diff --git a/RHEL-112542.patch b/RHEL-112542.patch deleted file mode 100644 index c8f7d8e4ef48024062b67a862d34198cd0e073bd..0000000000000000000000000000000000000000 --- a/RHEL-112542.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 713269dcf24faec847643f3ed82c22948ec587b7 Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Wed, 11 Jun 2025 19:45:19 +0000 -Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster - rows at TIFFReadRGBAImageOriented() - ---- - libtiff/tif_getimage.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index 9a2e0c5..7110bfd 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h) - "No \"put\" routine setupl; probably can not handle image format"); - return (0); - } -+ /* Verify raster width and height against image width and height. */ -+ if (h > img->height) -+ { -+ /* Adapt parameters to read only available lines and put image at -+ * the bottom of the raster. */ -+ raster += (size_t)(h - img->height) * w; -+ h = img->height; -+ } -+ if (w > img->width) -+ { -+ TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif), -+ "Raster width of %d shall not be larger than image " -+ "width of %d -> raster width adapted for reading", -+ w, img->width); -+ w = img->width; -+ } - return (*img->get)(img, raster, w, h); - } - -@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif, - - if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) { - img.req_orientation = (uint16_t)orientation; -- /* XXX verify rwidth and rheight against width and height */ -- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth, -- rwidth, img.height); -+ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight); - TIFFRGBAImageEnd(&img); - } else { - TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg); --- -2.47.3 - diff --git a/RHEL-120243.patch b/RHEL-120243.patch deleted file mode 100644 index 80d10c30869419240a2d22fbf366345110dab261..0000000000000000000000000000000000000000 --- a/RHEL-120243.patch +++ /dev/null @@ -1,70 +0,0 @@ -From c91a4216678bd6692b4195f5c3257605f6d39a18 Mon Sep 17 00:00:00 2001 -From: Lee Howard -Date: Mon, 19 May 2025 10:53:30 -0700 -Subject: [PATCH] Don't skip the first line of the input image. Addresses issue - #703 - ---- - tools/tiffdither.c | 4 ++-- - tools/tiffmedian.c | 9 ++++++--- - 2 files changed, 8 insertions(+), 5 deletions(-) - -diff --git a/tools/tiffdither.c b/tools/tiffdither.c -index f3f9672..42ad079 100644 ---- a/tools/tiffdither.c -+++ b/tools/tiffdither.c -@@ -95,7 +95,7 @@ fsdither(TIFF* in, TIFF* out) - nextptr = nextline; - for (j = 0; j < imagewidth; ++j) - *nextptr++ = *inptr++; -- for (i = 1; i < imagelength; ++i) { -+ for (i = 0; i < imagelength; ++i) { - tmpptr = thisline; - thisline = nextline; - nextline = tmpptr; -@@ -138,7 +138,7 @@ fsdither(TIFF* in, TIFF* out) - nextptr[0] += v / 16; - } - } -- if (TIFFWriteScanline(out, outline, i-1, 0) < 0) -+ if (TIFFWriteScanline(out, outline, i, 0) < 0) - goto skip_on_error; - } - goto exit_label; -diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c -index 90c4c6a..8fc2674 100644 ---- a/tools/tiffmedian.c -+++ b/tools/tiffmedian.c -@@ -386,7 +386,10 @@ get_histogram(TIFF* in, Colorbox* box) - } - for (i = 0; i < imagelength; i++) { - if (TIFFReadScanline(in, inputline, i, 0) <= 0) -- break; -+ { -+ fprintf(stderr, "Error reading scanline\n"); -+ exit(EXIT_FAILURE); -+ } - inptr = inputline; - for (j = imagewidth; j-- > 0;) { - red = (*inptr++) & 0xff >> COLOR_SHIFT; -@@ -845,7 +848,7 @@ quant_fsdither(TIFF* in, TIFF* out) - outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out)); - - GetInputLine(in, 0, goto bad); /* get first line */ -- for (i = 1; i <= imagelength; ++i) { -+ for (i = 0; i < imagelength; ++i) { - SWAP(short *, thisline, nextline); - lastline = (i >= imax); - if (i <= imax) -@@ -916,7 +919,7 @@ quant_fsdither(TIFF* in, TIFF* out) - nextptr += 3; - } - } -- if (TIFFWriteScanline(out, outline, i-1, 0) < 0) -+ if (TIFFWriteScanline(out, outline, i, 0) < 0) - break; - } - bad: --- -2.47.3 - diff --git a/dist b/dist index 1f9f8c9bbdfdaf483d0bfdf0bf3c48d3cad6b1b9..89c1faffc18349bb12eee2371e9dc43bf419b95c 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an9_6 +an9 diff --git a/0023-fix-cve-2023-52356.patch b/libtiff-4.4.0-CVE-2023-52356.patch similarity index 50% rename from 0023-fix-cve-2023-52356.patch rename to libtiff-4.4.0-CVE-2023-52356.patch index c4a418c9d6ef61ed691b1f64e36af44342b882ce..8fc43443c9f752d673d0908f612169d9c34775a5 100644 --- a/0023-fix-cve-2023-52356.patch +++ b/libtiff-4.4.0-CVE-2023-52356.patch @@ -1,40 +1,39 @@ -From 98db84ec639ab06cbbe1525f08c1e57a011c373e Mon Sep 17 00:00:00 2001 -From: Yang_X_Y -Date: Thu, 8 Aug 2024 13:42:48 +0800 -Subject: [PATCH] fix-cve-2023-52356 +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 15:58:41 +0100 +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of + col/row (fixes #622) --- - libtiff/tif_getimage.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) + libtiff/tif_getimage.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index 9a2e0c5..f7a8d2c 100644 +index 41f7dfd77..6fee35db2 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c -@@ -2943,7 +2943,15 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t row, uint32_t * raster, int stop_on_err +@@ -2943,6 +2943,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { -- img.row_offset = row; + if (row >= img.height) + { -+ TIFFErrorExt(tif, TIFFFileName(tif), ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), + "Invalid row passed to TIFFReadRGBAStrip()."); + TIFFRGBAImageEnd(&img); + return (0); + } + -+ img.row_offset = row; + img.row_offset = row; img.col_offset = 0; - if( row + rowsperstrip > img.height ) -@@ -3018,6 +3026,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in +@@ -3018,6 +3026,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t return( 0 ); } -+ if (col >= img.width || row >= img.height) ++ if (col >= img.width || row >= img.height) + { -+ TIFFErrorExt(tif, TIFFFileName(tif), ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), + "Invalid row/col passed to TIFFReadRGBATile()."); + TIFFRGBAImageEnd(&img); + return (0); @@ -43,6 +42,3 @@ index 9a2e0c5..f7a8d2c 100644 /* * The TIFFRGBAImageGet() function doesn't allow us to get off the * edge of the image, even to fill an otherwise valid tile. So we --- -2.33.0 - diff --git a/libtiff-4.4.0-cve2023-52355.patch b/libtiff-4.4.0-cve2023-52355.patch new file mode 100644 index 0000000000000000000000000000000000000000..96fa881c00485b901dc158ab96608bde64be7a88 --- /dev/null +++ b/libtiff-4.4.0-cve2023-52355.patch @@ -0,0 +1,596 @@ +diff -up tiff-4.4.0/html/libtiff.html.cvedoc tiff-4.4.0/html/libtiff.html +--- tiff-4.4.0/html/libtiff.html.cvedoc 2022-02-19 16:33:54.000000000 +0100 ++++ tiff-4.4.0/html/libtiff.html 2025-05-05 15:46:15.541350830 +0200 +@@ -127,11 +127,16 @@ +

