From b69ad6918780c2ebf28539b00e1bd045b392a23cd6d95246d90b604660ad6679 Mon Sep 17 00:00:00 2001 From: Michael Vetter Date: Mon, 9 May 2022 10:52:41 +0000 Subject: [PATCH] - security update: * CVE-2022-0907 [bsc#1197070] + tiff-CVE-2022-0907.patch - security update * CVE-2022-0561 [bsc#1195964] + tiff-CVE-2022-0561.patch * CVE-2022-0562 [bsc#1195965] + tiff-CVE-2022-0562.patch * CVE-2022-0865 [bsc#1197066] + tiff-CVE-2022-0865.patch * CVE-2022-0909 [bsc#1197072] + tiff-CVE-2022-0909.patch * CVE-2022-0924 [bsc#1197073] + tiff-CVE-2022-0924.patch * CVE-2022-0908 [bsc#1197074] + tiff-CVE-2022-0908.patch OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=150 --- tiff-CVE-2022-0561.patch | 29 +++++++++++++ tiff-CVE-2022-0562.patch | 27 ++++++++++++ tiff-CVE-2022-0865.patch | 34 +++++++++++++++ tiff-CVE-2022-0907.patch | 89 ++++++++++++++++++++++++++++++++++++++++ tiff-CVE-2022-0908.patch | 29 +++++++++++++ tiff-CVE-2022-0909.patch | 32 +++++++++++++++ tiff-CVE-2022-0924.patch | 53 ++++++++++++++++++++++++ tiff.changes | 24 +++++++++++ tiff.spec | 17 +++++++- 9 files changed, 332 insertions(+), 2 deletions(-) create mode 100644 tiff-CVE-2022-0561.patch create mode 100644 tiff-CVE-2022-0562.patch create mode 100644 tiff-CVE-2022-0865.patch create mode 100644 tiff-CVE-2022-0907.patch create mode 100644 tiff-CVE-2022-0908.patch create mode 100644 tiff-CVE-2022-0909.patch create mode 100644 tiff-CVE-2022-0924.patch diff --git a/tiff-CVE-2022-0561.patch b/tiff-CVE-2022-0561.patch new file mode 100644 index 0000000..3ba7434 --- /dev/null +++ b/tiff-CVE-2022-0561.patch @@ -0,0 +1,29 @@ +From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 6 Feb 2022 13:08:38 +0100 +Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 23194ced..50ebf8ac 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); +- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); ++ if( dir->tdir_count ) ++ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); ++ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); + _TIFFfree(data); + data=resizeddata; + } +-- +GitLab + diff --git a/tiff-CVE-2022-0562.patch b/tiff-CVE-2022-0562.patch new file mode 100644 index 0000000..2b66c64 --- /dev/null +++ b/tiff-CVE-2022-0562.patch @@ -0,0 +1,27 @@ +From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 5 Feb 2022 20:36:41 +0100 +Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 2bbc4585..23194ced 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) + goto bad; + } + +- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); ++ if (old_extrasamples > 0) ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + _TIFFfree(new_sampleinfo); + } +-- +GitLab + diff --git a/tiff-CVE-2022-0865.patch b/tiff-CVE-2022-0865.patch new file mode 100644 index 0000000..779f948 --- /dev/null +++ b/tiff-CVE-2022-0865.patch @@ -0,0 +1,34 @@ +From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 24 Feb 2022 22:26:02 +0100 +Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD + in memory-mapped mode and when bit reversal is needed (fixes #385) + +--- + libtiff/tif_jbig.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 74086338..8bfa4cef 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) + */ + tif->tif_flags |= TIFF_NOBITREV; + tif->tif_flags &= ~TIFF_MAPPED; ++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and ++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial ++ * value to be consistent with the state of a non-memory mapped file. ++ */ ++ if (tif->tif_flags&TIFF_BUFFERMMAP) { ++ tif->tif_rawdata = NULL; ++ tif->tif_rawdatasize = 0; ++ tif->tif_flags &= ~TIFF_BUFFERMMAP; ++ tif->tif_flags |= TIFF_MYBUFFER; ++ } + + /* Setup the function pointers for encode, decode, and cleanup. */ + tif->tif_setupdecode = JBIGSetupDecode; +-- +GitLab + diff --git a/tiff-CVE-2022-0907.patch b/tiff-CVE-2022-0907.patch new file mode 100644 index 0000000..13d3713 --- /dev/null +++ b/tiff-CVE-2022-0907.patch @@ -0,0 +1,89 @@ +From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001 +From: Augustus +Date: Mon, 7 Mar 2022 18:21:49 +0800 +Subject: [PATCH] add checks for return value of limitMalloc (#392) + +--- + tools/tiffcrop.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f2e5474a..9b8acc7e 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -7406,7 +7406,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + if (!sect_buff) + { + sect_buff = (unsigned char *)limitMalloc(sectsize); +- *sect_buff_ptr = sect_buff; ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + else +@@ -7422,15 +7426,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + else + sect_buff = new_buff; + ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + } + +- if (!sect_buff) +- { +- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); +- return (-1); +- } + prev_sectsize = sectsize; + *sect_buff_ptr = sect_buff; + +@@ -7697,7 +7701,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (!crop_buff) + { + crop_buff = (unsigned char *)limitMalloc(cropsize); +- *crop_buff_ptr = crop_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + