+@@ -543,6 +563,7 @@ static char* stuff[] = {
+     " -b (progress by block rather than as a whole image)",
+     " -n don't emit alpha component.",
+     " -8 write BigTIFF file instead of ClassicTIFF",
+    " -M set the memory allocation limit in MiB. 0 to disable limit",
+     NULL
+ };
+ 
+-- 
+2.31.1
+
--- a/SOURCES/libtiff-CVE-2020-35523.patch
+++ b/SOURCES/libtiff-CVE-2020-35523.patch
@ -0,0 +1,50 @@
+From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow
+
+fixes #211
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index c6edd27..b1f7cc9 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -31,6 +31,7 @@
+  */
+ #include "tiffiop.h"
+ #include <stdio.h>
+#include <limits.h>
+ 
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 
+     flip = setorientation(img);
+     if (flip & FLIP_VERTICALLY) {
+-	    y = h - 1;
+-	    toskew = -(int32)(tw + w);
+        if ((tw + w) > INT_MAX) {
+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+            return (0);
+        }
+        y = h - 1;
+        toskew = -(int32)(tw + w);
+     }
+     else {
+-	    y = 0;
+-	    toskew = -(int32)(tw - w);
+        if (tw > (INT_MAX + w)) {
+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+            return (0);
+        }
+        y = 0;
+        toskew = -(int32)(tw - w);
+     }
+      
+     /*
+-- 
+2.31.1
+
--- a/SOURCES/libtiff-CVE-2020-35524.patch
+++ b/SOURCES/libtiff-CVE-2020-35524.patch
@ -0,0 +1,39 @@
+From f74e26a36dd32050774f1c4a9256147fb25ae595 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 14 Nov 2020 12:53:01 +0000
+Subject: [PATCH 3/3] tiff2pdf.c: properly calculate datasize when saving to
+ JPEG YCbCr
+
+fixes #220
+---
+ tools/tiff2pdf.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index a15a3ef..db380ec 100644
+--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
+@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+ 		(void) 0;
+ 	}
+-	k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+-	if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+-		k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+#ifdef JPEG_SUPPORT
+	if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+	   && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+		k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+	} else
+#endif
+	{
+		k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+		if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+			k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+		}
+ 	}
+ 	if (k == 0) {
+ 		/* Assume we had overflow inside TIFFScanlineSize */
+-- 
+2.31.1
+
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       18%{?dist}
+Release:       20%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@ -23,6 +23,9 @@ Patch11:       libtiff-CVE-2018-18661.patch
 Patch12:       libtiff-CVE-2018-12900.patch
 Patch13:       libtiff-CVE-2019-14973.patch
 Patch14:       libtiff-CVE-2019-17546.patch
+Patch15:       libtiff-CVE-2020-35521_CVE-2020-35522.patch
+Patch16:       libtiff-CVE-2020-35523.patch
+Patch17:       libtiff-CVE-2020-35524.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -89,6 +92,9 @@ image files using the libtiff library.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -192,6 +198,15 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Thu Apr 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-20
+- Rebuild for fixed binutils (#1954437)
+
+* Fri Apr 09 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-19
+- Fix CVE-2020-35521 (#1945539)
+- Fix CVE-2020-35522 (#1945555)
+- Fix CVE-2020-35523 (#1945542)
+- Fix CVE-2020-35524 (#1945546)
+
 * Thu Feb 20 2020 Nikola Forró <nforro@redhat.com> - 4.0.9-18
 - Fix CVE-2019-17546 (#1771372)