9 changed files with 1 additions and 534 deletions
--- a/SOURCES/0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch
+++ b/SOURCES/0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch
@ -1,37 +0,0 @@
 From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001
 From: Even Rouault <even.rouault@mines-paris.org>
 Date: Tue, 13 Mar 2018 14:39:30 +0000
 Subject: [PATCH] (CVE-2018-15209) Merge branch
 'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master'
 ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
 See merge request libtiff/libtiff!26
 (cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063)
 ---
 libtiff/tif_dirread.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
 index b72e6a3b..bc1ab083 100644
 --- a/libtiff/tif_dirread.c
 +++ b/libtiff/tif_dirread.c
@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
         if( nstrips == 0 )
             return;
 +        /* If we are going to allocate a lot of memory, make sure that the */
 +        /* file is as big as needed */
 +        if( tif->tif_mode == O_RDONLY &&
 +            nstrips > 1000000 &&
 +            (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
 +             tif->tif_dir.td_stripbytecount[0] >
 +                    TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
 +        {
 +            return;
 +        }
 +
 	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 				"for chopped \"StripByteCounts\" array");
 	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
--- a/SOURCES/0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch
+++ b/SOURCES/0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch
@ -1,172 +0,0 @@
 From 83f6ae4cce52cd4feaebf2bc4fc2d5077a10677c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
 Date: Thu, 16 May 2024 14:43:44 +0200
 Subject: [PATCH] (CVE-2023-25433) Merge branch
 'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
 tiffcrop correctly update buffersize after rotateImage() fix#520
 Closes #520
 See merge request libtiff/libtiff!467
 (cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
 ---
 tools/tiffcrop.c | 72 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 58 insertions(+), 14 deletions(-)
 diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
 index 77923cf3..8b761874 100644
 --- a/tools/tiffcrop.c
 +++ b/tools/tiffcrop.c
@@ -529,7 +529,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
 static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, 
                                      uint32,   uint32, uint8 *, uint8 *);
 static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
 - 		       unsigned char **);
 + 		       unsigned char **, tsize_t *);
 static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
 		       unsigned char *);
 static int invertImage(uint16, uint16, uint16, uint32, uint32,
@@ -6358,7 +6358,7 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
       return (-1);
       }
 -    if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
 +    if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
       {
       TIFFError ("correct_orientation", "Unable to rotate image");
       return (-1);
@@ -7578,16 +7578,20 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
     if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
       {
 +      /* rotateImage() set up a new buffer and calculates its size
 +       * individually. Therefore, seg_buffs size  needs to be updated
 +       * accordingly. */
 +
 +      tsize_t rot_buf_size = 0;
       if (rotateImage(crop->rotation, image, &crop->combined_width, 
 -                      &crop->combined_length, &crop_buff))
 +                      &crop->combined_length, &crop_buff, &rot_buf_size))
         {
         TIFFError("processCropSelections", 
                   "Failed to rotate composite regions by %d degrees", crop->rotation);
         return (-1);
         }
       seg_buffs[0].buffer = crop_buff;
 -      seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
 -                            * image->spp) * crop->combined_length; 
 +      seg_buffs[0].size = rot_buf_size;
       }
     }
   else  /* Separated Images */
@@ -7684,8 +7688,18 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
       if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
         {
 -	if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, 
 -			&crop->regionlist[i].length, &crop_buff))
 +        /* rotateImage() changes image->width, ->length, ->xres and
 +         * ->yres, what it schouldn't do here, when more than one
 +         * section is processed. ToDo: Therefore rotateImage() and its
 +         * usage has to be reworked (e.g. like mirrorImage()) !!