+

+ To deal with segmented pointer issues libtiff also provides +- _TIFFmemcpy, _TIFFmemset, and _TIFFmemmove ++ _TIFFmemcpy, _TIFFmemset, and _TIFFmemcmp + routines that mimic the equivalent ANSI C routines, but that are + intended for use with memory allocated through _TIFFmalloc + and _TIFFrealloc. +

++

++ With libtiff 4.5 a method was introduced to limit the internal ++ memory allocation that functions are allowed to request per call ++ (see TIFFOpenOptionsSetMaxSingleMemAlloc and TIFFOpenExt). ++

+
+

Error Handling

+

+@@ -143,6 +148,11 @@ + Likewise warning messages are directed to a single handler routine + that can be specified with a call to TIFFSetWarningHandler +

++

++ Further application-specific and per-TIFF handle (re-entrant) error handler ++ and warning handler can be set. Please refer to TIFFError ++ and TIFFOpenOptions. ++

+
+

Basic File Handling

+

+@@ -155,7 +165,7 @@ + main()
+ {
+     TIFF* tif = TIFFOpen("foo.tif", "r");
+-     ... do stuff ...
++     /* ... do stuff ... */
+     TIFFClose(tif);
+ } +

+@@ -196,6 +206,27 @@ + buffered information to a file. Note that if you call TIFFClose + you do not need to call TIFFFlush. +

++

++ ++ ++ ++ ++ ++
In order to prevent out-of-memory issues when opening a TIFF file ++ TIFFOpenExt can be used and then the maximum single memory ++ limit in byte that libtiff internal memory allocation functions ++ are allowed to request per call can be set with ++ TIFFOpenOptionsSetMaxSingleMemAlloc.
++

++Example: ++

++ tmsize_t limit = (256 * 1024 * 1024);
++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit);
++ TIFF *tif = TIFFOpenExt("foo.tif", "w", opts);
++ TIFFOpenOptionsFree(opts);
++ /* ... go on here ... */
++

