diff --git a/backport-CVE-2022-0909.patch b/backport-CVE-2022-0909.patch new file mode 100644 index 0000000..9d33170 --- /dev/null +++ b/backport-CVE-2022-0909.patch @@ -0,0 +1,35 @@ +From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 8 Mar 2022 16:22:04 +0000 +Subject: [PATCH] fix the FPE in tiffcrop (#393) + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d557acb293fc8cde + +--- + libtiff/tif_dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index a6c254f..77da6ea 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) + break; + case TIFFTAG_XRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); + break; +-- +2.27.0 + diff --git a/backport-CVE-2022-0924.patch b/backport-CVE-2022-0924.patch new file mode 100644 index 0000000..4eff659 --- /dev/null +++ b/backport-CVE-2022-0924.patch @@ -0,0 +1,56 @@ +From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Thu, 10 Mar 2022 08:48:00 +0000 +Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892fed5f7db8b963a + +--- + tools/tiffcp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 1f88951..552d8fa 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + tdata_t obuf; + tstrip_t strip = 0; + tsample_t s; ++ uint16_t bps = 0, bytes_per_sample; + + obuf = limitMalloc(stripsize); + if (obuf == NULL) + return (0); + _TIFFmemset(obuf, 0, stripsize); + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); ++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ bytes_per_sample = bps/8; + for (s = 0; s < spp; s++) { + uint32_t row; + for (row = 0; row < imagelength; row += rowsperstrip) { +@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + + cpContigBufToSeparateBuf( + obuf, (uint8_t*) buf + row * rowsize + s, +- nrows, imagewidth, 0, 0, spp, 1); ++ nrows, imagewidth, 0, 0, spp, bytes_per_sample); + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { + TIFFError(TIFFFileName(out), + "Error, can't write strip %"PRIu32, +-- +2.27.0 + diff --git a/libtiff.spec b/libtiff.spec index e417da9..468030e 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,6 +1,6 @@ Name: libtiff Version: 4.3.0 -Release: 8 +Release: 9 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ @@ -15,6 +15,8 @@ Patch6005: backport-CVE-2022-0891.patch Patch6006: backport-CVE-2022-0907.patch Patch6007: backport-CVE-2022-0908.patch Patch6008: backport-CVE-2022-0865.patch +Patch6009: backport-CVE-2022-0909.patch +Patch6010: backport-CVE-2022-0924.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -135,6 +137,9 @@ find html -name 'Makefile*' | xargs rm %exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Fri Apr 01 2022 dongyuzhen - 4.3.0-9 +- fix CVE-2022-0909,CVE-2022-0924 + * Tue Mar 29 2022 yangcheng - 4.3.0-8 - fix CVE-2022-0865