 +         * Furthermore, rotateImage() set up a new buffer and calculates
 +         * its size individually. Therefore, seg_buffs size  needs to be
 +         * updated accordingly. */
 +          tsize_t rot_buf_size = 0;
 +          if (rotateImage(
 +                      crop->rotation, image, &crop->regionlist[i].width,
 +                      &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
 +
           {
           TIFFError("processCropSelections", 
                     "Failed to rotate crop region by %d degrees", crop->rotation);
@@ -7696,8 +7710,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
         crop->combined_width = total_width;
         crop->combined_length = total_length;
         seg_buffs[i].buffer = crop_buff;
 -        seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
 -                               * image->spp) * crop->regionlist[i].length; 
 +        seg_buffs[i].size = rot_buf_size;
         }
       }
     }
@@ -7813,7 +7826,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
     {
     if (rotateImage(crop->rotation, image, &crop->combined_width, 
 -                    &crop->combined_length, crop_buff_ptr))
 +                    &crop->combined_length, crop_buff_ptr, NULL))
       {
       TIFFError("createCroppedImage", 
                 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
@@ -8476,13 +8489,14 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
 /* Rotate an image by a multiple of 90 degrees clockwise */
 static int
 rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, 
 -            uint32 *img_length, unsigned char **ibuff_ptr)
 +            uint32 *img_length, unsigned char **ibuff_ptr, tsize_t *rot_buf_size)
   {
   int      shift_width;
   uint32   bytes_per_pixel, bytes_per_sample;
   uint32   row, rowsize, src_offset, dst_offset;
   uint32   i, col, width, length;
 -  uint32   colsize, buffsize, col_offset, pix_offset;
 +  uint32   colsize,  col_offset, pix_offset;
 +  tmsize_t buffsize;
   unsigned char *ibuff;
   unsigned char *src;
   unsigned char *dst;
@@ -8495,12 +8509,40 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
   spp = image->spp;
   bps = image->bps;
 +  if ((spp != 0 && bps != 0 &&
 +       width > (uint32)((UINT32_MAX - 7) / spp / bps)) ||
 +      (spp != 0 && bps != 0 &&
 +       length > (uint32)((UINT32_MAX - 7) / spp / bps)))
 +  {
 +      TIFFError("rotateImage", "Integer overflow detected.");
 +      return (-1);
 +  }
   rowsize = ((bps * spp * width) + 7) / 8;
   colsize = ((bps * spp * length) + 7) / 8;
   if ((colsize * width) > (rowsize * length))
 -    buffsize = (colsize + 1) * width;
 +  {
 +      if (((tmsize_t)colsize + 1) != 0 &&
 +          (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - 3) /
 +                             ((tmsize_t)colsize + 1)))
 +      {
 +          TIFFError("rotateImage",
 +                    "Integer overflow when calculating buffer size.");
 +          return (-1);
 +      }
 +      buffsize = ((tmsize_t)colsize + 1) * width;
 +  }
   else
 -    buffsize = (rowsize + 1) * length;
 +  {
 +      if (((tmsize_t)rowsize + 1) != 0 &&
 +          (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - 3) /
 +                              ((tmsize_t)rowsize + 1)))
 +      {
 +          TIFFError("rotateImage",
 +                    "Integer overflow when calculating buffer size.");
 +          return (-1);
 +      }
 +      buffsize = (rowsize + 1) * length;
 +  }
   bytes_per_sample = (bps + 7) / 8;
   bytes_per_pixel  = ((bps * spp) + 7) / 8;
@@ -8526,6 +8568,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
     return (-1);
     }
   _TIFFmemset(rbuff, '\0', buffsize);
 +  if (rot_buf_size != NULL)
 +      *rot_buf_size = buffsize;
   ibuff = *ibuff_ptr;
   switch (rotation)
--- a/SOURCES/0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch
+++ b/SOURCES/0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch
@ -1,50 +0,0 @@
 From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
 Date: Thu, 16 May 2024 14:54:52 +0200
 Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master'
 TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622)
 Closes #622
 See merge request libtiff/libtiff!546
 (cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e)
 ---
 libtiff/tif_getimage.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
 index 00cd5510..4f32b3a4 100644
 --- a/libtiff/tif_getimage.c
 +++ b/libtiff/tif_getimage.c
@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error)
     if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
 +        if (row >= img.height)
 +        {
 +            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
 +                          "Invalid row passed to TIFFReadRGBAStrip().");
 +            TIFFRGBAImageEnd(&img);
 +            return (0);
 +        }
 +
         img.row_offset = row;
         img.col_offset = 0;
@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
 	    return( 0 );
     }
 +    if (col >= img.width || row >= img.height)
 +    {
 +        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
 +                      "Invalid row/col passed to TIFFReadRGBATile().");
 +        TIFFRGBAImageEnd(&img);
 +        return (0);
 +    }
 +
     /*
      * The TIFFRGBAImageGet() function doesn't allow us to get off the
      * edge of the image, even to fill an otherwise valid tile.  So we
--- a/SOURCES/0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
+++ b/SOURCES/0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
@ -1,30 +0,0 @@
 From 32346d49db890969d7de19e8eebff00400280926 Mon Sep 17 00:00:00 2001
 From: Even Rouault <even.rouault@spatialys.com>
 Date: Sat, 9 Sep 2023 15:11:42 +0000
 Subject: [PATCH] (CVE-2023-6228) Merge branch
 'fix_606_tiffcp_check_also_input_compression_codec' into 'master'
 tiffcp: Fixes #606. Check also codec of input image, not only from output image.
