diff --git a/backport-CVE-2025-8851.patch b/backport-CVE-2025-8851.patch new file mode 100644 index 0000000000000000000000000000000000000000..62112c9438ca4597cbdcc680aaa75626e2fa7480 --- /dev/null +++ b/backport-CVE-2025-8851.patch @@ -0,0 +1,69 @@ +From 8a7a48d7a645992ca83062b3a1873c951661e2b3 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Sun, 11 Aug 2024 16:01:07 +0000 +Subject: [PATCH] Attempt to address tiffcrop Coverity scan issues 1605444, + 1605445, and 1605449. + +Reference:https://gitlab.com/libtiff/libtiff/-/commit/8a7a48d7a645992ca83062b3a1873c951661e2b3 +Conflict:Adapt context +--- + tools/tiffcrop.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index bef95cb..6ae12e8 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5029,7 +5029,14 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + buff = srcbuffs[s]; + strip = (s * strips_per_sample) + j; + bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); +- rows_this_strip = (uint32_t)(bytes_read / src_rowsize); ++ if (bytes_read < 0) ++ { ++ rows_this_strip = 0; ++ } ++ else ++ { ++ rows_this_strip = (uint32_t)(bytes_read / src_rowsize); ++ } + if (bytes_read < 0 && !ignore) + { + TIFFError(TIFFFileName(in), +@@ -5440,14 +5447,14 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); + } + +- if ((lmargin + rmargin) > image->width) ++ if (lmargin == 0xFFFFFFFFU || rmargin == 0xFFFFFFFFU || (lmargin + rmargin) > image->width) + { + TIFFError("computeInputPixelOffsets", "Combined left and right margins exceed image width"); + lmargin = (uint32_t) 0; + rmargin = (uint32_t) 0; + return (-1); + } +- if ((tmargin + bmargin) > image->length) ++ if (tmargin == 0xFFFFFFFFU || bmargin == 0xFFFFFFFFU || (tmargin + bmargin) > image->length) + { + TIFFError("computeInputPixelOffsets", "Combined top and bottom margins exceed image length"); + tmargin = (uint32_t) 0; +@@ -5947,14 +5954,14 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); + } + +- if ((hmargin * 2.0) > (pwidth * page->hres)) ++ if (hmargin == 0xFFFFFFFFU || (hmargin * 2.0) > (pwidth * page->hres)) + { + TIFFError("computeOutputPixelOffsets", + "Combined left and right margins exceed page width"); + hmargin = (uint32_t) 0; + return (-1); + } +- if ((vmargin * 2.0) > (plength * page->vres)) ++ if (vmargin == 0xFFFFFFFFU || (vmargin * 2.0) > (plength * page->vres)) + { + TIFFError("computeOutputPixelOffsets", + "Combined top and bottom margins exceed page length"); +-- +2.33.0 + diff --git a/libtiff.spec b/libtiff.spec index 4f7e89ae56811503c31c53db695a30dd7be67675..600235a1ccfa88039f03a74d7ab30e4f23554794 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,6 +1,6 @@ Name: libtiff Version: 4.3.0 -Release: 27 +Release: 28 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ @@ -57,6 +57,7 @@ Patch6047: backport-CVE-2025-8177.patch Patch6048: backport-CVE-2024-13978.patch Patch6049: backport-0001-CVE-2025-8534.patch Patch6050: backport-0002-CVE-2025-8534.patch +Patch6051: backport-CVE-2025-8851.patch Patch9000: fix-raw2tiff-floating-point-exception.patch @@ -159,6 +160,9 @@ find html -name 'Makefile*' | xargs rm %exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Tue Aug 12 2025 lingsheng - 4.3.0-28 +- fix CVE-2025-8851 + * Thu Aug 07 2025 lingsheng - 4.3.0-27 - fix CVE-2025-8534