diff --git a/backport-CVE-2023-1916-CVE-2023-3164.patch b/backport-CVE-2023-1916-CVE-2023-3164.patch
new file mode 100644
index 0000000..eda7975
--- /dev/null
+++ b/backport-CVE-2023-1916-CVE-2023-3164.patch
@@ -0,0 +1,114 @@
+From a20298c4785c369469510613dfbc5bf230164fed Mon Sep 17 00:00:00 2001
+From: Lee Howard
+Date: Fri, 17 May 2024 15:11:10 +0000
+Subject: [PATCH] tiffcrop: fixes #542, #550, #552 (buffer overflows, use after
+ free)
+
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/a20298c4785c369469510613dfbc5bf230164fed
+Conflict:Adapt context
+
+---
+ tools/tiffcrop.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b11fec93..aaf6bb28 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -451,6 +451,7 @@ static uint16_t defcompression = (uint16_t) -1;
+ static uint16_t defpredictor = (uint16_t) -1;
+ static int pageNum = 0;
+ static int little_endian = 1;
++static tmsize_t check_buffsize = 0;
+ 
+ /* Functions adapted from tiffcp with additions or significant modifications */
+ static int readContigStripsIntoBuffer (TIFF*, uint8_t*);
+@@ -2084,6 +2085,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+ TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
+ exit (EXIT_FAILURE);
+ }
++ if ((page->cols * page->rows) < 1)
++ {
++ TIFFError("No subdivisions", "%d", (page->cols * page->rows));
++ exit(EXIT_FAILURE);
++ }
+ page->mode |= PAGE_MODE_ROWSCOLS;
+ break;
+ case 'U': /* units for measurements and offsets */
+@@ -4438,7 +4444,7 @@ combineSeparateTileSamplesBytes (unsigned char *srcbuffs[], unsigned char *out,
+ dst = out + (row * dst_rowsize);
+ src_offset = row * src_rowsize;
+ #ifdef DEVELMODE
+- TIFFError("","Tile row %4d, Src offset %6d Dst offset %6d",
++ TIFFError("","Tile row %4d, Src offset %6d Dst offset %6zd",
+ row, src_offset, dst - out);
+ #endif
+ for (col = 0; col < cols; col++)
+@@ -5033,7 +5039,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
+ break;
+ }
+ #ifdef DEVELMODE
+- TIFFError("", "Strip %2"PRIu32", read %5"PRId32" bytes for %4"PRIu32" scanlines, shift width %d",
++ TIFFError("", "Strip %2"PRIu32", read %5zd"" bytes for %4"PRIu32" scanlines, shift width %d",
+ strip, bytes_read, rows_this_strip, shift_width);
+ #endif
+ }
+@@ -6434,6 +6440,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFError("loadImage", "Unable to allocate read buffer");
+ return (-1);
+ }
++ check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
+ 
+ read_buff[buffsize] = 0;
+ read_buff[buffsize+1] = 0;
+@@ -7064,6 +7071,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ TIFFError ("", "Src offset: %8"PRIu32", Dst offset: %8"PRIu32, src_offset, dst_offset);
+ #endif
++ if (src_offset + full_bytes >= check_buffsize)
++ {
++ printf("Bad input. Preventing reading outside of input buffer.\n");
++ return(-1);
++ }
+ _TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
+ dst_offset += full_bytes;
+ }
+@@ -7098,6 +7110,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ bytebuff1 = bytebuff2 = 0;
+ if (shift1 == 0) /* the region is byte and sample aligned */
+ {
++ if (offset1 + full_bytes >= check_buffsize)
++ {
++ printf("Bad input. Preventing reading outside of input buffer.\n");
++ return(-1);
++ }
+ _TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
+ 
+ #ifdef DEVELMODE
+@@ -7117,6 +7134,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ if (trailing_bits != 0)
+ {
+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
++ if (offset1 + full_bytes >= check_buffsize)
++ {
++ printf("Bad input. Preventing reading outside of input buffer.\n");
++ return(-1);
++ }
+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+ sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+@@ -7142,6 +7164,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ {
+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
++ if (offset1 + j + 1 >= check_buffsize)
++ {
++ printf("Bad input. Preventing reading outside of input buffer.\n");
++ return(-1);
++ }
+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+ sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+-- 
+GitLab
+
diff --git a/libtiff.spec b/libtiff.spec
index 66afa35..5cf06de 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,6 +1,6 @@
 Name: libtiff
 Version: 4.3.0
-Release: 36
+Release: 37
 Summary: TIFF Library and Utilities
 License: libtiff
 URL: https://www.simplesystems.org/libtiff/
@@ -48,6 +48,7 @@ Patch6038: backport-CVE-2023-3618.patch
 Patch6039: backport-CVE-2022-40090.patch
 Patch6040: backport-CVE-2022-34526.patch
 Patch6041: backport-CVE-2023-6228.patch
+Patch6042: backport-CVE-2023-1916-CVE-2023-3164.patch
 Patch9000: fix-raw2tiff-floating-point-exception.patch
 Patch9001: backport-0001-CVE-2023-6277.patch
@@ -174,6 +175,12 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 %changelog
+* Mon May 20 2024 lingsheng - 4.3.0-37
+- Type:CVE
+- ID:CVE-2023-1916,CVE-2023-3164
+- SUG:NA
+- DESC:fix CVE-2023-1916 CVE-2023-3164
+
 * Wed Nov 29 2023 liningjie - 4.3.0-36
 - backport patch for fix CVE-2023-6277 issue
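Review bot: The guard `if (src_offset + full_bytes >= check_buffsize)` added in the @@ -7064 hunk of the embedded tiffcrop.c patch, and the three `offset1 + …` guards in the @@ -7098, @@ -7117 and @@ -7142 hunks, add the two operands before comparing against the tmsize_t check_buffsize; src_offset is printed with PRIu32 on the line just above, so if full_bytes is also a 32-bit unsigned (its type is not visible here) the sum can wrap before it is widened, and a wrapped sum would pass the check while _TIFFmemcpy still copies full_bytes bytes. Widening the first operand, e.g. `if ((tmsize_t)src_offset + full_bytes >= check_buffsize)`, keeps the addition in the width of check_buffsize, and the offset1 guards can be written the same way. The new guards also report through `printf(...)` to stdout, while the surrounding file and the new subdivision check in process_command_opts report through TIFFError; `TIFFError("extractImageSection", "Bad input. Preventing reading outside of input buffer.");` would keep diagnostics on one channel. extractImageSection starts and ends outside these hunks.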