+
+

TIFF Directories

+

+diff -up tiff-4.4.0/html/man/Makefile.am.cvedoc tiff-4.4.0/html/man/Makefile.am +--- tiff-4.4.0/html/man/Makefile.am.cvedoc 2025-05-05 15:46:15.492346180 +0200 ++++ tiff-4.4.0/html/man/Makefile.am 2025-05-05 15:49:32.759368119 +0200 +@@ -38,6 +38,7 @@ docfiles = \ + TIFFcodec.3tiff.html \ + TIFFcolor.3tiff.html \ + TIFFDataWidth.3tiff.html \ ++ TIFFDeferStrileArrayWriting.3tiff.html \ + TIFFError.3tiff.html \ + TIFFFieldDataType.3tiff.html \ + TIFFFieldName.3tiff.html \ +@@ -49,6 +50,7 @@ docfiles = \ + TIFFGetField.3tiff.html \ + TIFFmemory.3tiff.html \ + TIFFOpen.3tiff.html \ ++ TIFFOpenOptions.3tiff.html \ + TIFFPrintDirectory.3tiff.html \ + TIFFquery.3tiff.html \ + TIFFReadDirectory.3tiff.html \ +@@ -66,6 +68,7 @@ docfiles = \ + TIFFSetField.3tiff.html \ + TIFFsize.3tiff.html \ + TIFFstrip.3tiff.html \ ++ TIFFStrileQuery.3tiff.html \ + TIFFswab.3tiff.html \ + TIFFtile.3tiff.html \ + TIFFWarning.3tiff.html \ +diff -up tiff-4.4.0/man/Makefile.am.cvedoc tiff-4.4.0/man/Makefile.am +--- tiff-4.4.0/man/Makefile.am.cvedoc 2025-05-05 15:46:42.027712039 +0200 ++++ tiff-4.4.0/man/Makefile.am 2025-05-05 15:48:31.730675076 +0200 +@@ -51,6 +51,7 @@ dist_man3_MANS = \ + TIFFcodec.3tiff \ + TIFFcolor.3tiff \ + TIFFDataWidth.3tiff \ ++ TIFFDeferStrileArrayWriting.3tiff \ + TIFFError.3tiff \ + TIFFFieldDataType.3tiff \ + TIFFFieldName.3tiff \ +@@ -62,6 +63,7 @@ dist_man3_MANS = \ + TIFFGetField.3tiff \ + TIFFmemory.3tiff \ + TIFFOpen.3tiff \ ++ TIFFOpenOptions.3tiff \ + TIFFPrintDirectory.3tiff \ + TIFFquery.3tiff \ + TIFFReadDirectory.3tiff \ +@@ -79,6 +81,7 @@ dist_man3_MANS = \ + TIFFSetField.3tiff \ + TIFFsize.3tiff \ + TIFFstrip.3tiff \ ++ TIFFStrileQuery.3tiff \ + TIFFswab.3tiff \ + TIFFtile.3tiff \ + TIFFWarning.3tiff \ +diff -up tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff.cvedoc tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff +--- tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff.cvedoc 2025-05-05 15:46:15.541666402 +0200 ++++ tiff-4.4.0/man/TIFFDeferStrileArrayWriting.3tiff 2025-05-05 15:46:15.541666402 +0200 +@@ -0,0 +1,108 @@ ++.\" Man page generated from reStructuredText. ++. ++. ++.nr rst2man-indent-level 0 ++. ++.de1 rstReportMargin ++\\$1 \\n[an-margin] ++level \\n[rst2man-indent-level] ++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] ++- ++\\n[rst2man-indent0] ++\\n[rst2man-indent1] ++\\n[rst2man-indent2] ++.. ++.de1 INDENT ++.\" .rstReportMargin pre: ++. RS \\$1 ++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] ++. nr rst2man-indent-level +1 ++.\" .rstReportMargin post: ++.. ++.de UNINDENT ++. RE ++.\" indent \\n[an-margin] ++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.nr rst2man-indent-level -1 ++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u ++.. ++.TH "TIFFDEFERSTRILEARRAYWRITING" "3tiff" "Apr 30, 2025" "4.7" "LibTIFF" ++.SH NAME ++TIFFDeferStrileArrayWriting \- defer strile array writing ++.SH SYNOPSIS ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++#include ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B int TIFFDeferStrileArrayWriting(TIFF *tif) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B int TIFFForceStrileArrayWriting(TIFF *tif) ++.UNINDENT ++.SH DESCRIPTION ++.sp ++\fI\%TIFFDeferStrileArrayWriting()\fP is an advanced writing function ++that must be used in a particular sequence, and generally