diff --git a/CVE-2023-6228.patch b/CVE-2023-6228.patch index 09f259283913b0a13cdd4053923c5a939f6e19b6..00d2a89347bbc4acd6ec2cc269662ce00ed963f5 100644 --- a/CVE-2023-6228.patch +++ b/CVE-2023-6228.patch @@ -1,7 +1,19 @@ -diff -Nurw tiff-4.5.1/tools/tiffcp.c tiff-4.5.1_new/tools/tiffcp.c ---- tiff-4.5.1/tools/tiffcp.c 2023-05-22 21:49:02.000000000 +0800 -+++ tiff-4.5.1_new/tools/tiffcp.c 2024-01-04 18:06:46.495692411 +0800 -@@ -850,6 +850,8 @@ +From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 9 Sep 2023 15:45:47 +0200 +Subject: [PATCH] Check also if codec of input image is available, + independently from codec check of output image and return with error if not. + Fixes #606. + +--- + tools/tiffcp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index aff06260e..2628bdbb9 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out) if (!TIFFIsCODECConfigured(compression)) return FALSE; TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); @@ -10,3 +22,5 @@ diff -Nurw tiff-4.5.1/tools/tiffcp.c tiff-4.5.1_new/tools/tiffcp.c TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); if (input_compression == COMPRESSION_JPEG) { +-- +GitLab diff --git a/Fix-CVE-2023-1916.patch b/Fix-CVE-2023-1916.patch deleted file mode 100644 index c1cf5cff95449bda53f001eb6bfb8e4c78b5aa3b..0000000000000000000000000000000000000000 --- a/Fix-CVE-2023-1916.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -diff -Nurw tiff-4.5.1/tools/tiffcrop.c tiff-4.5.1_new/tools/tiffcrop.c ---- tiff-4.5.1/tools/tiffcrop.c 2023-05-22 22:03:41.000000000 +0800 -+++ tiff-4.5.1_new/tools/tiffcrop.c 2023-10-31 11:55:41.210369592 +0800 -@@ -6307,6 +6307,15 @@ - crop->combined_width += (uint32_t)zwidth; - else - crop->combined_width = (uint32_t)zwidth; -+ -+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */ -+ if (((crop->rotation == 90) || (crop->rotation == 270)) -+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) -+ { -+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); -+ return -1; -+ } -+ - break; - case EDGE_BOTTOM: /* width from left, zones from bottom to top */ - zwidth = offsets.crop_width; -@@ -6354,6 +6363,15 @@ - else - crop->combined_length = (uint32_t)zlength; - crop->combined_width = (uint32_t)zwidth; -+ -+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */ -+ if (((crop->rotation == 90) || (crop->rotation == 270)) -+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) -+ { -+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); -+ return -1; -+ } -+ - break; - case EDGE_RIGHT: /* zones from right to left, length from top */ - zlength = offsets.crop_length; -@@ -6403,6 +6421,15 @@ - crop->combined_width += (uint32_t)zwidth; - else - crop->combined_width = (uint32_t)zwidth; -+ -+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */ -+ if (((crop->rotation == 90) || (crop->rotation == 270)) -+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) -+ { -+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); -+ return -1; -+ } -+ - break; - case EDGE_TOP: /* width from left, zones from top to bottom */ - default: -@@ -6463,6 +6490,15 @@ - else - crop->combined_length = (uint32_t)zlength; - 
crop->combined_width = (uint32_t)zwidth; -+ -+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */ -+ if (((crop->rotation == 90) || (crop->rotation == 270)) -+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) -+ { -+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); -+ return -1; -+ } -+ - break; - } /* end switch statement */ - -@@ -7768,13 +7804,9 @@ - * the input file. Furthermore, bytes and bits are arranged in buffer - * according to COMPRESSION=1 and FILLORDER=1 - */ -- img_rowsize = (((img_width * spp * bps) + 7) / -- 8); /* row size in full bytes of source image */ -- full_bytes = (sect_width * spp * bps) / -- 8; /* number of COMPLETE bytes per row in section */ -- trailing_bits = -- (sect_width * spp * bps) % -- 8; /* trailing bits within the last byte of destination buffer */ -+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ -+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ - - #ifdef DEVELMODE - TIFFError("", -@@ -7810,15 +7842,12 @@ - } - else - { /* bps != 8 */ -- shift1 = -- ((first_col * spp * bps) % -- 8); /* shift1 = bits to skip in the first byte of source buffer*/ -+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ - for (row = first_row; row <= last_row; row++) - { - /* pull out the first byte */ - row_offset = row * img_rowsize; -- offset1 = row_offset + ((first_col * spp * bps) / -- 8); /* offset1 = offset into source of byte -+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte - with first bits to be extracted */ - - #ifdef DEVELMODE -@@ -8906,8 +8935,7 @@ - } - } - -- if (crop_buff == -- read_buff) /* we used the read buffer for the crop buffer */ -+ if 
(crop_buff == read_buff) /* we used the read buffer for the crop buffer */ - *read_buff_ptr = NULL; /* so we don't try to free it later */ - - return (0); diff --git a/Fix-CVE-2023-40745.patch b/Fix-CVE-2023-40745.patch deleted file mode 100644 index 903ea4e8689e55f3b48027014bb459d42f8b3ca4..0000000000000000000000000000000000000000 --- a/Fix-CVE-2023-40745.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) - "Width * Samples/Pixel)"); - return 0; - } -+ -+ if ( (imagew - tilew * spp) > INT_MAX ){ -+ TIFFError(TIFFFileName(in), -+ "Error, image raster scan line size is too large"); -+ return 0; -+ } -+ - iskew = imagew - tilew * spp; - tilebuf = limitMalloc(tilesize); - if (tilebuf == 0) diff --git a/Fix-CVE-2023-41175.patch b/Fix-CVE-2023-41175.patch deleted file mode 100644 index 3fc81d6789764ef2bd0b8400f02176106fe1436f..0000000000000000000000000000000000000000 --- a/Fix-CVE-2023-41175.patch +++ /dev/null 
@@ -1,44 +0,0 @@ ---- a/tools/raw2tiff.c -+++ b/tools/raw2tiff.c -@@ -101,6 +101,7 @@ int main(int argc, char *argv[]) - int fd; - char *outfilename = NULL; - TIFF *out; -+ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/ - - uint32_t row, col, band; - int c; -@@ -221,6 +222,33 @@ int main(int argc, char *argv[]) - if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) - return EXIT_FAILURE; - -+ /* check for integer overflow in */ -+ /* hdr_size + (*width) * (*length) * nbands * depth */ -+ -+ if ((width == 0) || (length == 0) ){ -+ fprintf(stderr, "Too large nbands value specified.\n"); -+ return (EXIT_FAILURE); -+ } -+ -+ temp_limit_check = nbands * depth; -+ -+ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) { -+ fprintf(stderr, "Too large length size specified.\n"); -+ return (EXIT_FAILURE); -+ } -+ temp_limit_check = temp_limit_check * length; -+ -+ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) { -+ fprintf(stderr, "Too large width size specified.\n"); -+ return (EXIT_FAILURE); -+ } -+ temp_limit_check = temp_limit_check * width; -+ -+ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) { -+ fprintf(stderr, "Too large header size specified.\n"); -+ return (EXIT_FAILURE); -+ } -+ - if (outfilename == NULL) - outfilename = argv[optind + 1]; - out = TIFFOpen(outfilename, "w"); diff --git a/libtiff-4.6.0-CVE-2024-7006.patch b/libtiff-4.6.0-CVE-2024-7006.patch new file mode 100644 index 0000000000000000000000000000000000000000..ccb432b3b12ff9f0e60199a99070307303cc63f7 --- /dev/null +++ b/libtiff-4.6.0-CVE-2024-7006.patch 
@@ -0,0 +1,61 @@
+From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
+From: Su_Laus
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+
+Fixes #624
+---
+ libtiff/tif_dirinfo.c | 2 +-
+ libtiff/tif_dirread.c | 16 ++++++----------
+ 2 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index bff7592a8..2338ca21c 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
+ if (fld == NULL)
+ {
+ fld = _TIFFCreateAnonField(tif, tag, dt);
+- if (!_TIFFMergeFields(tif, fld, 1))
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ return NULL;
+ }
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index c79694145..242912f3b 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif)
+ dp->tdir_tag, dp->tdir_tag);
+ /* the following knowingly leaks the
+ anonymous field structure */
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
+ TIFFWarningExtR(
+ tif, module,
+@@ -5156,11 +5154,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
+ "Unknown field with tag %" PRIu16 " (0x%" PRIx16
+ ") encountered",
+ dp->tdir_tag, dp->tdir_tag);
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
+ TIFFWarningExtR(tif, module,
+ "Registering anonymous field with tag %" PRIu16
+--
+GitLab
+
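Review bot: In the `_TIFFFindOrRegisterField` hunk of this patch, `if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) return NULL;` returns without releasing `fld` when the field was created but the merge fails. The `TIFFReadDirectory` hunk carries the context comment `/* the following knowingly leaks the anonymous field structure */`, so upstream appears to accept this there, but the other two call sites show no such comment in the visible context. Assuming `_TIFFCreateAnonField` returns heap memory (its body is not on this page), I would keep the upstream code as is and record the limit next to `Patch0` in the spec, e.g. `# adds the missing NULL check only; fld is still not freed when _TIFFMergeFields fails`. All three functions start and end outside their hunks.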
diff --git a/libtiff.spec b/libtiff.spec index ab8c3816213c2dbc3b35b9b911b7b720e62ed0c0..3abb129220e3c8a986a7255bb5333e4632f42863 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,22 +1,25 @@ -%define anolis_release 5 +%define anolis_release 1 Summary: Library of functions for manipulating TIFF format image files Name: libtiff -Version: 4.5.1 +Version: 4.6.0 Release: %{anolis_release}%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ -Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.xz +Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz + BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel glut-devel xz-devel BuildRequires: python3-sphinx BuildRequires: cmake -Patch0: Fix-CVE-2023-40745.patch -Patch1: Fix-CVE-2023-41175.patch -Patch2: Fix-CVE-2023-1916.patch -Patch3: CVE-2023-6277.patch -Patch4: CVE-2023-6228.patch +# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 +Patch0: libtiff-4.6.0-CVE-2024-7006.patch + +# https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a +Patch1: CVE-2023-6277.patch +# https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a +Patch2: CVE-2023-6228.patch %description The libtiff package contains a library of functions for manipulating @@ -65,15 +68,6 @@ Requires: %{name} = %{version}-%{release} This package contains command-line programs for manipulating TIFF format image files using the libtiff library. -%package opengl -Summary: Command-line utility programs for manipulating TIFF files -Requires: %{name} = %{version}-%{release} - -%description opengl -This package contains command-line programs for manipulating TIFF format -image files using the libtiff library. It complements the libtiff-tools -package, which contains the libtiff tools that don't depend upon opengl. - %prep %autosetup -p1 -n tiff-%{version} 
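Review bot: The provenance comment added above `Patch0` points at commit 3705f82b6483c7906cf08cd6b9dcdcd59c61d779, but the `From` line of libtiff-4.6.0-CVE-2024-7006.patch added in this same commit names 818fb8ce881cf839fbc710f6690aadb992aa0f9e; the comment above `Patch2` does match its patch header (1e7d217a…). If 3705f82b… is the upstream merge commit, say so in the comment; otherwise reference the hash the patch was actually exported from, so an auditor can compare the shipped patch with upstream. Separately, the changed `Source:` line still names a plain `http://` location and nothing in this hunk shows a signature or checksum check on the tarball. Consider `Source: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz` and, if upstream publishes a detached signature, verifying it in `%prep`.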
@@ -114,66 +108,32 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/ %{_mandir}/man3/* %files tools -%{_bindir}/fax2ps -%{_bindir}/fax2tiff -%{_bindir}/pal2rgb -%{_bindir}/ppm2tiff -%{_bindir}/raw2tiff -%{_bindir}/tiff2bw -%{_bindir}/tiff2pdf -%{_bindir}/tiff2ps -%{_bindir}/tiff2rgba -%{_bindir}/tiffcmp %{_bindir}/tiffcp -%{_bindir}/tiffcrop -%{_bindir}/tiffdither %{_bindir}/tiffdump %{_bindir}/tiffinfo -%{_bindir}/tiffmedian %{_bindir}/tiffset %{_bindir}/tiffsplit -%{abidir}/fax2ps-option.list -%{abidir}/fax2tiff-option.list -%{abidir}/pal2rgb-option.list -%{abidir}/ppm2tiff-option.list -%{abidir}/raw2tiff-option.list -%{abidir}/tiff2bw-option.list -%{abidir}/tiff2pdf-option.list -%{abidir}/tiff2rgba-option.list -%{abidir}/tiffcmp-option.list %{abidir}/tiffcp-option.list -%{abidir}/tiffcrop-option.list -%{abidir}/tiffdither-option.list %{abidir}/tiffinfo-option.list -%{abidir}/tiffmedian-option.list %{abidir}/tiffsplit-option.list -%{_mandir}/man1/fax2ps.1* -%{_mandir}/man1/fax2tiff.1* -%{_mandir}/man1/pal2rgb.1* -%{_mandir}/man1/ppm2tiff.1* -%{_mandir}/man1/raw2tiff.1* -%{_mandir}/man1/rgb2ycbcr.1* -%{_mandir}/man1/thumbnail.1* -%{_mandir}/man1/tiff2bw.1* -%{_mandir}/man1/tiff2pdf.1* -%{_mandir}/man1/tiff2ps.1* -%{_mandir}/man1/tiff2rgba.1* -%{_mandir}/man1/tiffcmp.1* %{_mandir}/man1/tiffcp.1* -%{_mandir}/man1/tiffcrop.1* -%{_mandir}/man1/tiffdither.1* %{_mandir}/man1/tiffdump.1* %{_mandir}/man1/tiffinfo.1* -%{_mandir}/man1/tiffmedian.1* %{_mandir}/man1/tiffset.1* %{_mandir}/man1/tiffsplit.1* -%files opengl -%{_bindir}/tiffgt -%{abidir}/tiffgt-option.list -%{_mandir}/man1/tiffgt.1* - %changelog +* Wed Feb 19 2025 mgb01105731 - 4.6.0-1 +- Update to 4.6.0 from 4.5.1 +- Remove libtiff-opengl by reason of tiffgt been removed +- Fix CVE-2023-52355 +- Add patches to fix CVE-2024-7006 +- Remove patch as the new version of tarball already includes changes. 
+- Remove patches as this version removes a big number of utilities that + have suffered from lack of maintenance over the years + [Patches cherry-pick from c10s. Original changelog: + - fix CVE-2024-7006 a null pointer dereference in tif_dirinfo(4.6.0-4)] + * Thu Jan 04 2024 mgb01105731 - 4.5.1-5 - Fix CVE-2023-6228 diff --git a/tiff-4.5.1.tar.xz b/tiff-4.5.1.tar.xz deleted file mode 100644 index 1e17d68fe04d129e5c3f9fd17f9966b628c40a94..0000000000000000000000000000000000000000 Binary files a/tiff-4.5.1.tar.xz and /dev/null differ diff --git a/tiff-4.6.0.tar.gz b/tiff-4.6.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..97d12cf2b7b8629001b4412595d4155e878ec035 Binary files /dev/null and b/tiff-4.6.0.tar.gz differ
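Review bot: The new changelog entry `- Remove patch as the new version of tarball already includes changes.` does not say which patch or CVE it covers, and `- Fix CVE-2023-52355` has no matching patch file anywhere in this diff. Of the three deleted patches, Fix-CVE-2023-40745.patch modifies tools/tiffcp.c, and `%{_bindir}/tiffcp` is still listed under `%files tools`, so that is presumably the one meant; the other two touch tiffcrop.c and raw2tiff.c, whose binaries this hunk removes from the package. Name them explicitly, e.g. `- Remove Fix-CVE-2023-40745.patch (already in the 4.6.0 tarball)` once that has been confirmed against the new source. Also state how CVE-2023-52355 is addressed, so anyone mapping CVEs to fixes from the changelog can trace each one.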