diff --git a/tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch b/tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch new file mode 100644 index 0000000..da130a9 --- /dev/null +++ b/tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch @@ -0,0 +1,187 @@ +Index: tiff-4.5.0/tools/tiffcrop.c +=================================================================== +--- tiff-4.5.0.orig/tools/tiffcrop.c ++++ tiff-4.5.0/tools/tiffcrop.c +@@ -296,7 +296,6 @@ struct region + uint32_t width; /* width in pixels */ + uint32_t length; /* length in pixels */ + uint32_t buffsize; /* size of buffer needed to hold the cropped region */ +- unsigned char *buffptr; /* address of start of the region */ + }; + + /* Cropping parameters from command line and image data +@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uin + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **); ++ unsigned char **, size_t *, int); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, + unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -5779,7 +5778,6 @@ static void initCropMasks(struct crop_ma + cps->regionlist[i].width = 0; + cps->regionlist[i].length = 0; + cps->regionlist[i].buffsize = 0; +- cps->regionlist[i].buffptr = NULL; + cps->zonelist[i].position = 0; + cps->zonelist[i].total = 0; + } +@@ -7241,9 +7239,13 @@ static int correct_orientation(struct im + (uint16_t)(image->adjustments & ROTATE_ANY)); + return (-1); + } +- +- if (rotateImage(rotation, image, &image->width, &image->length, +- work_buff_ptr)) ++ /* Dummy variable in order not to switch two times the ++ * image->width,->length within rotateImage(), ++ * but switch xres, yres there. */ ++ uint32_t width = image->width; ++ uint32_t length = image->length; ++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, ++ TRUE)) + { + TIFFError("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -7312,7 +7314,6 @@ static int extractCompositeRegions(struc + /* These should not be needed for composite images */ + crop->regionlist[i].width = crop_width; + crop->regionlist[i].length = crop_length; +- crop->regionlist[i].buffptr = crop_buff; + + src_rowsize = ((img_width * bps * spp) + 7) / 8; + dst_rowsize = (((crop_width * bps * count) + 7) / 8); +@@ -7573,7 +7574,6 @@ static int extractSeparateRegion(struct + + crop->regionlist[region].width = crop_width; + crop->regionlist[region].length = crop_length; +- crop->regionlist[region].buffptr = crop_buff; + + src = read_buff; + dst = crop_buff; +@@ -8563,8 +8563,13 @@ static int processCropSelections(struct + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can + reallocate the buffer */ + { ++ /* rotateImage() set up a new buffer and calculates its size ++ * individually. Therefore, seg_buffs size needs to be updated ++ * accordingly. */ ++ size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, &crop_buff)) ++ &crop->combined_length, &crop_buff, &rot_buf_size, ++ FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %" PRIu32 +@@ -8573,9 +8578,7 @@ static int processCropSelections(struct + return (-1); + } + seg_buffs[0].buffer = crop_buff; +- seg_buffs[0].size = +- (((crop->combined_width * image->bps + 7) / 8) * image->spp) * +- crop->combined_length; ++ seg_buffs[0].size = rot_buf_size; + } + } + else /* Separated Images */ +@@ -8686,10 +8689,14 @@ static int processCropSelections(struct + * ->yres, what it schouldn't do here, when more than one + * section is processed. ToDo: Therefore rotateImage() and its + * usage has to be reworked (e.g. like mirrorImage()) !! +- */ ++ * Furthermore, rotateImage() set up a new buffer and calculates ++ * its size individually. Therefore, seg_buffs size needs to be ++ * updated accordingly. */ ++ size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, + &crop->regionlist[i].width, +- &crop->regionlist[i].length, &crop_buff)) ++ &crop->regionlist[i].length, &crop_buff, ++ &rot_buf_size, FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate crop region by %" PRIu16 +@@ -8702,10 +8709,7 @@ static int processCropSelections(struct + crop->combined_width = total_width; + crop->combined_length = total_length; + seg_buffs[i].buffer = crop_buff; +- seg_buffs[i].size = +- (((crop->regionlist[i].width * image->bps + 7) / 8) * +- image->spp) * +- crop->regionlist[i].length; ++ seg_buffs[i].size = rot_buf_size; + } + } /* for crop->selections loop */ + } /* Separated Images (else case) */ +@@ -8836,7 +8840,7 @@ static int createCroppedImage(struct ima + CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, crop_buff_ptr)) ++ &crop->combined_length, crop_buff_ptr, NULL, TRUE)) + { + TIFFError("createCroppedImage", + "Failed to rotate image or cropped selection by %" PRIu16 +@@ -9552,7 +9556,8 @@ static int rotateContigSamples32bits(uin + /* Rotate an image by a multiple of 90 degrees clockwise */ + static int rotateImage(uint16_t rotation, struct image_data *image, + uint32_t *img_width, uint32_t *img_length, +- unsigned char **ibuff_ptr) ++ unsigned char **ibuff_ptr, size_t *rot_buf_size, ++ int rot_image_params) + { + int shift_width; + uint32_t bytes_per_pixel, bytes_per_sample; +@@ -9610,6 +9615,8 @@ static int rotateImage(uint16_t rotation + return (-1); + } + _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); ++ if (rot_buf_size != NULL) ++ *rot_buf_size = buffsize; + + ibuff = *ibuff_ptr; + switch (rotation) +@@ -9768,11 +9775,15 @@ static int rotateImage(uint16_t rotation + + *img_width = length; + *img_length = width; +- image->width = length; +- image->length = width; +- res_temp = image->xres; +- image->xres = image->yres; +- image->yres = res_temp; ++ /* Only toggle image parameters if whole input image is rotated. */ ++ if (rot_image_params) ++ { ++ image->width = length; ++ image->length = width; ++ res_temp = image->xres; ++ image->xres = image->yres; ++ image->yres = res_temp; ++ } + break; + + case 270: +@@ -9855,11 +9866,15 @@ static int rotateImage(uint16_t rotation + + *img_width = length; + *img_length = width; +- image->width = length; +- image->length = width; +- res_temp = image->xres; +- image->xres = image->yres; +- image->yres = res_temp; ++ /* Only toggle image parameters if whole input image is rotated. */ ++ if (rot_image_params) ++ { ++ image->width = length; ++ image->length = width; ++ res_temp = image->xres; ++ image->xres = image->yres; ++ image->yres = res_temp; ++ } + break; + default: + break; diff --git a/tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch b/tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch new file mode 100644 index 0000000..7356f79 --- /dev/null +++ b/tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch @@ -0,0 +1,112 @@ +Index: tiff-4.5.0/tools/tiffcrop.c +=================================================================== +--- tiff-4.5.0.orig/tools/tiffcrop.c ++++ tiff-4.5.0/tools/tiffcrop.c +@@ -5930,18 +5930,40 @@ static int computeInputPixelOffsets(stru + + crop->regionlist[i].buffsize = buffsize; + crop->bufftotal += buffsize; ++ ++ /* For composite images with more than one region, the ++ * combined_length or combined_width always needs to be equal, ++ * respectively. ++ * Otherwise, even the first section/region copy ++ * action might cause buffer overrun. */ + if (crop->img_mode == COMPOSITE_IMAGES) + { + switch (crop->edge_ref) + { + case EDGE_LEFT: + case EDGE_RIGHT: ++ if (i > 0 && zlength != crop->combined_length) ++ { ++ TIFFError( ++ "computeInputPixelOffsets", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (-1); ++ } + crop->combined_length = zlength; + crop->combined_width += zwidth; + break; + case EDGE_BOTTOM: + case EDGE_TOP: /* width from left, length from top */ + default: ++ if (i > 0 && zwidth != crop->combined_width) ++ { ++ TIFFError("computeInputPixelOffsets", ++ "Only equal width regions can be " ++ "combined for -E " ++ "top or bottom"); ++ return (-1); ++ } + crop->combined_width = zwidth; + crop->combined_length += zlength; + break; +@@ -7300,6 +7322,46 @@ static int extractCompositeRegions(struc + crop->combined_width = 0; + crop->combined_length = 0; + ++ /* If there is more than one region, check beforehand whether all the width ++ * and length values of the regions are the same, respectively. */ ++ switch (crop->edge_ref) ++ { ++ default: ++ case EDGE_TOP: ++ case EDGE_BOTTOM: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_width0 = ++ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1; ++ uint32_t crop_width1 = ++ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ if (crop_width0 != crop_width1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal width regions can be combined for -E " ++ "top or bottom"); ++ return (1); ++ } ++ } ++ break; ++ case EDGE_LEFT: ++ case EDGE_RIGHT: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_length0 = ++ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1; ++ uint32_t crop_length1 = ++ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ if (crop_length0 != crop_length1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (1); ++ } ++ } ++ } ++ + for (i = 0; i < crop->selections; i++) + { + /* rows, columns, width, length are expressed in pixels */ +@@ -7323,7 +7385,8 @@ static int extractCompositeRegions(struc + default: + case EDGE_TOP: + case EDGE_BOTTOM: +- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width)) ++ if ((crop->selections > i + 1) && ++ (crop_width != crop->regionlist[i + 1].width)) + { + TIFFError("extractCompositeRegions", + "Only equal width regions can be combined for -E " +@@ -7416,7 +7479,8 @@ static int extractCompositeRegions(struc + case EDGE_LEFT: /* splice the pieces of each row together, side by + side */ + case EDGE_RIGHT: +- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) ++ if ((crop->selections > i + 1) && ++ (crop_length != crop->regionlist[i + 1].length)) + { + TIFFError("extractCompositeRegions", + "Only equal length regions can be combined for " diff --git a/tiff.changes b/tiff.changes index bf1d8ce..f224320 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Wed Feb 22 15:05:33 UTC 2023 - Michael Vetter + +- security update: + * CVE-2023-0795 [bsc#1208226] + * CVE-2023-0796 [bsc#1208227] + * CVE-2023-0797 [bsc#1208228] + * CVE-2023-0798 [bsc#1208229] + * CVE-2023-0799 [bsc#1208230] + + tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch + * CVE-2023-0800 [bsc#1208231] + * CVE-2023-0801 [bsc#1208232] + * CVE-2023-0802 [bsc#1208233] + * CVE-2023-0803 [bsc#1208234] + * CVE-2023-0804 [bsc#1208236] + + tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch + ------------------------------------------------------------------- Thu Jan 26 07:41:55 UTC 2023 - Michael Vetter diff --git a/tiff.spec b/tiff.spec index 8a51e70..f9adb5a 100644 --- a/tiff.spec +++ b/tiff.spec @@ -35,6 +35,10 @@ Patch0: tiff-4.0.3-seek.patch Patch1: tiff-4.0.3-compress-warning.patch # PATCH-FIX-UPSTREAM mvetter@suse.com tiff-CVE-2022-48281.patch -- bsc#1207413 Patch2: tiff-CVE-2022-48281.patch +# PATCH-FIX-UPSTREAM mvetter@suse.com -- bsc#1208226 bsc#1208227 bsc#1208228 bsc#1208229 bsc#1208230 +Patch3: tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch +# PATCH-FIX-UPSTREAM mvetter@suse.com -- bsc#1208231 bsc#1208232 bsc#1208233 bsc#1208234 bsc#1208236 +Patch4: tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch BuildRequires: gcc-c++ BuildRequires: libjbig-devel BuildRequires: libjpeg-devel