 Closes #606
 See merge request libtiff/libtiff!533
 (cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e)
 ---
 tools/tiffcp.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/tools/tiffcp.c b/tools/tiffcp.c
 index fb98bd57..81ec6bbd 100644
 --- a/tools/tiffcp.c
 +++ b/tools/tiffcp.c
@@ -622,6 +622,8 @@ tiffcp(TIFF* in, TIFF* out)
 	else
 		CopyField(TIFFTAG_COMPRESSION, compression);
 	TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
 +    if (!TIFFIsCODECConfigured(input_compression))
 +        return FALSE;
 	TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
 	if (input_compression == COMPRESSION_JPEG) {
 		/* Force conversion to RGB */
--- a/SOURCES/RHEL-112533.patch
+++ b/SOURCES/RHEL-112533.patch
@ -1,51 +0,0 @@
 From 3e164d0fa9c48dbdc76620442ffbb02de9e5724e Mon Sep 17 00:00:00 2001
 From: Su Laus <sulau@freenet.de>
 Date: Wed, 11 Jun 2025 19:45:19 +0000
 Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
 rows at TIFFReadRGBAImageOriented()
 ---
 libtiff/tif_getimage.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
 diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
 index 4f32b3a..70a0362 100644
 --- a/libtiff/tif_getimage.c
 +++ b/libtiff/tif_getimage.c
@@ -511,6 +511,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 		"No \"put\" routine setupl; probably can not handle image format");
 		return (0);
     }
 +    /* Verify raster width and height against image width and height. */
 +    if (h > img->height)
 +    {
 +        /* Adapt parameters to read only available lines and put image at
 +         * the bottom of the raster. */
 +        raster += (size_t)(h - img->height) * w;
 +        h = img->height;
 +    }
 +    if (w > img->width)
 +    {
 +        TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
 +                        "Raster width of %d shall not be larger than image "
 +                        "width of %d -> raster width adapted for reading",
 +                        w, img->width);
 +        w = img->width;
 +    }
     return (*img->get)(img, raster, w, h);
 }
@@ -529,9 +545,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
 	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
 		img.req_orientation = (uint16)orientation;
 -		/* XXX verify rwidth and rheight against width and height */
 -		ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
 -			rwidth, img.height);
 +		ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
 		TIFFRGBAImageEnd(&img);
 	} else {
 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
 -- 
 2.47.3
--- a/SOURCES/RHEL-120230.patch
+++ b/SOURCES/RHEL-120230.patch
@ -1,70 +0,0 @@
 From 0117a16f9c0b6e3462b8547fa56ea90f3e198b10 Mon Sep 17 00:00:00 2001
 From: Lee Howard <faxguy@howardsilvan.com>
 Date: Mon, 19 May 2025 10:53:30 -0700
 Subject: [PATCH] Don't skip the first line of the input image. Addresses issue
 #703
 ---
 tools/tiffdither.c | 4 ++--
 tools/tiffmedian.c | 9 ++++++---
 2 files changed, 8 insertions(+), 5 deletions(-)
