From 1b46f2d32b7cd9c266d74f14e01453733faaf918 Mon Sep 17 00:00:00 2001 From: liuyumeng Date: Wed, 23 Feb 2022 10:41:38 +0800 Subject: [PATCH] fix CVE-2022-0561 CVE-2022-0562 (cherry picked from commit a3d577c7fdc338b5d4db0ff343631fdb47158ac2) --- backport-CVE-2022-0561.patch | 28 ++++++++++++++++++++++++++++ backport-CVE-2022-0562.patch | 26 ++++++++++++++++++++++++++ libtiff.spec | 10 +++++++++- 3 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-0561.patch create mode 100644 backport-CVE-2022-0562.patch diff --git a/backport-CVE-2022-0561.patch b/backport-CVE-2022-0561.patch new file mode 100644 index 0000000..d74c5e5 --- /dev/null +++ b/backport-CVE-2022-0561.patch @@ -0,0 +1,28 @@ +From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 6 Feb 2022 13:08:38 +0100 +Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 23194ced..50ebf8ac 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); +- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); ++ if( dir->tdir_count ) ++ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); ++ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); + _TIFFfree(data); + data=resizeddata; + } +-- +GitLab \ No newline at end of file diff --git a/backport-CVE-2022-0562.patch b/backport-CVE-2022-0562.patch new file mode 100644 index 0000000..98a72fd --- /dev/null +++ b/backport-CVE-2022-0562.patch @@ -0,0 +1,26 @@ +From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 5 Feb 2022 20:36:41 +0100 +Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 2bbc4585..23194ced 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) + goto bad; + } + +- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); ++ if (old_extrasamples > 0) ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + _TIFFfree(new_sampleinfo); + } +-- +GitLab diff --git a/libtiff.spec b/libtiff.spec index eef746d..d2cd129 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,11 +1,13 @@ Name: libtiff Version: 4.3.0 -Release: 5 +Release: 6 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz +Patch6000: backport-CVE-2022-0561.patch +Patch6001: backport-CVE-2022-0562.patch Patch9000: fix-raw2tiff-floating-point-exception.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel @@ -127,6 +129,12 @@ find html -name 'Makefile*' | xargs rm %exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Wed Feb 23 2022 liuyumeng - 4.3.0-6 +- Type:cves +- ID:CVE-2022-0561 CVE-2022-0562 +- SUG:NA +- DESC:fix CVE-2022-0561 CVE-2022-0562 + * Fri Dec 24 2021 liuyumeng - 4.3.0-5 - fix the dependency package connot find TIFF_SSIZE_T in tiffio.h