From 6ed2c0719512a397700292ed61822aca7e360b78 Mon Sep 17 00:00:00 2001
From: liuxiaoping
Date: Mon, 9 Oct 2023 16:40:58 +0800
Subject: [PATCH] Fix CVE-2023-41175 CVE-2023-40745
---
 Fix-CVE-2023-40745.patch | 16 +++++++++++++++
 Fix-CVE-2023-41175.patch | 44 ++++++++++++++++++++++++++++++++++++++++
 libtiff.spec | 8 +++++++-
 3 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 Fix-CVE-2023-40745.patch
 create mode 100644 Fix-CVE-2023-41175.patch
diff --git a/Fix-CVE-2023-40745.patch b/Fix-CVE-2023-40745.patch
new file mode 100644
index 0000000..903ea4e
--- /dev/null
+++ b/Fix-CVE-2023-40745.patch
@@ -0,0 +1,16 @@
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ "Width * Samples/Pixel)");
+ return 0;
+ }
++
++ if ( (imagew - tilew * spp) > INT_MAX ){
++ TIFFError(TIFFFileName(in),
++ "Error, image raster scan line size is too large");
++ return 0;
++ }
++
+ iskew = imagew - tilew * spp;
+ tilebuf = limitMalloc(tilesize);
+ if (tilebuf == 0)
diff --git a/Fix-CVE-2023-41175.patch b/Fix-CVE-2023-41175.patch
new file mode 100644
index 0000000..3fc81d6
--- /dev/null
+++ b/Fix-CVE-2023-41175.patch
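Review bot: In the tiffcp.c guard carried by Fix-CVE-2023-40745.patch, `imagew - tilew * spp` is evaluated twice, once in the check and again in `iskew = imagew - tilew * spp;`, and what the comparison against `INT_MAX` actually rejects depends on operand types declared outside the hunk. If the operands are unsigned, a raster line shorter than `tilew * spp` wraps to a large value and is refused under the "too large" message; if they are signed, a negative difference passes the check unchanged. I would record the intent above the guard once the declarations confirm it, for example `/* iskew must fit in an int: reject differences that do not, including unsigned wrap-around */`. The function body starts and ends outside the hunk, and whether `<limits.h>` is already included for `INT_MAX` is not visible here.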
@@ -0,0 +1,44 @@
+--- a/tools/raw2tiff.c
++++ b/tools/raw2tiff.c
+@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
+ int fd;
+ char *outfilename = NULL;
+ TIFF *out;
++ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
+ 
+ uint32_t row, col, band;
+ int c;
+@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
+ if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
+ return EXIT_FAILURE;
+ 
++ /* check for integer overflow in */
++ /* hdr_size + (*width) * (*length) * nbands * depth */
++
++ if ((width == 0) || (length == 0) ){
++ fprintf(stderr, "Too large nbands value specified.\n");
++ return (EXIT_FAILURE);
++ }
++
++ temp_limit_check = nbands * depth;
++
++ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) {
++ fprintf(stderr, "Too large length size specified.\n");
++ return (EXIT_FAILURE);
++ }
++ temp_limit_check = temp_limit_check * length;
++
++ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) {
++ fprintf(stderr, "Too large width size specified.\n");
++ return (EXIT_FAILURE);
++ }
++ temp_limit_check = temp_limit_check * width;
++
++ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) {
++ fprintf(stderr, "Too large header size specified.\n");
++ return (EXIT_FAILURE);
++ }
++
+ if (outfilename == NULL)
+ outfilename = argv[optind + 1];
+ out = TIFFOpen(outfilename, "w");
diff --git a/libtiff.spec b/libtiff.spec
index f918be1..04a732d 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.5.1
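Review bot: In the raw2tiff.c checks carried by Fix-CVE-2023-41175.patch, the first product `temp_limit_check = nbands * depth;` is assigned without a division guard, so only a result of exactly zero is rejected and a wrapped non-zero product would feed the later `UINT_MAX /` comparisons as if it were valid. The declarations of `nbands` and `depth` are outside the hunk, so this depends on their types, but a guard in the same style as the later steps would close it: `if (depth == 0 || nbands > UINT_MAX / depth) { fprintf(stderr, "Too large nbands value specified.\n"); return (EXIT_FAILURE); }`. That would also give the "Too large nbands value" message a matching condition; as written it is printed when `width` or `length` is zero. Since `temp_limit_check` is a `uint32_t`, `UINT32_MAX` states the bound more precisely than `UINT_MAX`. The body of `main` continues outside the hunk.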
@@ -12,6 +12,9 @@ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-deve BuildRequires: python3-sphinx BuildRequires: cmake +Patch0: Fix-CVE-2023-40745.patch +Patch1: Fix-CVE-2023-41175.patch + %description The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely @@ -168,6 +171,9 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/ %{_mandir}/man1/tiffgt.1* %changelog +* Tue Oct 17 2023 Xiaoping Liu - 4.5.1-2 +- Fix CVE-2023-41175 CVE-2023-40745 + * Wed Jun 14 2023 Funda Wang - 4.5.1-1 - New version 4.5.1 -- Gitee
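Review bot: `Patch0:` and `Patch1:` are only declared in this hunk, and the diffstat for libtiff.spec (7 insertions, 1 deletion) is fully accounted for by the release bump, these tag lines and the changelog entry, so `%prep` is not touched by this commit. Unless `%prep` already uses `%autosetup` or `%autopatch`, which is outside the visible hunks, the two CVE fixes would be shipped in the source package but never applied to the build tree. Worth confirming before release, and adding `%patch -P0 -p1` and `%patch -P1 -p1` after `%setup` if it does not; both patches use `a/` and `b/` path prefixes, so `-p1` is the matching strip level.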