Fix CVE-2025-8851 and CVE-2025-9165

Update CVE-2024-58249 bugID.
Really remove doxygen111.patch
2025-09-05 14:07:12 +08:00 · 2025-06-10 20:26:37 +08:00 · 2025-06-01 21:14:53 +02:00 · 2025-05-30 02:02:11 +02:00 · 2025-05-30 01:04:53 +02:00 · 2025-05-29 19:13:08 +02:00
4 changed files with 104 additions and 1 deletions
--- a/wxWidgets-3_2.changes
+++ b/wxWidgets-3_2.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Mon Sep  1 17:28:12 UTC 2025 - Cliff Zhao <qzhao@suse.com>
+
+- Add wxWidgets-3_2_CVE-2025-9165.patch:
+  Backport ed14128 from libtiff upstream, tiffcmp: fix memory leak
+  when second file cannot be opened.
+  (CVE-2025-9165, bsc#1248328)
+
+-------------------------------------------------------------------
+Mon Sep  1 10:07:46 UTC 2025 - Cliff Zhao <qzhao@suse.com>
+
+- Add wxWidgets-3_2_CVE-2025-8851.patch:
+  Backport 8a7a48d from libtiff upstream, Attempt to address tiffcrop
+  Coverity scan issues 1605444.
+  (CVE-2025-8851, bsc#1248279)
+
 -------------------------------------------------------------------
 Thu May 29 17:11:39 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>

@@ -30,7 +46,7 @@ Thu Mar 20 12:11:36 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
  * Avoid repaint problems when using wxWindow::Update() with
    Wayland
  * Fix crash when connection is refused in wxWebRequestCURL
-   (gh#wxWidgets/wxWidgets#24885, bsc#1239902)
+   (gh#wxWidgets/wxWidgets#24885, CVE-2024-58249, bsc#1239902)
 - Delete doxygen111.patch (merged)

