!174 [sync] PR-170: fix CVE-2023-25433 CVE-2023-26966 CVE-2023-2908

From: @openeuler-sync-bot Reviewed-by: @t_feng Signed-off-by: @t_feng
2023-07-04 09:38:15 +00:00 · 2023-07-04 09:38:15 +00:00 · 695bc4a166
commit 695bc4a166
parent cb741ce6bf 33aedfc39a
4 changed files with 160 additions and 1 deletions
--- a/backport-CVE-2023-25433.patch
+++ b/backport-CVE-2023-25433.patch
@ -0,0 +1,84 @@
+From 688012dca2c39033aa2dc7bcea9796787cfd1b44 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 4 Feb 2023 23:24:21 +0100
+Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
+ fix#520  -- enlarge buffsize and check integer overflow within rotateImage().
+
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
+Conflict:Adaptation Context
+
+---
+ tools/tiffcrop.c | 38 +++++++++++++++++++++++++++++++++++---
+ 1 file changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 3f839d1..e2f8b83 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -8680,7 +8680,8 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+   uint32_t   bytes_per_pixel, bytes_per_sample;
+   uint32_t   row, rowsize, src_offset, dst_offset;
+   uint32_t   i, col, width, length;
+-  uint32_t   colsize, buffsize, col_offset, pix_offset;
+  uint32_t   colsize, col_offset, pix_offset;
+  tmsize_t   buffsize;
+   unsigned char *ibuff;
+   unsigned char *src;
+   unsigned char *dst;
+@@ -8693,12 +8694,40 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+   spp = image->spp;
+   bps = image->bps;
+ 
+  if ((spp != 0 && bps != 0 &&
+       width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
+      (spp != 0 && bps != 0 &&
+       length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
+  {
+    TIFFError("rotateImage", "Integer overflow detected.");
+    return (-1);
+  }
+   rowsize = ((bps * spp * width) + 7) / 8;
+   colsize = ((bps * spp * length) + 7) / 8;
+   if ((colsize * width) > (rowsize * length))
+-    buffsize = (colsize + 1) * width;
+  {
+    if (((tmsize_t)colsize + 1) != 0 &&
+        (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+                           ((tmsize_t)colsize + 1)))
+    {
+        TIFFError("rotateImage",
+                  "Integer overflow when calculating buffer size.");
+        return (-1);
+    }
+    buffsize = ((tmsize_t)colsize + 1) * width;
+  }
+   else
+  {
+    if (((tmsize_t)rowsize + 1) != 0 &&
+        (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+                            ((tmsize_t)rowsize + 1)))
+    {
+        TIFFError("rotateImage",
+                  "Integer overflow when calculating buffer size.");
+        return (-1);
+    }
+     buffsize = (rowsize + 1) * length;
+  }
+ 
+   bytes_per_sample = (bps + 7) / 8;
+   bytes_per_pixel  = ((bps * spp) + 7) / 8;
+@@ -8721,7 +8750,10 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
+   /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+   if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
+     {
+-    TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
+    TIFFError("rotateImage",
+              "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
+              " bytes ",
+              buffsize + NUM_BUFF_OVERSIZE_BYTES);
+     return (-1);
+     }
+   _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-- 
+2.27.0
+
--- a/backport-CVE-2023-26966.patch
+++ b/backport-CVE-2023-26966.patch
@ -0,0 +1,37 @@
+From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 16 Feb 2023 12:03:16 +0100
+Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
+
+Closes #530
+
+See merge request !473
+
+Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/473/diffs
+Conflict:Adaptation Context
+
+---
+ libtiff/tif_luv.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index 13765ea..e511a46 100644
+--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
+@@ -908,6 +908,13 @@ uv_encode(double u, double v, int em)	/* encode (u',v') coordinates */
+ {
+ 	register int	vi, ui;
+ 
+	/* check for NaN */
+	if (u != u || v != v)
+	{
+		u = U_NEU;
+		v = V_NEU;
+	}
+
+ 	if (v < UV_VSTART)
+ 		return oog_encode(u, v);
+ 	vi = tiff_itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
+-- 
+2.27.0
+
--- a/backport-CVE-2023-2908.patch
+++ b/backport-CVE-2023-2908.patch
@ -0,0 +1,32 @@
+From 64105057d03df64841e3aaaaf05e84c069969f55 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Thu, 20 Apr 2023 20:06:20 +0800
+Subject: [PATCH] fix runtime error: applying zero offset to null pointer
+
+Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/479/diffs
+Conflict:Adaptation Context
+
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 349dfe4..8a9ac7d 100644
+--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
+@@ -145,10 +145,10 @@ static uint16_t
+ countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
+ {
+ 	uint16_t i = 0;
+-	const char *ep = s + slen;
+-	const char *cp = s;
+ 
+ 	if (slen > 0) {
+		const char *ep = s + slen;
+		const char *cp = s;
+ 		do {
+ 			for (; cp < ep && *cp != '\0'; cp++) {}
+ 			if (cp >= ep)
+-- 
+2.27.0
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.3.0
-Release:        27
+Release:        28
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@ -38,6 +38,9 @@ Patch6028:      backport-CVE-2023-0800-0801-0802-0803-0804.patch
 Patch6029:      backport-CVE-2023-2731.patch
 Patch6030:      backport-CVE-2023-26965.patch
 Patch6031:      backport-CVE-2023-3316.patch
+Patch6032:      backport-CVE-2023-25433.patch
+Patch6033:      backport-CVE-2023-26966.patch
+Patch6034:      backport-CVE-2023-2908.patch

 Patch9000:	fix-raw2tiff-floating-point-exception.patch

@ -161,6 +164,9 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html

 %changelog
+* Tue Jul 04 2023 zhangpan <zhangpan103@h-partners.com> - 4.3.0-28
+- fix CVE-2023-25433 CVE-2023-26966 CVE-2023-2908
+
 * Sun Jun 25 2023 zhangpan <zhangpan103@h-partners.com> - 4.3.0-27
 - fix CVE-2023-3316