diff --git a/backport-CVE-2023-25433.patch b/backport-CVE-2023-25433.patch new file mode 100644 index 0000000..0f2bd57 --- /dev/null +++ b/backport-CVE-2023-25433.patch @@ -0,0 +1,84 @@ +From 688012dca2c39033aa2dc7bcea9796787cfd1b44 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 4 Feb 2023 23:24:21 +0100 +Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() + fix#520 -- enlarge buffsize and check integer overflow within rotateImage(). + +Reference:https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44 +Conflict:Adaptation Context + +--- + tools/tiffcrop.c | 38 +++++++++++++++++++++++++++++++++++--- + 1 file changed, 35 insertions(+), 3 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 3f839d1..e2f8b83 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -8680,7 +8680,8 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + uint32_t bytes_per_pixel, bytes_per_sample; + uint32_t row, rowsize, src_offset, dst_offset; + uint32_t i, col, width, length; +- uint32_t colsize, buffsize, col_offset, pix_offset; ++ uint32_t colsize, col_offset, pix_offset; ++ tmsize_t buffsize; + unsigned char *ibuff; + unsigned char *src; + unsigned char *dst; +@@ -8693,12 +8694,40 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + spp = image->spp; + bps = image->bps; + ++ if ((spp != 0 && bps != 0 && ++ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) || ++ (spp != 0 && bps != 0 && ++ length > (uint32_t)((UINT32_MAX - 7) / spp / bps))) ++ { ++ TIFFError("rotateImage", "Integer overflow detected."); ++ return (-1); ++ } + rowsize = ((bps * spp * width) + 7) / 8; + colsize = ((bps * spp * length) + 7) / 8; + if ((colsize * width) > (rowsize * length)) +- buffsize = (colsize + 1) * width; ++ { ++ if (((tmsize_t)colsize + 1) != 0 && ++ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / ++ ((tmsize_t)colsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } ++ buffsize = ((tmsize_t)colsize + 1) * width; ++ } + else ++ { ++ if (((tmsize_t)rowsize + 1) != 0 && ++ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / ++ ((tmsize_t)rowsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } + buffsize = (rowsize + 1) * length; ++ } + + bytes_per_sample = (bps + 7) / 8; + bytes_per_pixel = ((bps * spp) + 7) / 8; +@@ -8721,7 +8750,10 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + /* Add 3 padding bytes for extractContigSamplesShifted32bits */ + if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) + { +- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); ++ TIFFError("rotateImage", ++ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT ++ " bytes ", ++ buffsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } + _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); +-- +2.27.0 + diff --git a/backport-CVE-2023-26966.patch b/backport-CVE-2023-26966.patch new file mode 100644 index 0000000..077f971 --- /dev/null +++ b/backport-CVE-2023-26966.patch @@ -0,0 +1,37 @@ +From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Thu, 16 Feb 2023 12:03:16 +0100 +Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode(). + +Closes #530 + +See merge request !473 + +Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/473/diffs +Conflict:Adaptation Context + +--- + libtiff/tif_luv.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c +index 13765ea..e511a46 100644 +--- a/libtiff/tif_luv.c ++++ b/libtiff/tif_luv.c +@@ -908,6 +908,13 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */ + { + register int vi, ui; + ++ /* check for NaN */ ++ if (u != u || v != v) ++ { ++ u = U_NEU; ++ v = V_NEU; ++ } ++ + if (v < UV_VSTART) + return oog_encode(u, v); + vi = tiff_itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em); +-- +2.27.0 + diff --git a/backport-CVE-2023-2908.patch b/backport-CVE-2023-2908.patch new file mode 100644 index 0000000..367edbd --- /dev/null +++ b/backport-CVE-2023-2908.patch @@ -0,0 +1,32 @@ +From 64105057d03df64841e3aaaaf05e84c069969f55 Mon Sep 17 00:00:00 2001 +From: zhailiangliang +Date: Thu, 20 Apr 2023 20:06:20 +0800 +Subject: [PATCH] fix runtime error: applying zero offset to null pointer + +Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/479/diffs +Conflict:Adaptation Context + +--- + libtiff/tif_dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 349dfe4..8a9ac7d 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -145,10 +145,10 @@ static uint16_t + countInkNamesString(TIFF *tif, uint32_t slen, const char *s) + { + uint16_t i = 0; +- const char *ep = s + slen; +- const char *cp = s; + + if (slen > 0) { ++ const char *ep = s + slen; ++ const char *cp = s; + do { + for (; cp < ep && *cp != '\0'; cp++) {} + if (cp >= ep) +-- +2.27.0 + diff --git a/libtiff.spec b/libtiff.spec index 645e239..cec9d9e 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,6 +1,6 @@ Name: libtiff Version: 4.3.0 -Release: 27 +Release: 28 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ @@ -38,6 +38,9 @@ Patch6028: backport-CVE-2023-0800-0801-0802-0803-0804.patch Patch6029: backport-CVE-2023-2731.patch Patch6030: backport-CVE-2023-26965.patch Patch6031: backport-CVE-2023-3316.patch +Patch6032: backport-CVE-2023-25433.patch +Patch6033: backport-CVE-2023-26966.patch +Patch6034: backport-CVE-2023-2908.patch Patch9000: fix-raw2tiff-floating-point-exception.patch @@ -161,6 +164,9 @@ find html -name 'Makefile*' | xargs rm %exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Tue Jul 04 2023 zhangpan - 4.3.0-28 +- fix CVE-2023-25433 CVE-2023-26966 CVE-2023-2908 + * Sun Jun 25 2023 zhangpan - 4.3.0-27 - fix CVE-2023-3316