From a8719fcf666deffce41f0c1ed1fd97e40cc55b40 Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Wed, 29 Oct 2025 09:16:10 +0800 Subject: [PATCH 1/2] [CVE]update to libtiff-4.4.0-13.2 to #ID3X6W update to libtiff-4.4.0-13.2 for CVE-2025-8176 CVE-2025-9900 Project: TC2024080204 Signed-off-by: Jacob Wang --- RHEL-112542.patch | 51 ++++++++++++++ RHEL-120243.patch | 70 +++++++++++++++++++ dist | 2 +- ...patch => libtiff-4.6.0-CVE-2024-7006.patch | 18 +++-- libtiff.spec | 45 ++++++------ 5 files changed, 152 insertions(+), 34 deletions(-) create mode 100644 RHEL-112542.patch create mode 100644 RHEL-120243.patch rename 0024-fix-cve-2024-7006.patch => libtiff-4.6.0-CVE-2024-7006.patch (73%) diff --git a/RHEL-112542.patch b/RHEL-112542.patch new file mode 100644 index 0000000..c8f7d8e --- /dev/null +++ b/RHEL-112542.patch 
@@ -0,0 +1,51 @@
+From 713269dcf24faec847643f3ed82c22948ec587b7 Mon Sep 17 00:00:00 2001
+From: Su Laus
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+
+---
+ libtiff/tif_getimage.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 9a2e0c5..7110bfd 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
+ "No \"put\" routine setupl; probably can not handle image format");
+ return (0);
+ }
++ /* Verify raster width and height against image width and height. */
++ if (h > img->height)
++ {
++ /* Adapt parameters to read only available lines and put image at
++ * the bottom of the raster. */
++ raster += (size_t)(h - img->height) * w;
++ h = img->height;
++ }
++ if (w > img->width)
++ {
++ TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
++ "Raster width of %d shall not be larger than image "
++ "width of %d -> raster width adapted for reading",
++ w, img->width);
++ w = img->width;
++ }
+ return (*img->get)(img, raster, w, h);
+ }
+
+@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
+
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
+ img.req_orientation = (uint16_t)orientation;
+- /* XXX verify rwidth and rheight against width and height */
+- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
+- rwidth, img.height);
++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ TIFFRGBAImageEnd(&img);
+ } else {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
+--
+2.47.3
+
diff --git a/RHEL-120243.patch b/RHEL-120243.patch
new file mode 100644
index 0000000..80d10c3
--- /dev/null
+++ b/RHEL-120243.patch
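Review bot: The warning added in the `w > img->width` branch of TIFFRGBAImageGet (RHEL-112542.patch) formats `w` and `img->width` with `%d`, while the signature in the hunk header declares `w` as `uint32_t`, so an oversized raster width is logged as a negative number. `"Raster width of %" PRIu32 " shall not be larger than image "` and `"width of %" PRIu32 " -> raster width adapted for reading",` would match the argument type, assuming `img->width` is also `uint32_t`, which the hunk does not show. The height branch adapts silently where the width branch warns, and `raster += (size_t)(h - img->height) * w;` only lands on the intended row because it runs before `w` is clamped; a comment such as `/* offset uses the caller's row width, keep this ahead of the width clamp */` would protect that ordering. TIFFRGBAImageGet begins above the hunk, so any earlier checks in the function are not visible here.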
@@ -0,0 +1,70 @@
+From c91a4216678bd6692b4195f5c3257605f6d39a18 Mon Sep 17 00:00:00 2001
+From: Lee Howard
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH] Don't skip the first line of the input image. Addresses issue
+ #703
+
+---
+ tools/tiffdither.c | 4 ++--
+ tools/tiffmedian.c | 9 ++++++---
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffdither.c b/tools/tiffdither.c
+index f3f9672..42ad079 100644
+--- a/tools/tiffdither.c
++++ b/tools/tiffdither.c
+@@ -95,7 +95,7 @@ fsdither(TIFF* in, TIFF* out)
+ nextptr = nextline;
+ for (j = 0; j < imagewidth; ++j)
+ *nextptr++ = *inptr++;
+- for (i = 1; i < imagelength; ++i) {
++ for (i = 0; i < imagelength; ++i) {
+ tmpptr = thisline;
+ thisline = nextline;
+ nextline = tmpptr;
+@@ -138,7 +138,7 @@ fsdither(TIFF* in, TIFF* out)
+ nextptr[0] += v / 16;
+ }
+ }
+- if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ goto skip_on_error;
+ }
+ goto exit_label;
+diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
+index 90c4c6a..8fc2674 100644
+--- a/tools/tiffmedian.c
++++ b/tools/tiffmedian.c
+@@ -386,7 +386,10 @@ get_histogram(TIFF* in, Colorbox* box)
+ }
+ for (i = 0; i < imagelength; i++) {
+ if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+- break;
++ {
++ fprintf(stderr, "Error reading scanline\n");
++ exit(EXIT_FAILURE);
++ }
+ inptr = inputline;
+ for (j = imagewidth; j-- > 0;) {
+ red = (*inptr++) & 0xff >> COLOR_SHIFT;
+@@ -845,7 +848,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+ outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
+
+ GetInputLine(in, 0, goto bad); /* get first line */
+- for (i = 1; i <= imagelength; ++i) {
++ for (i = 0; i < imagelength; ++i) {
+ SWAP(short *, thisline, nextline);
+ lastline = (i >= imax);
+ if (i <= imax)
+@@ -916,7 +919,7 @@ quant_fsdither(TIFF* in, TIFF* out)
+ nextptr += 3;
+ }
+ }
+- if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
++ if (TIFFWriteScanline(out, outline, i, 0) < 0)
+ break; + } + bad: +-- +2.47.3 + diff --git a/dist b/dist index 89c1faf..1f9f8c9 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an9 +an9_6 diff --git a/0024-fix-cve-2024-7006.patch b/libtiff-4.6.0-CVE-2024-7006.patch similarity index 73% rename from 0024-fix-cve-2024-7006.patch rename to libtiff-4.6.0-CVE-2024-7006.patch index 2066cf8..e953fea 100644 --- a/0024-fix-cve-2024-7006.patch +++ b/libtiff-4.6.0-CVE-2024-7006.patch @@ -1,8 +1,7 @@ -diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c -index c30f569..c2df6cf 100644 ---- a/libtiff/tif_dirinfo.c -+++ b/libtiff/tif_dirinfo.c -@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt) +diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c +--- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 2024-08-16 00:35:35.339965778 +0200 ++++ tiff-4.4.0/libtiff/tif_dirinfo.c 2024-08-16 00:54:58.255221954 +0200 +@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint fld = TIFFFindField(tif, tag, dt); if (fld == NULL) { fld = _TIFFCreateAnonField(tif, tag, dt); @@ -11,10 +10,9 @@ index c30f569..c2df6cf 100644 return NULL; } -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 32653f0..58c1c2a 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c +diff -up tiff-4.4.0/libtiff/tif_dirread.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirread.c +--- tiff-4.4.0/libtiff/tif_dirread.c.CVE-2024-7006 2024-08-16 00:35:35.341965797 +0200 ++++ tiff-4.4.0/libtiff/tif_dirread.c 2024-08-16 00:59:02.455017380 +0200 @@ -4038,11 +4038,10 @@ TIFFReadDirectory(TIFF* tif) dp->tdir_tag,dp->tdir_tag); /* the following knowingly leaks the 
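Review bot: In RHEL-120243.patch both dither loops now start at `i = 0` and write row `i`, but the read of scanline 0 ahead of each loop stays in place (`GetInputLine(in, 0, goto bad); /* get first line */` in quant_fsdither, the copy into `nextline` in fsdither). If the loop bodies still fetch scanline `i` into `nextline` after the swap, row 0 is read twice and every output row is built from the line fetched one iteration earlier, leaving the last input line unprocessed. The bodies are outside the hunks, so this is inferred; it should be confirmed against the full functions and covered by a test that compares output rows with input rows. Separately, the new failure path in get_histogram prints `"Error reading scanline\n"` with no row index or file name, which makes a truncated or malformed input harder to triage; including `i` in the message would help.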
@@ -31,7 +29,7 @@ index 32653f0..58c1c2a 100644 TIFFWarningExt(tif->tif_clientdata, module, "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed", -@@ -4805,10 +4804,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff, +@@ -4805,10 +4804,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_ TIFFWarningExt(tif->tif_clientdata, module, "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered", dp->tdir_tag, dp->tdir_tag); diff --git a/libtiff.spec b/libtiff.spec index 06d0499..31f990d 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,9 +1,7 @@ -%define anolis_release .0.3 - Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.4.0 -Release: 12%{anolis_release}%{?dist} +Release: 13%{?dist}.2 License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -38,10 +36,18 @@ Patch0020: 0020-CVE-2023-3618-tiffcrop-fix-553-by-considering-error-.patch Patch0021: 0021-CVE-2023-40745-CVE-2023-41175-raw2tiff-fix-integer-o.patch Patch0022: 0022-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch -#https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a -Patch0023: 0023-fix-cve-2023-52356.patch +# from upstream, for <=4.6.0, RHEL-52931 +# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 +Patch23: libtiff-4.6.0-CVE-2024-7006.patch + +# CVE-2025-9900 +Patch24: RHEL-112542.patch -Patch0024: 0024-fix-cve-2024-7006.patch +# CVE-2025-8176 +Patch25: RHEL-120243.patch + +#https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a +Patch0026: 0023-fix-cve-2023-52356.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel 
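Review bot: `Patch0026: 0023-fix-cve-2023-52356.patch` in libtiff.spec is still applied, yet the changelog hunk further down removes the `fix cve-2023-52356` entry and nothing on the new side replaces it. Anyone auditing the build through `rpm -q --changelog` will no longer see that CVE-2023-52356 is fixed, so keep a changelog line for it and add `# CVE-2023-52356` above the upstream commit URL, as is done for Patch24 and Patch25. The patch also moves from before the CVE-2024-7006 patch to after Patch23–Patch25 and keeps its `0023-` file name under number 26; a one-line comment noting the new position would save the next rebase from guessing the order.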
@@ -88,14 +94,6 @@ Requires: %{name}%{?_isa} = %{version}-%{release} This package contains command-line programs for manipulating TIFF format image files using the libtiff library. -%package doc -Summary: Documents for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} - -%description doc -Doc pages for %{name}. - %prep %autosetup -p1 -n tiff-%{version} @@ -187,6 +185,7 @@ find html -name 'Makefile*' | xargs rm %{_libdir}/libtiffxx.so.* %files devel +%doc TODO ChangeLog html %{_includedir}/* %{_libdir}/libtiff.so %{_libdir}/libtiffxx.so @@ -200,18 +199,18 @@ find html -name 'Makefile*' | xargs rm %{_bindir}/* %{_mandir}/man1/* -%files doc -%doc README.md RELEASE-DATE VERSION - %changelog -* Thu Nov 07 2024 Xulin Gao - 4.4.0-12.0.3 -- fix cve-2024-7006 +* Mon Oct 20 2025 RHEL Packaging Agent - 4.4.0-13.2 +- fix CVE-2025-8176 off-by-one error skipping first line in tiffdither + and tiffmedian +- Resolves: RHEL-120243 -* Thu Aug 08 2024 yangxinyu - 4.4.0-10.0.2 -- fix cve-2023-52356 +* Fri Oct 10 2025 RHEL Packaging Agent - 4.4.0-13.1 +- fix CVE-2025-9900 buffer underflow in TIFFReadRGBAImageOriented +- Resolves: RHEL-112542 -* Wed May 15 2024 Zhao Hang - 4.4.0-12.0.1 -- Add doc sub package +* Wed Aug 21 2024 Michal Hlavinka - 4.4.0-13 +- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52931) * Thu Nov 23 2023 Matej Mužila - 4.4.0-12 - Fix CVE-2023-6228 -- Gitee From c2276312b317bef06ffac41b5c6cb4a085527fea Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Tue, 19 Jul 2022 10:20:56 +0800 Subject: [PATCH 2/2] spec: add doc sub package Signed-off-by: Zhao Hang --- libtiff.spec | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libtiff.spec b/libtiff.spec index 31f990d..6ad19f8 100644 --- a/libtiff.spec +++ b/libtiff.spec 
@@ -1,7 +1,9 @@ +%define anolis_release .0.1 + Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.4.0 -Release: 13%{?dist}.2 +Release: 13%{anolis_release}%{?dist}.2 License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -94,6 +96,14 @@ Requires: %{name}%{?_isa} = %{version}-%{release} This package contains command-line programs for manipulating TIFF format image files using the libtiff library. +%package doc +Summary: Documents for %{name} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} + +%description doc +Doc pages for %{name}. + %prep %autosetup -p1 -n tiff-%{version} @@ -185,7 +195,6 @@ find html -name 'Makefile*' | xargs rm %{_libdir}/libtiffxx.so.* %files devel -%doc TODO ChangeLog html %{_includedir}/* %{_libdir}/libtiff.so %{_libdir}/libtiffxx.so @@ -199,7 +208,13 @@ find html -name 'Makefile*' | xargs rm %{_bindir}/* %{_mandir}/man1/* +%files doc +%doc README.md RELEASE-DATE VERSION + %changelog +* Wed Oct 29 2025 Zhao Hang - 4.4.0-13.0.1.2 +- Add doc sub package + * Mon Oct 20 2025 RHEL Packaging Agent - 4.4.0-13.2 - fix CVE-2025-8176 off-by-one error skipping first line in tiffdither and tiffmedian -- Gitee