 diff --git a/tools/tiffdither.c b/tools/tiffdither.c
 index 247553c..cc41c51 100644
 --- a/tools/tiffdither.c
 +++ b/tools/tiffdither.c
@@ -93,7 +93,7 @@ fsdither(TIFF* in, TIFF* out)
 	nextptr = nextline;
 	for (j = 0; j < imagewidth; ++j)
 		*nextptr++ = *inptr++;
 -	for (i = 1; i < imagelength; ++i) {
 +	for (i = 0; i < imagelength; ++i) {
 		tmpptr = thisline;
 		thisline = nextline;
 		nextline = tmpptr;
@@ -136,7 +136,7 @@ fsdither(TIFF* in, TIFF* out)
 					nextptr[0] += v / 16;
 			}
 		}
 -		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
 +		if (TIFFWriteScanline(out, outline, i, 0) < 0)
 			goto skip_on_error;
 	}
 	goto exit_label;
 diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
 index f0c892e..99fd1f2 100644
 --- a/tools/tiffmedian.c
 +++ b/tools/tiffmedian.c
@@ -370,7 +370,10 @@ get_histogram(TIFF* in, Colorbox* box)
 	}
 	for (i = 0; i < imagelength; i++) {
 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
 -			break;
 +		{
 +			fprintf(stderr, "Error reading scanline\n");
 +			exit(EXIT_FAILURE);
 +		}
 		inptr = inputline;
 		for (j = imagewidth; j-- > 0;) {
 			red = (*inptr++) & 0xff >> COLOR_SHIFT;
@@ -829,7 +832,7 @@ quant_fsdither(TIFF* in, TIFF* out)
 	outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
 	GetInputLine(in, 0, goto bad);		/* get first line */
 -	for (i = 1; i <= imagelength; ++i) {
 +	for (i = 0; i < imagelength; ++i) {
 		SWAP(short *, thisline, nextline);
 		lastline = (i >= imax);
 		if (i <= imax)
@@ -900,7 +903,7 @@ quant_fsdither(TIFF* in, TIFF* out)
 				nextptr += 3;
 			}
 		}
 -		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
 +		if (TIFFWriteScanline(out, outline, i, 0) < 0)
 			break;
 	}
 bad:
 -- 
 2.47.3
--- a/SOURCES/libtiff-4.0.9-CVE-2017-17095.patch
+++ b/SOURCES/libtiff-4.0.9-CVE-2017-17095.patch
@ -1,40 +0,0 @@
 From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001
 From: Nathan Baker <elitebadger@gmail.com>
 Date: Thu, 25 Jan 2018 21:28:15 +0000
 Subject: [PATCH] Add workaround to pal2rgb buffer overflow.
 ---
 tools/pal2rgb.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
 diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
 index 0423598f0..01fcf9411 100644
 --- a/tools/pal2rgb.c
 +++ b/tools/pal2rgb.c
@@ -182,8 +182,21 @@ main(int argc, char* argv[])
 	{ unsigned char *ibuf, *obuf;
 	  register unsigned char* pp;
 	  register uint32 x;
 -	  ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
 -	  obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
 +	  tmsize_t tss_in = TIFFScanlineSize(in);
 +	  tmsize_t tss_out = TIFFScanlineSize(out);
 +	  if (tss_out / tss_in < 3) {
 +		/*
 +		 * BUG 2750: The following code does not know about chroma
 +		 * subsampling of JPEG data. It assumes that the output buffer is 3x
 +		 * the length of the input buffer due to exploding the palette into
 +		 * RGB tuples. If this assumption is incorrect, it could lead to a
 +		 * buffer overflow. Go ahead and fail now to prevent that.