together ++with \fI\%TIFFForceStrileArrayWriting()\fP, to achieve its intended ++effect. Their aim is to control when and where the ++\fBStripOffsets\fP / \fBStripByteCounts\fP or \fBTileOffsets\fP / \fBTileByteCounts\fP ++arrays are written into the file. ++.sp ++The purpose of this is to generate \(aqcloud\-optimized geotiff\(aq files where ++the first KB of the file only contain the IFD entries without the potentially ++large strile arrays. Those are written afterwards. ++.sp ++More precisely, when TIFFWriteCheck() is called, the tag entries for ++those arrays will be written with type = count = offset = 0 as a temporary value. ++.sp ++Its effect is only valid for the current directory, and before ++TIFFWriteDirectory() is first called, and will be reset ++when changing directory. ++.sp ++The typical sequence of calls is: ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++TIFFOpen() ++/* or TIFFCreateDirectory(tif) */ ++/* Set fields with calls to TIFFSetField(tif, ...) */ ++TIFFDeferStrileArrayWriting(tif) ++TIFFWriteCheck(tif, ...) ++TIFFWriteDirectory(tif) ++/* ... potentially create other directories and come back to the above directory */ ++TIFFForceStrileArrayWriting(tif) /* emit the arrays at the end of file */ ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.SH RETURNS ++.sp ++1 in case of success, 0 otherwise. ++.SH DIAGNOSTICS ++.sp ++All error messages are directed to the TIFFErrorExtR() routine. ++Likewise, warning messages are directed to the TIFFWarningExtR() routine. ++.SH NOTE ++.sp ++This functionality was introduced with libtiff 4.1. ++.SH SEE ALSO ++.sp ++\fI\%libtiff\fP (3tiff) ++.SH AUTHOR ++LibTIFF contributors ++.SH COPYRIGHT ++1988-2025, LibTIFF contributors ++.\" Generated by docutils manpage writer. ++. +diff -up tiff-4.4.0/man/TIFFError.3tiff.cvedoc tiff-4.4.0/man/TIFFError.3tiff +--- tiff-4.4.0/man/TIFFError.3tiff.cvedoc 2022-02-19 16:33:55.000000000 +0100 ++++ tiff-4.4.0/man/TIFFError.3tiff 2025-05-05 15:46:15.541755008 +0200 +@@ -56,6 +56,11 @@ to override the default error handler. + A + .SM NULL + (0) error handling function may be installed to suppress error messages. ++.PP ++Please refer to ++.IR TIFFOpenOptions ++for how to setup the ++application-specific handler introduced with libtiff 4.5. + .SH "RETURN VALUES" + .IR TIFFSetErrorHandler + returns a reference to the previous error handling function. +diff -up tiff-4.4.0/man/TIFFOpen.3tiff.cvedoc tiff-4.4.0/man/TIFFOpen.3tiff +--- tiff-4.4.0/man/TIFFOpen.3tiff.cvedoc 2022-02-19 16:33:55.000000000 +0100 ++++ tiff-4.4.0/man/TIFFOpen.3tiff 2025-05-05 15:46:15.541863922 +0200 +@@ -94,6 +94,27 @@ To alter these values, or to define valu + .IR TIFFSetField (3TIFF) + must be used. + .PP ++.IR TIFFOpenExt ++(added in libtiff 4.5) is like ++.IR TIFFOpen ++, but options, such as re-entrant error and warning handlers and a limit in byte ++that libtiff internal memory allocation functions are allowed to request per call ++may be passed with the opts argument. The opts argument may be NULL. ++Refer to ++.IR TIFFOpenOptions ++for allocating and filling the opts argument ++parameters. The allocated memory for ++.IR TIFFOpenOptions ++can be released straight after successful execution of the related ++"TIFFOpenExt" functions. ++.PP ++.IR TIFFFdOpenExt ++(added in libtiff 4.5) is like ++.IR TIFFFdOpen ++, but options argument opts like for ++.IR TIFFOpenExt ++can be passed. ++.PP + .IR TIFFFdOpen + is like + .IR TIFFOpen +diff -up tiff-4.4.0/man/TIFFOpenOptions.3tiff.cvedoc tiff-4.4.0/man/TIFFOpenOptions.3tiff +--- tiff-4.4.0/man/TIFFOpenOptions.3tiff.cvedoc 2025-05-05 15:46:15.541984178 +0200 ++++ tiff-4.4.0/man/TIFFOpenOptions.3tiff 2025-05-05 15:46:15.541984178 +0200 +@@ -0,0 +1,189 @@ ++.