fix CVE-2022-22844

backport-0001-CVE-2022-22844.patch

@@ -0,0 +1,42 @@
+From 49b81e99704bd199a24ccce65f974cc2d78cccc4 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 4 Jan 2022 11:01:37 +0000
+Subject: [PATCH] fixing global-buffer-overflow in tiffset
+
+Conflict:NA
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/49b81e99704bd199a24ccce65f974cc2d78cccc4
+
+---
+ tools/tiffset.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index 8c9e23c..b7badd9 100644
+--- a/tools/tiffset.c
++++ b/tools/tiffset.c
+@@ -146,9 +146,19 @@ main(int argc, char* argv[])
+ 
+             arg_index++;
+             if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+-                if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+-                    fprintf( stderr, "Failed to set %s=%s\n",
+-                             TIFFFieldName(fip), argv[arg_index] );
++                if(TIFFFieldPassCount( fip )) {
++                    size_t len;
++                    len = (uint32_t)(strlen(argv[arg_index] + 1));
++                    if (TIFFSetField(tiff, TIFFFieldTag(fip),
++                            (uint16_t)len, argv[arg_index]) != 1)
++                        fprintf( stderr, "Failed to set %s=%s",
++                            TIFFFieldName(fip), argv[arg_index] );
++                } else {
++                    if (TIFFSetField(tiff, TIFFFieldTag(fip),
++                            argv[arg_index]) != 1)
++                        fprintf( stderr, "Failed to set %s=%s",
++                            TIFFFieldName(fip), argv[arg_index] );
++                }
+             } else if (TIFFFieldWriteCount(fip) > 0
+ 		       || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+                 int     ret = 1;
+-- 
+2.33.0
+

backport-0002-CVE-2022-22844.patch

@@ -0,0 +1,39 @@
+From 0cf67888e32e36b45828dd467920684c93f2b22d Mon Sep 17 00:00:00 2001
+From: Timothy Lyanguzov <theta682@gmail.com>
+Date: Tue, 25 Jan 2022 04:27:28 +0000
+Subject: [PATCH] Apply 4 suggestion(s) to 1 file(s)
+
+Conflict:NA
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/0cf67888e32e36b45828dd467920684c93f2b22d
+
+---
+ tools/tiffset.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index b7badd9..b8b52c0 100644
+--- a/tools/tiffset.c
++++ b/tools/tiffset.c
+@@ -148,15 +148,15 @@ main(int argc, char* argv[])
+             if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+                 if(TIFFFieldPassCount( fip )) {
+                     size_t len;
+-                    len = (uint32_t)(strlen(argv[arg_index] + 1));
+-                    if (TIFFSetField(tiff, TIFFFieldTag(fip),
++                    len = strlen(argv[arg_index] + 1);
++                    if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
+                             (uint16_t)len, argv[arg_index]) != 1)
+-                        fprintf( stderr, "Failed to set %s=%s",
++                        fprintf( stderr, "Failed to set %s=%s\n",
+                             TIFFFieldName(fip), argv[arg_index] );
+                 } else {
+                     if (TIFFSetField(tiff, TIFFFieldTag(fip),
+                             argv[arg_index]) != 1)
+-                        fprintf( stderr, "Failed to set %s=%s",
++                        fprintf( stderr, "Failed to set %s=%s\n",
+                             TIFFFieldName(fip), argv[arg_index] );
+                 }
+             } else if (TIFFFieldWriteCount(fip) > 0
+-- 
+2.33.0
+

backport-0003-CVE-2022-22844.patch

@@ -0,0 +1,28 @@
+From 0a827a985f891d6df481a6f581c723640fad7874 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 04:30:38 +0000
+Subject: [PATCH] fix a small typo in strlen
+
+Conflict:NA
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/0a827a985f891d6df481a6f581c723640fad7874
+
+---
+ tools/tiffset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index b8b52c0..e7a88c0 100644
+--- a/tools/tiffset.c
++++ b/tools/tiffset.c
+@@ -148,7 +148,7 @@ main(int argc, char* argv[])
+             if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+                 if(TIFFFieldPassCount( fip )) {
+                     size_t len;
+-                    len = strlen(argv[arg_index] + 1);
++                    len = strlen(argv[arg_index]) + 1;
+                     if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
+                             (uint16_t)len, argv[arg_index]) != 1)
+                         fprintf( stderr, "Failed to set %s=%s\n",
+-- 
+2.33.0
+

libtiff.spec

@@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.3.0
-Release:        3
+Release:        4
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@@ -8,6 +8,9 @@ Source0:        https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
 
 Patch6000:	backport-CVE-2022-0561.patch
 Patch6001:	backport-CVE-2022-0562.patch
+Patch6002:	backport-0001-CVE-2022-22844.patch
+Patch6003:	backport-0002-CVE-2022-22844.patch
+Patch6004:	backport-0003-CVE-2022-22844.patch
 
 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires:  libtool automake autoconf pkgconfig 
@@ -128,6 +131,12 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 
 %changelog
+* Tue Mar 08 2022 dongyuzhen <dongyuzhen@h-partners.com> - 4.3.0-4
+- Type:cves
+- ID:CVE-2022-22844 
+- SUG:NA
+- DESC:fix CVE-2022-22844 
+
 * Wed Feb 23 2022 liuyumeng <liuyumeng5@h-partners.com> -4.3.0-3
 - Type:cves
 - ID:CVE-2022-0561CVE-2022-0562