Fridrich Štrba
03720b151a bsc#1250413, CVE-2025-9900 2025-10-13 11:53:47 +02:00
7 changed files with 195 additions and 182 deletions


@@ -1,167 +0,0 @@
From ea6f6bd7bccbe9a80327810993b8aae5587e1307 Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 19 Nov 2024 18:34:02 +0000
Subject: [PATCH] Update test/test_directory.c not to fail on big-endian
machines. Fix memory leaks
Closes #652 et #656
---
test/test_directory.c | 67 ++++++++++++++++++++++++++++++++++++-------
1 file changed, 56 insertions(+), 11 deletions(-)
diff --git a/test/test_directory.c b/test/test_directory.c
index 0556da1ec..8cc376958 100644
--- a/test/test_directory.c
+++ b/test/test_directory.c
@@ -1365,6 +1365,7 @@ int test_rewrite_lastdir_offset(unsigned int openMode)
filename, N_DIRECTORIES, count);
goto failure;
}
+ /* hint: file was closed by count_directories() */
unlink(filename);
return 0;
@@ -1511,6 +1512,8 @@ int test_lastdir_offset(unsigned int openMode)
}
}
}
+ /* hint: files are always closed by count_directories() and
+ * get_dir_offsets() */
unlink(filename_optimized);
unlink(filename_non_optimized);
return 0;
@@ -1977,8 +1980,8 @@ int test_current_dirnum_incrementing(int testcase, unsigned int openMode)
TIFFSetSubDirectory(tif, 0);
CHECKCURDIRNUM_M(tif, (tdir_t)(-1), __LINE__);
-/*-- Patch offset of IFD2 to not existing IFD3 without entries.
- * Thus TIFFFetchDirectory() will fail. --*/
+ /*-- Patch offset of IFD2 to not existing IFD3 without entries.
+ * Thus TIFFFetchDirectory() will fail. --*/
#define TIFFReadFile_M(tif, buf, size) \
((*TIFFGetReadProc(tif))(TIFFClientdata(tif), (buf), (size)));
#define TIFFWriteFile_M(tif, buf, size) \
@@ -1986,51 +1989,90 @@ int test_current_dirnum_incrementing(int testcase, unsigned int openMode)
#define TIFFSeekFile_M(tif, off, whence) \
((*TIFFGetSeekProc(tif))(TIFFClientdata(tif), (off), (whence)));
- /* Code below does only handle Classic-TIFF without swapping". */
- if (!(TIFFIsByteSwapped(tif) || TIFFIsBigTIFF(tif)))
- {
+ /* ---------------------------------------------------------------------
+ * Test IFD index incrementing in case the functions return with certain
+ * errors. To provoke that errors, the file is patched by writing bytes
+ * directly into the file. Therefore, code below does only handle
+ * Classic-TIFF and little-endian files.
+ * The code works also on big endian machines, which have to swap some
+ * directly read/written values.
+ * --------------------------------------------------------------------- */
+ if (!(TIFFIsBigEndian(tif) || TIFFIsBigTIFF(tif)))
+ {
+ /* Patch nextIFDOffset of IFD2, which is 0, with offset to itself.
+ * This generates an IFD3 without any elements at the end of file.
+ * Reading IFD3 should provoke reading error. */
uint64_t ss = TIFFSeekFile_M(tif, offsetBase[2], 0);
uint16_t cnt = 0;
uint64_t rr = TIFFReadFile_M(tif, &cnt, 2);
+ if (TIFFIsByteSwapped(tif))
+ TIFFSwabShort(&cnt);
ss = TIFFSeekFile_M(tif, offsetBase[2] + cnt * 12 + 2, 0);
uint32_t wt = (uint32_t)ss;
+ if (TIFFIsByteSwapped(tif))
+ TIFFSwabLong(&wt);
rr = TIFFWriteFile_M(tif, &wt, 4);
(void)rr;
/* Now there are offsets to four IFDs in the file, where the last one is
- * not existing and has a non-valid dircount and entries behind EOF. */
+ * not existing and has a non-valid dircount and entries behind EOF.
+ * (dircount is 458 (as offset) */
fprintf(stderr, "----- Expect error messages about 'Error fetching "
"directory link.' -----\n");
- /* TIFFNumberOfDirectories() returns 3 */
+ /* TIFFNumberOfDirectories() returns 3 and omits the invalid fourth IFD.
+ */
lastdir = TIFFNumberOfDirectories(tif);
TIFFSetDirectory(tif, 0);
CHECKCURDIRNUM_M(tif, 0, __LINE__);
+
+ /* TIFFSetDirectory(3) fails with error messages:
+ * TIFFFetchDirectory: test_current_dirnum_incrementing_wl.tif:
+ * Can not read TIFF directory.
+ * TIFFReadDirectory: Failed to read directory at offset 458. */
fprintf(stderr, "----- Expect error messages about 'Cannot read TIFF "
"directory.' -----\n");
if (TIFFSetDirectory(tif, 3))
{
fprintf(stderr,
- "TIFFSetDirectory(3) for IFD4 was expected to fail but "
+ "TIFFSetDirectory(3) for IFD3 was expected to fail but "
"succeeded for %s "
"at %d\n",
filename, __LINE__);
goto failure;
}
+
/* Fails in 4.6.0 */
+ /* Reading invalid IFD 3 leads to an error and was not read in.
+ * Therefore, curdir shall be 65535 (non-existing directory) */
CHECKCURDIRNUM_M(tif, (tdir_t)(-1), __LINE__);
offsetBase[3] = TIFFCurrentDirOffset(tif);
- /* Point IFD3 to a location within the file, where it has now a
- * non-valid dircount=0. */
+ /* Point IFD3 to a location within the file, where it has now for
+ * little-endian TIFF files a non-valid dircount=0, which leads also to
+ * an error and the IFD is not read in. */
ss = TIFFSeekFile_M(tif, offsetBase[2] + cnt * 12 + 2, 0);
wt = (uint32_t)(offsetBase[1] + 8);
+ // wt = (uint32_t)(ss + 400);
+ if (TIFFIsByteSwapped(tif))
+ TIFFSwabLong(&wt);
rr = TIFFWriteFile_M(tif, &wt, 4);
+
fprintf(stderr, "----- Expect error messages about 'Error fetching "
"directory link.' -----\n");
- /* TIFFNumberOfDirectories() returns now 4 */
+ /* TIFFNumberOfDirectories() returns now 4, because for an IFD linked
+ * list dircount=0 is not treated as an error and there is an offset
+ * (=1) to a next IFD. Then, at the fifth IFD a link error occurs. */
lastdir = TIFFNumberOfDirectories(tif);
TIFFSetDirectory(tif, 0);
CHECKCURDIRNUM_M(tif, 0, __LINE__);
+
+ /* TIFFSetDirectory(3) fails with error messages:
+ * test_current_dirnum_incrementing_wl.tif: Failed to allocate
+ * memory for to read TIFF directory (0 elements of 12 bytes each).
+ * TIFFReadDirectory: Failed to read directory at offset 178.
+ * The IFD 3 is not read in and curdir is set to 65535 (non-existing
+ * directory).
+ */
fprintf(stderr,
"----- Expect error messages about 'Failed to allocate "
"memory for to read TIFF directory.' AND 'Failed to read "
@@ -2044,10 +2086,12 @@ int test_current_dirnum_incrementing(int testcase, unsigned int openMode)
filename, __LINE__);
goto failure;
}
+
/* Fails in 4.6.0 */
CHECKCURDIRNUM_M(tif, (tdir_t)(-1), __LINE__);
}
+ TIFFClose(tif);
unlink(filename);
return 0;
@@ -2136,6 +2180,7 @@ int test_curdircount_setting(unsigned int openMode)
CHECKCURDIRNUM_M(tif, (tdir_t)(-1), __LINE__);
}
+ TIFFClose(tif);
unlink(filename);
return 0;
--
GitLab

Binary file not shown.

Binary file not shown.

BIN
tiff-4.7.1.tar.xz LFS Normal file

Binary file not shown.

BIN
tiff-4.7.1.tar.xz.sig Normal file

Binary file not shown.


@@ -1,3 +1,187 @@
-------------------------------------------------------------------
Thu Sep 18 19:11:37 UTC 2025 - Michael Vetter <mvetter@suse.com>
- Update to 4.7.1:
Software configuration changes:
* Define HAVE_JPEGTURBO_DUAL_MODE_8_12 and LERC_STATIC in tif_config.h.
* CMake: define WORDS_BIGENDIAN via tif_config.h
* doc/CMakeLists.txt: remove useless cmake_minimum_required()
* CMake: fix build with LLVM/Clang 17 (fixes issue #651)
* CMake: set CMP0074 new policy
* Set LINKER_LANGUAGE for C targets with C deps
* Export tiffxx cmake target (fixes issue #674)
* autogen.sh: Enable verbose wget.
* configure.ac: Syntax updates for Autoconf 2.71
* autogen.sh: Re-implement based on autoreconf. Failure to update
config.guess/config.sub does not return error (fixes issue #672)
* CMake: fix CMake 4.0 warning when minimum required version is < 3.10.
* CMake: Add build option tiff-static (fixes issue #709)
Library changes:
* Add TIFFOpenOptionsSetWarnAboutUnknownTags() for explicit control
about emitting warnings for unknown tags. No longer emit warnings
about unknown tags by default
* tif_predict.c: speed-up decompression in some cases.
Bug fixes:
* tif_fax3: For fax group 3 data if no EOL is detected, reading is
retried without synchronisation for EOLs. (fixes issue #54)
* Updating TIFFMergeFieldInfo() with read_count=write_count=0 for
FIELD_IGNORE. Updating TIFFMergeFieldInfo() with read_count=write_count=0 for
FIELD_IGNORE. Improving handling when field_name = NULL. (fixes issue #532)
* tiff.h: add COMPRESSION_JXL_DNG_1_7=52546 as used for JPEGXL compression in
the DNG 1.7 specification
* TIFFWriteDirectorySec: Increment string length for ASCII tags for codec tags
defined with FIELD_xxx bits, as it is done for FIELD_CUSTOM tags. (fixes issue #648)
* Do not error out on a tag whose tag count value is zero, just issue a warning.
Fix parsing a private tag 0x80a6 (fixes issue #647)
* TIFFDefaultTransferFunction(): give up beyond td_bitspersample = 24
Fixes https://github.com/OSGeo/gdal/issues/10875)
* tif_getimage.c: Remove unnecessary calls to TIFFRGBAImageOK() (fixes issue #175)
* Fix writing a Predictor=3 file with non-native endianness
* _TIFFVSetField(): fix potential use of unallocated memory (out-of-bounds
* read / nullptr dereference) in case of out-of-memory situation when dealing with
custom tags (fixes issue #663)
* tif_fax3.c: Error out for CCITT fax encoding if SamplesPerPixel is not equal 1 and
PlanarConfiguration = Contiguous (fixes issue #26)
* tif_fax3.c: error out after a number of times end-of-line or unexpected bad code
words have been reached. (fixes issue #670)
* Fix memory leak in TIFFSetupStrips() (fixes issue #665)
* tif_zip.c: Provide zlib allocation functions. Otherwise for zlib built with
-DZ_SOLO inflating will fail.
* Fix memory leak in _TIFFSetDefaultCompressionState. (fixes issue #676)
* tif_predict.c: Dont overwrite input buffer of TIFFWriteScanline() if "prediction"
is enabled. Use extra working buffer in PredictorEncodeRow(). (fixes issue #5)
* tif_getimage.c: update some integer overflow checks (fixes issue #79)
* tif_getimage.c: Fix buffer underflow crash for less raster rows at
TIFFReadRGBAImageOriented() (fixes issue #704, bsc#1250413, CVE-2025-9900)
* TIFFReadRGBAImage(): several fixes to avoid buffer overflows.
* Correct passing arguments to TIFFCvtIEEEFloatToNative() and TIFFCvtIEEEDoubleToNative()
if HAVE_IEEEFP is not defined. (fixes issue #699)
* LZWDecode(): avoid nullptr dereference when trying to read again after EOI marker
has been found with remaining output bytes (fixes issue #698)
* TIFFSetSubDirectory(): check _TIFFCheckDirNumberAndOffset() return.
* TIFFUnlinkDirectory() and TIFFWriteDirectorySec(): clear tif_rawcp when clearing
tif_rawdata (fixes issue #711)
* JPEGEncodeRaw(): error out if a previous scanline failed to be written, to avoid
out-of-bounds access (fixes issue #714)
* tif_jpeg: Fix bug in JPEGDecodeRaw() if JPEG_LIB_MK1_OR_12BIT is defined for 8/12bit
dual mode, introduced in libjpeg-turbo 2.2, which was actually released as 3.0.
Fixes issue #717
* add assert for TIFFReadCustomDirectory infoarray check.
* ppm2tiff: Fix bug in pack_words trailing bytes, where last two bytes of each line
were written wrongly. (fixes issue #467)
* fax2ps: fix regression of commit 28c38d648b64a66c3218778c4745225fe3e3a06d where
TIFFTAG_FAXFILLFUNC is being used rather than an output buffer (fixes issue #649)
* tiff2pdf: Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH (fixes issue #650)
* tiff2pdf: check h_samp and v_samp for range 1 to 4 to avoid division by zero.
Fixes issue #654
* tiff2pdf: avoid null pointer dereference. (fixes issue #741)
* Improve non-secure integer overflow check (comparison of division result with
multiplicant) at compiler optimisation in tiffcp, rgb2ycbcr and tiff2rgba.
Fixes issue #546
* tiff2rgba: fix some "a partial expression can generate an overflow before it is
assigned to a broader type" warnings. (fixes issue #682)
* tiffdither/tiffmedian: Don't skip the first line of the input image. (fixes issue #703)
* tiffdither: avoid out-of-bounds read identified in issue #733
* tiffmedian: error out if TIFFReadScanline() fails (fixes issue #707)
* tiffmedian: close input file. (fixes issue #735)
* thumbail: avoid potential out of bounds access (fixes issue #715)
* tiffcrop: close open TIFF files and release allocated buffers before exiting in case
of error to avoid memory leaks. (fixes issue #716)
* tiffcrop: fix double-free and memory leak exposed by issue #721
* tiffcrop: avoid buffer overflow. (fixes issue #740)
* tiffcrop: avoid nullptr dereference. (fixes issue #734)
* tiffdump: Fix coverity scan issue CID 1373365: Passing tainted expression *datamem
to PrintData, which uses it as a divisor or modulus.
* tiff2ps: check return of TIFFGetFiled() for TIFFTAG_STRIPBYTECOUNTS and
TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer dereference. (fixes issue #718)
* tiffcmp: fix memory leak when second file cannot be opened. (fixes issue #718 and issue #729)
* tiffcp: fix setting compression level for lossless codecs. (fixes issue #730)
* raw2tiff: close input file before exit (fixes issue #742)
Tools changes:
* tiffinfo: add a -W switch to warn about unknown tags.
* tiffdither: process all pages in input TIFF file.
Documentation:
* TIFFRGBAImage.rst note added for incorrect saving of images with TIFF orientation
from 5 (LeftTop) to 8 (LeftBottom) in the raster.
* TIFFRGBAImage.rst note added about un-associated alpha handling (fixes issue #67)
* Update "Defining New TIFF Tags" description. (fixes issue #642)
* Fix return type of TIFFReadEncodedTile()
* Update the documentation to reflect deprecated typedefs.
* TIFFWriteDirectory.rst: Clarify TIFFSetWriteOffset() only sets offset for image
data and not for IFD data.
* Update documentation on re-entrancy and thread safety.
* Remove dead links to no more existing Awaresystems web-site.
* Updating BigTIFF specification and some miscelaneous editions.
* Replace some last links and remove last todos.
* Added hints for correct allocation of TIFFYCbCrtoRGB structure and its
associated buffers. (fixes issue #681)
* Added chapter to "Using the TIFF Library" with links to handling multi-page TIFF
and custom directories. (fixes issue #43)
* update TIFFOpen.rst with the return values of mapproc and unmapproc. (fixes issue #12)
- Drop upstreamed patches:
* tiff-4.7.0-test_directory.patch
* tiff-CVE-2025-8176.patch
* tiff-CVE-2025-8177.patch
* tiff-4.7.0-bsc1243503.patch
* tiff-CVE-2025-8534.patch
* tiff-CVE-2025-9165.patch
* tiff-CVE-2024-13978.patch
* tiff-CVE-2025-8961.patch
-------------------------------------------------------------------
Mon Sep 8 12:34:59 UTC 2025 - Michael Vetter <mvetter@suse.com>
- security update:
* CVE-2025-8961 [bsc#1248117]
Fix segmentation fault via main function of tiffcrop utility
+ tiff-CVE-2025-8961.patch
-------------------------------------------------------------------
Thu Aug 21 10:31:39 UTC 2025 - Michael Vetter <mvetter@suse.com>
- security update:
* CVE-2025-8534 [bsc#1247582]
Fix null pointer dereference in function PS_Lvl2page
+ tiff-CVE-2025-8534.patch
* CVE-2025-9165 [bsc#1248330]
Fix local execution manipulation can lead to memory leak
+ tiff-CVE-2025-9165.patch
* CVE-2024-13978 [bsc#1247581]
Fix null pointer dereference in tiff2pdf
+ tiff-CVE-2024-13978.patch
-------------------------------------------------------------------
Mon Aug 4 13:39:29 UTC 2025 - Michael Vetter <mvetter@suse.com>
- bsc#1243503:
Fix TIFFMergeFieldInfo() read_count=write_count=0
+ tiff-4.7.0-bsc1243503.patch
-------------------------------------------------------------------
Mon Aug 4 09:02:49 UTC 2025 - Michael Vetter <mvetter@suse.com>
- security update:
* CVE-2025-8176 [bsc#1247108]
Fix heap use-after-free in tools/tiffmedian.c
+ tiff-CVE-2025-8176.patch
* CVE-2025-8177 [bsc#1247106]
Fix possible buffer overflow in tools/thumbnail.c:setrow()
+ tiff-CVE-2025-8177.patch
-------------------------------------------------------------------
Sat Mar 22 01:24:28 UTC 2025 - Shawn Dunn <sfalken@opensuse.org>
- Add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix FTBFS with cmake4
- Add %check section
- Remove Group: declarations, no longer used
-------------------------------------------------------------------
Mon Feb 24 15:19:23 UTC 2025 - Lubos Kocman <lubos.kocman@suse.com>
- Use python3-Sphinx instead of %{primary_python}-Sphinx
based on recommendation from python maintainers.
* Fixes build issue of man flavor on 15.6
-------------------------------------------------------------------
Wed Feb 5 16:26:35 UTC 2025 - Lubos Kocman <lubos.kocman@suse.com>


@@ -1,7 +1,7 @@
#
# spec file for package tiff
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -33,11 +33,10 @@ Name: tiff
%else
Name: tiff-%{build_flavor}
%endif
Version: 4.7.0
Version: 4.7.1
Release: 0
Summary: Tools for Converting from and to the Tagged Image File Format
License: HPND
Group: Productivity/Graphics/Convertors
URL: https://libtiff.gitlab.io/libtiff/
Source: https://download.osgeo.org/libtiff/tiff-%{version}.tar.xz
Source1: https://download.osgeo.org/libtiff/tiff-%{version}.tar.xz.sig
@@ -45,12 +44,10 @@ Source2: README.SUSE
Source3: baselibs.conf
Source99: tiff.keyring
Patch0: tiff-4.0.3-seek.patch
# PATCH-FIX-UPSTREAM tiff-4.7.0-test_directory.patch based on commit ea6f6bd7bccb bsc#1236834
Patch1: tiff-4.7.0-test_directory.patch
%if %{with tiff_manpages}
BuildRequires: %{primary_python}-Sphinx
BuildRequires: python3-Sphinx
%endif
BuildRequires: cmake
BuildRequires: cmake >= 3.5
BuildRequires: gcc-c++
BuildRequires: libjbig-devel
BuildRequires: libjpeg-devel
@@ -67,7 +64,6 @@ image format.
%package -n libtiff6
Summary: The Tiff Library (with JPEG and compression support)
Group: System/Libraries
Provides: libtiff = %{version}
%description -n libtiff6
@@ -77,7 +73,6 @@ libjpeg and libz in the linking process.
%package -n libtiff-devel
Summary: Development Tools for Programs which will use the libtiff Library
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libstdc++-devel
Requires: libtiff6 = %{version}
@@ -92,7 +87,6 @@ the libtiff library.
%package -n tiff-docs
Summary: Development Tools for Programs which will use the libtiff Library
Group: Productivity/Graphics/Convertors
Requires: tiff = %{version}
BuildArch: noarch
@@ -105,7 +99,6 @@ This package holds the man pages for the command lint tools.
%package -n libtiff-devel-docs
Summary: Development Documentation for Programs which will use the libtiff Library
Group: Development/Libraries/C and C++
Requires: libtiff-devel = %{version}
BuildArch: noarch
@@ -126,7 +119,7 @@ CFLAGS="%{optflags} -fPIC"
CFLAGS="$CFLAGS -O0"
%endif
# tools are not enabled for now due to test failure `FAIL: tiffcp-32bpp-None-jpeg.sh`
%cmake
%cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.5
%if %{asan_build}
find -name Makefile | xargs sed -i 's/\(^CFLAGS.*\)/\1 -fsanitize=address/'
%endif
@@ -144,6 +137,9 @@ rm -rv \
%{buildroot}%{_libdir} \
%{buildroot}%{_includedir}
%check
%ctest
%files -n tiff-docs
%{_mandir}/man1/*
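Review bot: The `-DCMAKE_POLICY_VERSION_MINIMUM=3.5` override on the `%cmake` line (hunk `@@ -126,7 +119,7 @@`) has no comment saying why it is there or when it can be removed, unlike the tools note directly above it. The changelog added by this same commit lists upstream's "CMake: fix CMake 4.0 warning when minimum required version is < 3.10" for 4.7.1, so the workaround may no longer be needed with the new tarball; a test build without it would settle that. If it stays, a line such as `# cmake 4 FTBFS workaround for an old cmake_minimum_required(); drop once upstream's minimum makes it unnecessary` above `%cmake` would keep it from outliving its reason. The `cmake >= 3.5` BuildRequires in the `@@ -45,12 +44,10 @@` hunk looks tied to the same decision and should follow whatever minimum upstream 4.7.1 actually declares. The `%build` section starts and ends outside the hunk, and because the page has lost its `+`/`-` markers I am inferring which line of each pair is the new side from the changelog entries.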