\" Man page generated from reStructuredText. ++. ++. ++.nr rst2man-indent-level 0 ++. ++.de1 rstReportMargin ++\\$1 \\n[an-margin] ++level \\n[rst2man-indent-level] ++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] ++- ++\\n[rst2man-indent0] ++\\n[rst2man-indent1] ++\\n[rst2man-indent2] ++.. ++.de1 INDENT ++.\" .rstReportMargin pre: ++. RS \\$1 ++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] ++. nr rst2man-indent-level +1 ++.\" .rstReportMargin post: ++.. ++.de UNINDENT ++. RE ++.\" indent \\n[an-margin] ++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.nr rst2man-indent-level -1 ++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u ++.. ++.TH "TIFFOPENOPTIONS" "3tiff" "Apr 30, 2025" "4.7" "LibTIFF" ++.SH NAME ++TIFFOpenOptions \- open a TIFF file for reading or writing ++.SH SYNOPSIS ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++#include ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B typedef \fI\%TIFFOpenOptions\fP TIFFOpenOptions ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B \fI\%TIFFOpenOptions\fP *TIFFOpenOptionsAlloc(void) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsFree(\fI\%TIFFOpenOptions\fP*) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetMaxSingleMemAlloc(\fI\%TIFFOpenOptions\fP *opts, tmsize_t max_single_mem_alloc) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetMaxCumulatedMemAlloc(\fI\%TIFFOpenOptions\fP *opts, tmsize_t max_cumulated_mem_alloc) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetErrorHandlerExtR(\fI\%TIFFOpenOptions\fP *opts, \X'tty: link #c.TIFFErrorHandlerExtR'\fI\%TIFFErrorHandlerExtR\fP\X'tty: link' handler, void *errorhandler_user_data) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetWarningHandlerExtR(\fI\%TIFFOpenOptions\fP *opts, \X'tty: link #c.TIFFErrorHandlerExtR'\fI\%TIFFErrorHandlerExtR\fP\X'tty: link' handler, void *warnhandler_user_data) ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B void TIFFOpenOptionsSetWarnAboutUnknownTags(\fI\%TIFFOpenOptions\fP *opts, int warn_about_unknown_tags) ++.UNINDENT ++.SH DESCRIPTION ++.sp ++\fI\%TIFFOpenOptions\fP is an opaque structure which can be passed ++to the TIFF open\(dqExt\(dq functions to define some \fBlibtiff\fP internal settings. ++The settings are the maximum single memory allocation limit and ++per\-TIFF handle (re\-entrant) error handler and warning handler functions. ++For those handler a pointer to a \fBcustom defined data structure\fP \fIuser_data\fP ++can be given along. ++.sp ++\fI\%TIFFOpenOptionsAlloc()\fP allocates memory for the \fI\%TIFFOpenOptions\fP ++opaque structure and returns a \fI\%TIFFOpenOptions\fP pointer. ++.sp ++\fI\%TIFFOpenOptionsFree()\fP releases the allocated memory for ++\fI\%TIFFOpenOptions\fP\&. The allocated memory for \fI\%TIFFOpenOptions\fP ++can be released straight after successful execution of the related ++TIFFOpen\(dqExt\(dq functions like \X'tty: link #c.TIFFOpenExt'\fI\%TIFFOpenExt()\fP\X'tty: link'\&. ++.sp ++\fI\%TIFFOpenOptionsSetMaxSingleMemAlloc()\fP (added in libtiff 4.5.0) sets ++the value for the maximum single memory limit in byte that \fBlibtiff\fP internal ++memory allocation functions are allowed to request per call. ++.sp ++\fBNOTE:\fP ++.INDENT 0.0 ++.INDENT 3.5 ++However, the \fBlibtiff\fP external functions \X'tty: link #c._TIFFmalloc'\fI\%_TIFFmalloc()\fP\X'tty: link' ++and \X'tty: link #c._TIFFrealloc'\fI\%_TIFFrealloc()\fP\X'tty: link' \fBdo not apply\fP this internal memory ++allocation limit set by \fI\%TIFFOpenOptionsSetMaxSingleMemAlloc()\fP! ++.UNINDENT ++.UNINDENT ++.sp ++\fI\%TIFFOpenOptionsSetMaxCumulatedMemAlloc()\fP (added in libtiff 4.6.1) sets ++the maximum cumulated memory allocations in byte, for a given TIFF handle, ++that \fBlibtiff\fP internal memory allocation functions are allowed. ++.sp ++\fBNOTE:\fP ++.INDENT 0.0 ++.INDENT 3.5 ++However, the \fBlibtiff\fP external functions \X'tty: link #c._TIFFmalloc'\fI\%_TIFFmalloc()\fP\X'tty: link' ++and \X'tty: link #c._TIFFrealloc'\fI\%_TIFFrealloc()\fP\X'tty: link' \fBdo not apply\fP this internal memory ++allocation limit set by \fI\%TIFFOpenOptionsSetMaxCumulatedMemAlloc()\fP! ++.UNINDENT ++.UNINDENT ++.sp ++\fI\%TIFFOpenOptionsSetErrorHandlerExtR()\fP sets the function pointer to ++an application\-specific and per\-TIFF handle (re\-entrant) error handler. ++Furthermore, a pointer to a \fBcustom defined data structure\fP \fIerrorhandler_user_data\fP ++can be passed. This error handler is invoked through \X'tty: link #c.TIFFErrorExtR'\fI\%TIFFErrorExtR()\fP\X'tty: link' ++and the \fIerrorhandler_user_data\fP pointer is given along. ++The \fIerrorhandler_user_data\fP argument may be NULL. ++.sp ++\fI\%TIFFOpenOptionsSetWarningHandlerExtR()\fP works like ++\fI\%TIFFOpenOptionsSetErrorHandlerExtR()\fP but for the warning handler, ++which is invoked through \X'tty: link #c.TIFFWarningExtR'\fI\%TIFFWarningExtR()\fP\X'tty: link' ++.sp ++\fI\%TIFFOpenOptionsSetWarnAboutUnknownTags()\fP sets whether libtiff should ++emit a warning when encountering a unknown tag. This function has been added in ++libtiff 4.7.1 and the default value is FALSE (change of behaviour compared to ++earlier versions). ++.SH EXAMPLE ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++#include \(dqtiffio.h\(dq ++ ++typedef struct MyErrorHandlerUserDataStruct ++{ ++ /* ... any user data structure ... */ ++} MyErrorHandlerUserDataStruct; ++ ++static int myErrorHandler(TIFF *tiff, void *user_data, const char *module, ++ const char *fmt, va_list ap) ++{ ++ MyErrorHandlerUserDataStruct *errorhandler_user_data = ++ (MyErrorHandlerUserDataStruct *)user_data; ++ /*... code of myErrorHandler ...*/ ++ return 1; ++} ++ ++ ++main() ++{ ++ tmsize_t limit = (256 * 1024 * 1024); ++ MyErrorHandlerUserDataStruct user_data = { /* ... any data ... */}; ++ ++ TIFFOpenOptions *opts = TIFFOpenOptionsAlloc(); ++ TIFFOpenOptionsSetMaxSingleMemAlloc(opts, limit); ++ TIFFOpenOptionsSetErrorHandlerExtR(opts, myErrorHandler, &user_data); ++ TIFF *tif = TIFFOpenExt(\(dqfoo.tif\(dq, \(dqr\(dq, opts); ++ TIFFOpenOptionsFree(opts); ++ /* ... go on here ... */ ++ ++ TIFFClose(tif); ++} ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.SH NOTE ++.sp ++This functionality was introduced with libtiff 4.5. ++.SH SEE ALSO ++.sp ++\fI\%libtiff\fP (3tiff), ++\fI\%TIFFOpen\fP (3tiff), ++\fI\%TIFFError\fP (3tiff), ++\fI\%TIFFWarning\fP (3tiff) ++.SH AUTHOR ++LibTIFF contributors ++.SH COPYRIGHT ++1988-2025, LibTIFF contributors ++.