diff --git a/backport-CVE-2020-35523.patch b/backport-CVE-2020-35523.patch
new file mode 100644
index 0000000..bed7c1c
--- /dev/null
+++ b/backport-CVE-2020-35523.patch
@@ -0,0 +1,50 @@
+From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH] gtTileContig(): check Tile width for overflow
+
+fixes #211
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 4da785d3..96ab1460 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -29,6 +29,7 @@
+ */
+ #include "tiffiop.h"
+ #include
++#include
+
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+
+ flip = setorientation(img);
+ if (flip & FLIP_VERTICALLY) {
+- y = h - 1;
+- toskew = -(int32)(tw + w);
++ if ((tw + w) > INT_MAX) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = h - 1;
++ toskew = -(int32)(tw + w);
+ }
+ else {
+- y = 0;
+- toskew = -(int32)(tw - w);
++ if (tw > (INT_MAX + w)) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = 0;
++ toskew = -(int32)(tw - w);
+ }
+
+ /*
+--
+GitLab
+
diff --git a/backport-CVE-2020-35524.patch b/backport-CVE-2020-35524.patch
new file mode 100644
index 0000000..0ac58aa
--- /dev/null
+++ b/backport-CVE-2020-35524.patch
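Review bot: In the gtTileContig() hunk of backport-CVE-2020-35523.patch, both added guards do their arithmetic in 32-bit unsigned, so the value can wrap before it is compared: `(tw + w) > INT_MAX` adds w (uint32 per the signature) to tw (declared outside the hunk, presumably also uint32), and `INT_MAX + w` is converted to unsigned and wraps for w above INT_MAX + 1. A wrapped result passes the guard, and the `toskew = -(int32)(...)` that follows is then computed from the wrapped value. Widening before the comparison closes the gap, e.g. `if ((uint64)tw + w > INT_MAX)` and `if (tw > (uint64)INT_MAX + w)`. Because this file is a backport of an upstream commit, that is better carried as a follow-up patch than as an edit to this one; the function body starts and ends outside the hunk.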
@@ -0,0 +1,34 @@
+From 7be2e452ddcf6d7abca88f41d3761e6edab72b22 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Sat, 14 Nov 2020 12:53:01 +0000
+Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
+ YCbCr
+
+fixes #220
+---
+ tools/tiff2pdf.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2063,9 +2063,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF*
+ #endif
+ (void) 0;
+ }
+- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++#ifdef JPEG_SUPPORT
++ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
++ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
++ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
++ } else
++#endif
++ {
++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
++ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++ }
+ }
+ if (k == 0) {
+ /* Assume we had overflow inside TIFFScanlineSize */
diff --git a/libtiff.spec b/libtiff.spec
index 8a70c4e..ca9e94f 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,12 +1,14 @@
 Name: libtiff
 Version: 4.1.0
-Release: 2
+Release: 3
 Summary: TIFF Library and Utilities
 License: libtiff
 URL: https://www.simplesystems.org/libtiff/
 Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
 Patch6000: backport-CVE-2020-35521_CVE-2020-35522.patch
+Patch6001: backport-CVE-2020-35523.patch
+Patch6002: backport-CVE-2020-35524.patch
 BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig git
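Review bot: In the t2p_read_tiff_size() hunk of backport-CVE-2020-35524.patch, the `if (k == 0)` check after the new branch still carries the comment `/* Assume we had overflow inside TIFFScanlineSize */`, but on the added JPEG/YCbCr path k is built from `TIFFNumberOfStrips(input)` and `TIFFStripSize(input)`, so a zero there has a different origin and the comment no longer describes the guard. The new branch also has no comment recording why the size is taken from the strip layout; something like `/* JPEG + YCbCr: size the buffer as NumberOfStrips * StripSize rather than length * ScanlineSize */` above `#ifdef JPEG_SUPPORT` would keep the intent of the fix visible. As a style point, the `} else` left dangling across `#endif` is easy to break in a later edit. The function continues outside the hunk.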
@@ -113,7 +115,13 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 %changelog
-* Thu Mar 18 2021 wangye - 4.0.10-2
+* Mon Mar 22 2021 wangye - 4.1.0-3
+- Type:cves
+- ID:CVE-2020-35523 CVE-2020-35524
+- SUG:NA
+- DESC: fix CVE-2020-35523 CVE-2020-35524
+
+* Thu Mar 18 2021 wangye - 4.1.0-2
 - Type:cves
 - ID:CVE-2020-35521 CVE-2020-35522
 - SUG:NA