From c62fd2e884efe9f370d7750c3c0507162d03c6ab Mon Sep 17 00:00:00 2001 From: zhuhongbo Date: Tue, 9 Dec 2025 17:56:15 +0800 Subject: [PATCH] fix cve CVE-2025-8176 CVE-2025-8177 CVE-2025-9900 --- libtiff-CVE-2025-8176.patch | 27 ++++++++++++++++++++ libtiff-CVE-2025-8177.patch | 33 ++++++++++++++++++++++++ libtiff-CVE-2025-9900.patch | 50 +++++++++++++++++++++++++++++++++++++ libtiff.spec | 11 +++++++- 4 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 libtiff-CVE-2025-8176.patch create mode 100644 libtiff-CVE-2025-8177.patch create mode 100644 libtiff-CVE-2025-9900.patch diff --git a/libtiff-CVE-2025-8176.patch b/libtiff-CVE-2025-8176.patch new file mode 100644 index 0000000..f238805 --- /dev/null +++ b/libtiff-CVE-2025-8176.patch @@ -0,0 +1,27 @@ +From 464a0ff0866923214c29d20596b4f1743c8e3956 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Tue, 9 Dec 2025 17:22:34 +0800 +Subject: [PATCH] fix cve CVE-2025-8176 + +--- + tools/tiffmedian.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c +index 6501494..e6b3b04 100644 +--- a/tools/tiffmedian.c ++++ b/tools/tiffmedian.c +@@ -369,6 +369,10 @@ get_histogram(TIFF* in, Colorbox* box) + for (i = 0; i < imagelength; i++) { + if (TIFFReadScanline(in, inputline, i, 0) <= 0) + break; ++ { ++ fprintf(stderr, "Error reading scanline\n"); ++ exit(EXIT_FAILURE); ++ } + inptr = inputline; + for (j = imagewidth; j-- > 0;) { + red = *inptr++ >> COLOR_SHIFT; +-- +2.39.3 + diff --git a/libtiff-CVE-2025-8177.patch b/libtiff-CVE-2025-8177.patch new file mode 100644 index 0000000..06bcac6 --- /dev/null +++ b/libtiff-CVE-2025-8177.patch @@ -0,0 +1,33 @@ +From dc3b094aa2d7d706badab2d8b402be7263ac699d Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Tue, 9 Dec 2025 17:27:58 +0800 +Subject: [PATCH] fix cve CVE-2025-8177 + +--- + tools/thumbnail.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tools/thumbnail.c b/tools/thumbnail.c +index 9a9c439..95c5bcb 100644 +--- a/tools/thumbnail.c ++++ b/tools/thumbnail.c +@@ -522,6 +522,16 @@ setrow(uint8* row, uint32 nrows, const uint8* rows[]) + acc += bits[*src & mask1]; + } + *row++ = cmap[(255*acc)/area]; ++ if (255 * acc / area < 256) ++ { ++ *row++ = cmap[(255*acc)/area]; ++ } ++ else ++ { ++ fprintf(stderr, "acc=%d, area=%d\n", acc, area); ++ *row++ = cmap[0]; ++ } ++ + } + } + +-- +2.39.3 + diff --git a/libtiff-CVE-2025-9900.patch b/libtiff-CVE-2025-9900.patch new file mode 100644 index 0000000..b0b253b --- /dev/null +++ b/libtiff-CVE-2025-9900.patch @@ -0,0 +1,50 @@ +From 12b403965eb783fbd2f7a981c6b75239672395c1 Mon Sep 17 00:00:00 2001 +From: zhuhongbo +Date: Tue, 9 Dec 2025 17:31:53 +0800 +Subject: [PATCH] fix cve CVE-2025-9900 + +--- + libtiff/tif_getimage.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 4c79479..7838377 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -497,6 +497,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) + "No \"put\" routine setupl; probably can not handle image format"); + return (0); + } ++ /* Verify raster width and height against image width and height. */ ++ if (h > img->height) ++ { ++ /* Adapt parameters to read only available lines and put image at ++ * the bottom of the raster. */ ++ raster += (size_t)(h - img->height) * w; ++ h = img->height; ++ } ++ if (w > img->width) ++ { ++ TIFFWarningExt(img->tif, TIFFFileName(img->tif), ++ "Raster width of %d shall not be larger than image " ++ "width of %d -> raster width adapted for reading", ++ w, img->width); ++ w = img->width; ++ } + return (*img->get)(img, raster, w, h); + } + +@@ -515,9 +531,7 @@ TIFFReadRGBAImageOriented(TIFF* tif, + + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) { + img.req_orientation = orientation; +- /* XXX verify rwidth and rheight against width and height */ +- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth, +- rwidth, img.height); ++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight); + TIFFRGBAImageEnd(&img); + } else { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg); +-- +2.39.3 + diff --git a/libtiff.spec b/libtiff.spec index b2d6c52..22c5e62 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.3 -Release: 35%{?dist} +Release: 35%{?dist}.1 License: libtiff Group: System Environment/Libraries @@ -55,6 +55,9 @@ Patch42: libtiff-CVE-2018-18661.patch Patch43: libtiff-coverity.patch Patch44: libtiff-CVE-2019-14973.patch Patch45: libtiff-CVE-2019-17546.patch +Patch46: libtiff-CVE-2025-8176.patch +Patch47: libtiff-CVE-2025-8177.patch +Patch48: libtiff-CVE-2025-9900.patch BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -151,6 +154,9 @@ image files using the libtiff library. %patch43 -p1 %patch44 -p1 %patch45 -p1 +%patch46 -p1 +%patch47 -p1 +%patch48 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -255,6 +261,9 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Tue Dec 09 2025 zhuhongbo - 4.0.3-35.1 +- cve: fix cve CVE-2025-8176 CVE-2025-8177 CVE-2025-9900 + * Mon Apr 06 2020 Nikola Forró - 4.0.3-35 - Fix two resource leaks Related: #1771371 -- Gitee