 -------------------------------------------------------------------
--- a/wxWidgets-3_2.spec
+++ b/wxWidgets-3_2.spec
@@ -83,6 +83,8 @@ Source6:        wxpython-mkdiff.sh
 Patch0:         soversion.diff
 Patch1:         autoconf-2_72.diff
 Patch2:         textfiletest-fix-file-exists.diff
+Patch3:         wxWidgets-3_2_CVE-2025-8851.patch
+Patch4:         wxWidgets-3_2_CVE-2025-9165.patch
 %if "%flavor" == "doc"
 BuildRequires:  doxygen
 BuildRequires:  fdupes
--- a/wxWidgets-3_2_CVE-2025-8851.patch
+++ b/wxWidgets-3_2_CVE-2025-8851.patch
@@ -0,0 +1,62 @@
+From 8a7a48d7a645992ca83062b3a1873c951661e2b3 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sun, 11 Aug 2024 16:01:07 +0000
+Subject: [PATCH] Attempt to address tiffcrop Coverity scan issues 1605444,
+ 1605445, and 1605449.
+
+---
+ tools/tiffcrop.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/src/tiff/tools/tiffcrop.c
+++ b/src/tiff/tools/tiffcrop.c
+@@ -4902,7 +4902,14 @@
+       buff = srcbuffs[s];
+       strip = (s * strips_per_sample) + j;
+       bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
+-      rows_this_strip = bytes_read / src_rowsize;
+      if (bytes_read < 0)
+      {
+            rows_this_strip = 0;
+      }
+      else
+      {
+            rows_this_strip = bytes_read / src_rowsize;
+      }
+       if (bytes_read < 0 && !ignore)
+         {
+         TIFFError(TIFFFileName(in),
+@@ -5276,14 +5283,14 @@
+       rmargin = (uint32)(crop->margins[3] * scale * xres);
+       }
+
+-    if ((lmargin + rmargin) > image->width)
+    if (lmargin == 0xFFFFFFFFU || rmargin == 0xFFFFFFFFU || (lmargin + rmargin) > image->width)
+       {
+       TIFFError("computeInputPixelOffsets", "Combined left and right margins exceed image width");
+       lmargin = (uint32) 0;
+       rmargin = (uint32) 0;
+       return (-1);
+       }
+-    if ((tmargin + bmargin) > image->length)
+    if (tmargin == 0xFFFFFFFFU || bmargin == 0xFFFFFFFFU || (tmargin + bmargin) > image->length)
+       {
+       TIFFError("computeInputPixelOffsets", "Combined top and bottom margins exceed image length");
+       tmargin = (uint32) 0;
+@@ -5728,14 +5735,14 @@
+       vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8));
+       }
+
+-    if ((hmargin * 2.0) > (pwidth * page->hres))
+    if (hmargin == 0xFFFFFFFFU || (hmargin * 2.0) > (pwidth * page->hres))
+       {
+       TIFFError("computeOutputPixelOffsets",
+                 "Combined left and right margins exceed page width");
+       hmargin = (uint32) 0;
+       return (-1);
+       }
+-    if ((vmargin * 2.0) > (plength * page->vres))
+    if (vmargin == 0xFFFFFFFFU || (vmargin * 2.0) > (plength * page->vres))
+       {
+       TIFFError("computeOutputPixelOffsets",
+                 "Combined top and bottom margins exceed page length");
--- a/wxWidgets-3_2_CVE-2025-9165.patch
+++ b/wxWidgets-3_2_CVE-2025-9165.patch
@@ -0,0 +1,23 @@
+From ed141286a37f6e5ddafb5069347ff5d587e7a4e0 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 8 Aug 2025 21:35:30 +0200
+Subject: [PATCH] tiffcmp: fix memory leak when second file cannot be opened.
+
+Closes #728, #729
+---
+ tools/tiffcmp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/tiff/tools/tiffcmp.c
+++ b/src/tiff/tools/tiffcmp.c
+@@ -108,7 +108,10 @@
+		return (2);
+	tif2 = TIFFOpen(argv[optind+1], "r");
+	if (tif2 == NULL)
+        {
+                TIFFClose(tif1);
+		return (2);
+        }
+	dirnum = 0;
+	while (tiffcmp(tif1, tif2)) {
+		if (!TIFFReadDirectory(tif1)) {
Author	SHA256	Message	Date
ZhaoQiang	3e98252e49	Fix CVE-2025-8851 and CVE-2025-9165	2025-09-05 14:07:12 +08:00
ZhaoQiang	d336ff7a50	Update CVE-2024-58249 bugID.	2025-06-10 20:26:37 +08:00
Antonio Larrosa	eac178af84	Really remove doxygen111.patch It was already removed from the spec file, and the removal was mentioned in the changelog but the file was left behind which causes factory-auto to complain in SLFO (https://build.suse.de/request/show/378788)	2025-06-01 21:14:53 +02:00
Jan Engelhardt	af5365366b	Synchronize Leap and TW experience	2025-05-30 02:02:11 +02:00
Antonio Larrosa	08e3098154	Add missing %endif	2025-05-30 01:04:53 +02:00
Antonio Larrosa	accc639084	Do not build the Qt flavor in SLE16 Qt5 will not be available in SLE16 so we have to disable the Qt flavor (which can be built in Leap). Also, wxWidgets 3.3 (currently in rc1) will have Qt6 support, so we can enable it back when 3.3 is released.	2025-05-29 19:13:08 +02:00
Jan Engelhardt	b80324c47b	wxWidgets 3.2.8	2025-05-03 01:04:55 +02:00
ZhaoQiang	0c4e48f77e	Add security bugID to the 3.2.7 update to record fix history.	2025-04-16 18:35:08 +08:00
Jan Engelhardt	842b67f926	wxWidgets 3.2.7	2025-03-20 14:50:35 +01:00
Jan Engelhardt	5af5487f2a	Build with --enable-secretstore	2025-03-10 01:05:22 +01:00
Jan Engelhardt	fd86d0bbda	Bump SO version since the base for wxGLCanvas had changed.	2025-03-08 00:23:23 +01:00
Jan Engelhardt	4f73079cf2	Enable EGL-based wxGLCanvas	2025-03-01 10:42:46 +01:00
Jan Engelhardt	79cfb31c27	Run spec-beautifier	2025-03-01 10:11:18 +01:00
Jan Engelhardt	2df551cde5	Use webkit2gtk-4.1	2024-10-07 16:16:27 +02:00
Markéta Calábková	241650b413	add patch doxygen111.patch	2024-10-01 13:55:03 +02:00
Jan Engelhardt	071d574776	wxWidgets 3.2.6	2024-09-09 18:47:10 +02:00
Christian Boltz	96fa1f9078	Add textfiletest-fix-file-exists.diff (s390 build fix)	2024-08-21 08:49:31 +02:00