diff --git a/0019-fix-cve-2023-6228.patch b/0019-fix-cve-2023-6228.patch new file mode 100644 index 0000000000000000000000000000000000000000..77a3bfe6456b93f99c84b2b7b77899a138ba90b4 --- /dev/null +++ b/0019-fix-cve-2023-6228.patch @@ -0,0 +1,25 @@ +From 229246942412c1347dcc3cd063f68302bec4bb81 Mon Sep 17 00:00:00 2001 +From: Yang_X_Y +Date: Thu, 8 Aug 2024 13:32:42 +0800 +Subject: [PATCH] fix-cve-2023-6228 + +--- + tools/tiffcp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 07ed0eb..f098f62 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -732,6 +732,8 @@ tiffcp(TIFF* in, TIFF* out) + if( !TIFFIsCODECConfigured(compression) ) + return FALSE; + TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression); ++ if (!TIFFIsCODECConfigured(input_compression)) ++ return FALSE; + TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric); + if (input_compression == COMPRESSION_JPEG) { + /* Force conversion to RGB */ +-- +2.33.0 + diff --git a/0020-fix-cve-2023-52356.patch b/0020-fix-cve-2023-52356.patch new file mode 100644 index 0000000000000000000000000000000000000000..4c465fe1dd6edb995943e074a880e8c3bf8565f4 --- /dev/null +++ b/0020-fix-cve-2023-52356.patch @@ -0,0 +1,48 @@ +From 98db84ec639ab06cbbe1525f08c1e57a011c373e Mon Sep 17 00:00:00 2001 +From: Yang_X_Y +Date: Thu, 8 Aug 2024 13:42:48 +0800 +Subject: [PATCH] fix-cve-2023-52356 + +--- + libtiff/tif_getimage.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index 9a2e0c5..f7a8d2c 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -2943,7 +2943,15 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t row, uint32_t * raster, int stop_on_err + + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { + +- img.row_offset = row; ++ if (row >= img.height) ++ { ++ TIFFErrorExtR(tif, TIFFFileName(tif), ++ "Invalid row passed to TIFFReadRGBAStrip()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ ++ img.row_offset = row; + img.col_offset = 0; + + if( row + rowsperstrip > img.height ) +@@ -3018,6 +3026,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in + return( 0 ); + } + ++ if (col >= img.width || row >= img.height) ++ { ++ TIFFErrorExtR(tif, TIFFFileName(tif), ++ "Invalid row/col passed to TIFFReadRGBATile()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ + /* + * The TIFFRGBAImageGet() function doesn't allow us to get off the + * edge of the image, even to fill an otherwise valid tile. So we +-- +2.33.0 + diff --git a/libtiff.spec b/libtiff.spec index 95cbfc0a761e964845b112a2c4e7cb0c593b5585..162309caaa04eff62b9926bd1d139ae113499a35 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,4 +1,4 @@ -%define anolis_release .0.1 +%define anolis_release .0.2 Summary: Library of functions for manipulating TIFF format image files Name: libtiff @@ -34,7 +34,10 @@ Patch0016: 0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch Patch0017: 0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch Patch0018: 0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch - +#https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a +Patch0019: 0019-fix-cve-2023-6228.patch +#https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a +Patch0020: 0020-fix-cve-2023-52356.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel @@ -197,6 +200,9 @@ find html -name 'Makefile*' | xargs rm %doc README.md RELEASE-DATE VERSION %changelog +* Thu Aug 08 2024 yangxinyu - 4.4.0-10.0.2 +- fix cve-2023-6228 cve-2023-52356 + * Wed Dec 06 2023 Zhao Hang - 4.4.0-10.0.1 - Add doc sub package