prev_cropsize = cropsize; + } +@@ -7713,15 +7721,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + } + else + crop_buff = new_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + } + } + +- if (!crop_buff) +- { +- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); +- return (-1); +- } + *crop_buff_ptr = crop_buff; + + if (crop->crop_mode & CROP_INVERT) +@@ -9280,3 +9288,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui + * fill-column: 78 + * End: + */ ++ +-- +GitLab + diff --git a/tiff-CVE-2022-0908.patch b/tiff-CVE-2022-0908.patch new file mode 100644 index 0000000..8d83797 --- /dev/null +++ b/tiff-CVE-2022-0908.patch @@ -0,0 +1,29 @@ +From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 17 Feb 2022 15:28:43 +0100 +Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #383) + +--- + libtiff/tif_dirread.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 50ebf8ac..2ec44a4f 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5091,7 +5091,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ if (dp->tdir_count > 0 ) ++ { ++ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ } + o[(uint32_t)dp->tdir_count]=0; + if (data!=0) + _TIFFfree(data); +-- +GitLab + diff --git a/tiff-CVE-2022-0909.patch b/tiff-CVE-2022-0909.patch new file mode 100644 index 0000000..df86130 --- /dev/null +++ b/tiff-CVE-2022-0909.patch @@ -0,0 +1,32 @@ +From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 8 Mar 2022 16:22:04 +0000 +Subject: [PATCH] fix the FPE in tiffcrop (#393) + +--- + libtiff/tif_dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 57055ca9..59b346ca 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -333,13 +333,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) + break; + case TIFFTAG_XRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); + break; +-- +GitLab + diff --git a/tiff-CVE-2022-0924.patch b/tiff-CVE-2022-0924.patch new file mode 100644 index 0000000..d4728b6 --- /dev/null +++ b/tiff-CVE-2022-0924.patch @@ -0,0 +1,53 @@ +From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Thu, 10 Mar 2022 08:48:00 +0000 +Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) + +--- + tools/tiffcp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 224583e0..aa32b118 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1667,12 +1667,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + tdata_t obuf; + tstrip_t strip = 0; + tsample_t s; ++ uint16_t bps = 0, bytes_per_sample; + + obuf = limitMalloc(stripsize); + if (obuf == NULL) + return (0); + _TIFFmemset(obuf, 0, stripsize); + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); ++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ bytes_per_sample = bps/8; + for (s = 0; s < spp; s++) { + uint32_t row; + for (row = 0; row < imagelength; row += rowsperstrip) { +@@ -1682,7 +1697,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + + cpContigBufToSeparateBuf( + obuf, (uint8_t*) buf + row * rowsize + s, +- nrows, imagewidth, 0, 0, spp, 1); ++ nrows, imagewidth, 0, 0, spp, bytes_per_sample); + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { + TIFFError(TIFFFileName(out), + "Error, can't write strip %"PRIu32, +-- +GitLab + diff --git a/tiff.changes b/tiff.changes index d264690..796f206 100644 --- a/tiff.changes +++ b/tiff.changes @@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Mon May 9 10:50:34 UTC 2022 - Michael Vetter + +- security update: + * CVE-2022-0907 [bsc#1197070] + + tiff-CVE-2022-0907.patch + +------------------------------------------------------------------- +Mon May 9 10:42:53 UTC 2022 - Michael Vetter + +- security update + * CVE-2022-0561 [bsc#1195964] + + tiff-CVE-2022-0561.patch + * CVE-2022-0562 [bsc#1195965] + + tiff-CVE-2022-0562.patch + * CVE-2022-0865 [bsc#1197066] + + tiff-CVE-2022-0865.patch + * CVE-2022-0909 [bsc#1197072] + + tiff-CVE-2022-0909.patch + * CVE-2022-0924 [bsc#1197073] + + tiff-CVE-2022-0924.patch + * CVE-2022-0908 [bsc#1197074] + + tiff-CVE-2022-0908.patch + ------------------------------------------------------------------- Fri May 6 09:08:09 UTC 2022 - Michael Vetter diff --git a/tiff.spec b/tiff.spec index b88fd5f..f1c04de 100644 --- a/tiff.spec +++ b/tiff.spec @@ -31,8 +31,14 @@ Source3: baselibs.conf Patch0: tiff-4.0.3-seek.patch # http://bugzilla.maptools.org/show_bug.cgi?id=2442 Patch1: tiff-4.0.3-compress-warning.patch -# bsc#1197631 and bsc#1197068 -Patch2: https://gitlab.com/libtiff/libtiff/-/commit/46dc8fcd4d38c3b6f35ab28e532aee80e6f609d6.patch#/tiff-CVE-2022-1056,CVE-2022-0891.patch +Patch2: tiff-CVE-2022-1056,CVE-2022-0891.patch +Patch3: tiff-CVE-2022-0908.patch +Patch4: tiff-CVE-2022-0924.patch +Patch5: tiff-CVE-2022-0909.patch +Patch6: tiff-CVE-2022-0865.patch +Patch7: tiff-CVE-2022-0562.patch +Patch8: tiff-CVE-2022-0561.patch +Patch9: tiff-CVE-2022-0907.patch BuildRequires: gcc-c++ BuildRequires: libjbig-devel BuildRequires: libjpeg-devel @@ -73,6 +79,13 @@ the libtiff library. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 %build CFLAGS="%{optflags} -fPIE"