 +		 */
 +		fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
 +		return -1;
 +      }
 +	  ibuf = (unsigned char*)_TIFFmalloc(tss_in);
 +	  obuf = (unsigned char*)_TIFFmalloc(tss_out);
 	  switch (config) {
 	  case PLANARCONFIG_CONTIG:
 		for (row = 0; row < imagelength; row++) {
 -- 
 GitLab
--- a/SOURCES/libtiff-4.6.0-CVE-2024-7006.patch
+++ b/SOURCES/libtiff-4.6.0-CVE-2024-7006.patch
@ -1,46 +0,0 @@
 diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c
 --- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006	2024-08-16 00:35:35.339965778 +0200
 +++ tiff-4.4.0/libtiff/tif_dirinfo.c	2024-08-16 00:54:58.255221954 +0200
@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint
 	fld = TIFFFindField(tif, tag, dt);
 	if (fld == NULL) {
 		fld = _TIFFCreateAnonField(tif, tag, dt);
 -		if (!_TIFFMergeFields(tif, fld, 1))
 +		if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
 			return NULL;
 	}
 diff -up tiff-4.0.9/libtiff/tif_dirread.c~ tiff-4.0.9/libtiff/tif_dirread.c
 --- tiff-4.0.9/libtiff/tif_dirread.c~	2024-08-29 23:31:19.884308223 +0200
 +++ tiff-4.0.9/libtiff/tif_dirread.c	2024-08-29 23:31:19.909308479 +0200
@@ -3667,11 +3667,10 @@ TIFFReadDirectory(TIFF* tif)
 				    dp->tdir_tag,dp->tdir_tag);
                                 /* the following knowingly leaks the 
                                    anonymous field structure */
 -				if (!_TIFFMergeFields(tif,
 -					_TIFFCreateAnonField(tif,
 -						dp->tdir_tag,
 -						(TIFFDataType) dp->tdir_type),
 -					1)) {
 +				const TIFFField *fld = _TIFFCreateAnonField(
 +					tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
 +				if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
 +				{
 					TIFFWarningExt(tif->tif_clientdata,
 					    module,
 					    "Registering anonymous field with tag %d (0x%x) failed",
@@ -4392,10 +4391,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_
 			TIFFWarningExt(tif->tif_clientdata, module,
 			    "Unknown field with tag %d (0x%x) encountered",
 			    dp->tdir_tag, dp->tdir_tag);
 -			if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
 -						dp->tdir_tag,
 -						(TIFFDataType) dp->tdir_type),
 -					     1)) {
 +		const TIFFField *fld = _TIFFCreateAnonField(
 +				tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
 +			if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
 +			{
 				TIFFWarningExt(tif->tif_clientdata, module,
 				    "Registering anonymous field with tag %d (0x%x) failed",
 				    dp->tdir_tag, dp->tdir_tag);
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       36%{?dist}
+Release:       31%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@ -50,26 +50,7 @@ Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
 Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
 Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
 Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
 Patch0040: 0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch
 Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch
 Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch
 Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
 # from upstream, for <=4.6.0, RHEL-52927
 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
 Patch44:       libtiff-4.6.0-CVE-2024-7006.patch
 # from upstream, for < 4.0.10, RHEL-87363
 # https://gitlab.com/libtiff/libtiff/-/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655
 Patch45:       libtiff-4.0.9-CVE-2017-17095.patch
 # Fix buffer underflow crash for less raster rows at TIFFReadRGBAImageOriented(), RHEL-112533
 # CVE-2025-9900
 Patch46:       RHEL-112533.patch
 # Fix skipping first line of input image in tiffdither and tiffmedian, RHEL-120230
 # CVE-2025-8176
 Patch47:       RHEL-120230.patch
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -223,24 +204,6 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 %changelog
 * Mon Nov 03 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.0.9-36
 - fix CVE-2025-8176: prevent skipping first line in tiffdither and
  tiffmedian tools (RHEL-120230)
 * Tue Oct 14 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.0.9-35
 - fix CVE-2025-9900: buffer underflow crash in TIFFReadRGBAImageOriented()
  (RHEL-112533)
 * Tue Apr 22 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-34
 - fix CVE-2017-17095: heap-based buffer overflow in pal2rgb (RHEL-87363)
 * Thu Aug 29 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-33
 - fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927)
 * Thu May 16 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-32
 - Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209
 - Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406
 * Fri Jan 05 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-31
 - Fix CVE-2022-3599 CVE-2022-4645
 - Resolves: RHEL-5399