\" Generated by docutils manpage writer. ++. +diff -up tiff-4.4.0/man/TIFFStrileQuery.3tiff.cvedoc tiff-4.4.0/man/TIFFStrileQuery.3tiff +--- tiff-4.4.0/man/TIFFStrileQuery.3tiff.cvedoc 2025-05-05 15:46:15.542083764 +0200 ++++ tiff-4.4.0/man/TIFFStrileQuery.3tiff 2025-05-05 15:46:15.542083764 +0200 +@@ -0,0 +1,117 @@ ++.\" Man page generated from reStructuredText. ++. ++. ++.nr rst2man-indent-level 0 ++. ++.de1 rstReportMargin ++\\$1 \\n[an-margin] ++level \\n[rst2man-indent-level] ++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] ++- ++\\n[rst2man-indent0] ++\\n[rst2man-indent1] ++\\n[rst2man-indent2] ++.. ++.de1 INDENT ++.\" .rstReportMargin pre: ++. RS \\$1 ++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] ++. nr rst2man-indent-level +1 ++.\" .rstReportMargin post: ++.. ++.de UNINDENT ++. RE ++.\" indent \\n[an-margin] ++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.nr rst2man-indent-level -1 ++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] ++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u ++.. ++.TH "TIFFSTRILEQUERY" "3tiff" "Apr 30, 2025" "4.7" "LibTIFF" ++.SH NAME ++TIFFStrileQuery \- get strile byte count and offset ++.SH SYNOPSIS ++.INDENT 0.0 ++.INDENT 3.5 ++.sp ++.nf ++.ft C ++#include ++.ft P ++.fi ++.UNINDENT ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B uint64_t TIFFGetStrileByteCount(TIFF *tif, uint32_t strile); ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B uint64_t TIFFGetStrileOffset(TIFF *tif, uint32_t strile); ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B uint64_t TIFFGetStrileByteCountWithErr(TIFF *tif, uint32_t strile, int *pbErr); ++.UNINDENT ++.INDENT 0.0 ++.TP ++.B uint64_t TIFFGetStrileOffsetWithErr(TIFF *tif, uint32_t strile, int *pbErr); ++.UNINDENT ++.SH DESCRIPTION ++.sp ++Make defer strile offset/bytecount loading available at runtime ++and add per\-strile offset/bytecount loading capabilities. Part of ++this commit makes the behaviour that was previously met when \fBlibtiff\fP ++was compiled with \fB\-DDEFER_STRILE_LOAD\fP available for default builds. ++.sp ++When specifying the new \fBD\fP (Deferred) \X'tty: link #c.TIFFOpen'\fI\%TIFFOpen()\fP\X'tty: link' flag, ++the loading of strile offset/bytecount is defered. ++In that mode, the \fBStripOffsets\fP / \fBStripByteCounts\fP or ++\fBTileOffsets\fP / \fBTileByteCounts\fP arrays are only loaded when first ++accessed. This can speed\-up the opening of files stored on the network ++when just metadata retrieval is needed. ++.sp ++Another addition is the capability of loading only the values of ++the offset/bytecount of the strile of interest instead of the ++whole array. This is enabled with the new \fBO\fP (Ondemand) flag of ++\X'tty: link #c.TIFFOpen'\fI\%TIFFOpen()\fP\X'tty: link' (which implies \fBD\fP). ++.sp ++The public \fI\%TIFFGetStrileOffset()\fP, \fI\%TIFFGetStrileOffsetWithErr()\fP, ++\fI\%TIFFGetStrileByteCount()\fP and \fI\%TIFFGetStrileByteCountWithErr()\fP ++functions have been added to API. ++They are of particular interest when using sparse files (with ++\fBoffset == bytecount == 0\fP) and you want to detect if a strile is ++present or not without decompressing the data, or updating an ++existing sparse file. ++.sp ++\fI\%TIFFGetStrileByteCount()\fP returns the value of the TileByteCounts / ++StripByteCounts array for the specified tile/strile. ++.sp ++\fI\%TIFFGetStrileByteCountWithErr()\fP additionally provides \fIpbErr\fP ++as an \fIint\fP pointer to an error return variable, ++which is set to \(dq0\(dq for successful return or to \(dq1\(dq for an error return. ++.sp ++\fI\%TIFFGetStrileOffset()\fP returns the value of the TileOffsets / ++StripOffsets array for the specified tile/strile. ++.sp ++\fI\%TIFFGetStrileOffsetWithErr()\fP additionally provides \fIpbErr\fP ++as an \fIint\fP pointer to an error return variable, ++which is set to \(dq0\(dq for successful return or to \(dq1\(dq for an error return. ++.SH DIAGNOSTICS ++.sp ++All error messages are directed to the \X'tty: link #c.TIFFErrorExtR'\fI\%TIFFErrorExtR()\fP\X'tty: link' routine. ++Likewise, warning messages are directed to the \X'tty: link #c.TIFFWarningExtR'\fI\%TIFFWarningExtR()\fP\X'tty: link' routine. ++.SH NOTE ++.sp ++This functionality was introduced with libtiff 4.1. ++.SH SEE ALSO ++.sp ++\fI\%libtiff\fP (3tiff), ++\fI\%TIFFOpen\fP (3tiff), ++\fI\%TIFFDeferStrileArrayWriting\fP (3tiff) ++.SH AUTHOR ++LibTIFF contributors ++.SH COPYRIGHT ++1988-2025, LibTIFF contributors ++.\" Generated by docutils manpage writer. ++. diff --git a/libtiff.spec b/libtiff.spec index 6ad19f8108cbbfca74bfc8e510fb5154dcb7c4e6..27f9e8643da3c4bb0ab0dc471fe760210356ae64 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -3,7 +3,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.4.0 -Release: 13%{anolis_release}%{?dist}.2 +Release: 15%{anolis_release}%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -41,15 +41,10 @@ Patch0022: 0022-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch # from upstream, for <=4.6.0, RHEL-52931 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 Patch23: libtiff-4.6.0-CVE-2024-7006.patch - -# CVE-2025-9900 -Patch24: RHEL-112542.patch - -# CVE-2025-8176 -Patch25: RHEL-120243.patch - -#https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a -Patch0026: 0023-fix-cve-2023-52356.patch +# from upstream, for <=4.6.0, RHEL-17337 +# https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch +Patch24: libtiff-4.4.0-CVE-2023-52356.patch +Patch25: libtiff-4.4.0-cve2023-52355.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel @@ -119,6 +114,12 @@ autoheader %build export CFLAGS="%{optflags} -fno-strict-aliasing" %configure --enable-ld-version-script + +# have to regenerate missing/patched htmldoc before calling make +pushd html/man +make htmldoc +popd + %make_build %install @@ -212,17 +213,14 @@ find html -name 'Makefile*' | xargs rm %doc README.md RELEASE-DATE VERSION %changelog -* Wed Oct 29 2025 Zhao Hang - 4.4.0-13.0.1.2 +* Wed Nov 12 2025 Zhao Hang - 4.4.0-15.0.1 - Add doc sub package -* Mon Oct 20 2025 RHEL Packaging Agent - 4.4.0-13.2 -- fix CVE-2025-8176 off-by-one error skipping first line in tiffdither - and tiffmedian -- Resolves: RHEL-120243 +* Mon May 05 2025 Michal Hlavinka - 4.4.0-15 +- backport documentation change for CVE-2023-52355 (RHEL-17328) -* Fri Oct 10 2025 RHEL Packaging Agent - 4.4.0-13.1 -- fix CVE-2025-9900 buffer underflow in TIFFReadRGBAImageOriented -- Resolves: RHEL-112542 +* Tue Apr 22 2025 Michal Hlavinka - 4.4.0-14 +- fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-17337) * Wed Aug 21 2024 Michal Hlavinka - 4.4.0-13 - fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52931)