diff --git a/SOURCES/libtiff-CVE-2020-19131.patch b/SOURCES/libtiff-CVE-2020-19131.patch
new file mode 100644
index 0000000..6db20cc
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2020-19131.patch
@@ -0,0 +1,89 @@
+From b64713005e6110c36265750435cfa641d3a9281f Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Mon, 11 Feb 2019 23:08:25 +0100
+Subject: [PATCH] tiffcrop.c: fix invertImage() for bps 2 and 4
+
+too much bytes were processed, causing a heap buffer overrun
+ http://bugzilla.maptools.org/show_bug.cgi?id=2831
+the loop counter must be
+ for (col = 0; col < width; col += 8 / bps)
+
+Also the values were not properly calculated. It should be
+255-x, 15-x, 3-x for bps 8, 4, 2.
+
+But anyway it is easyer to invert all bits as 255-x = ~x, etc.
+(substracting from a binary number composed of all 1 is like inverting
+the bits)
+---
+ tools/tiffcrop.c | 37 ++++++-------------------------------
+ 1 file changed, 6 insertions(+), 31 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 3862b1c..a612914 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -9142,7 +9142,6 @@ static int
+ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
+ {
+ uint32 row, col;
+- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4;
+ unsigned char *src;
+ uint16 *src_uint16;
+ uint32 *src_uint32;
+@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
+ for (row = 0; row < length; row++)
+ for (col = 0; col < width; col++)
+ {
+- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
++ *src_uint32 = ~(*src_uint32);
+ src_uint32++;
+ }
+ break;
+@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
+ for (row = 0; row < length; row++)
+ for (col = 0; col < width; col++)
+ {
+- *src_uint16 = (uint16)0xFFFF - *src_uint16;
++ *src_uint16 = ~(*src_uint16);
+ src_uint16++;
+ }
+ break;
+- case 8: for (row = 0; row < length; row++)
+- for (col = 0; col < width; col++)
+- {
+- *src = (uint8)255 - *src;
+- src++;
+- }
+- break;
+- case 4: for (row = 0; row < length; row++)
+- for (col = 0; col < width; col++)
+- {
+- bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
+- bytebuff2 = 16 - (*src & 15);
+- *src = bytebuff1 << 4 & bytebuff2;
+- src++;
+- }
+- break;
+- case 2: for (row = 0; row < length; row++)
+- for (col = 0; col < width; col++)
+- {
+- bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
+- bytebuff2 = 4 - (uint8)(*src & 48 >> 4);
+- bytebuff3 = 4 - (uint8)(*src & 12 >> 2);
+- bytebuff4 = 4 - (uint8)(*src & 3);
+- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;
+- src++;
+- }
+- break;
++ case 8:
++ case 4:
++ case 2:
+ case 1: for (row = 0; row < length; row++)
+- for (col = 0; col < width; col += 8 /(spp * bps))
++ for (col = 0; col < width; col += 8 / bps)
+ {
+ *src = ~(*src);
+ src++;
+--
+2.32.0
+
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index eaffd0b..5ea5d20 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.9
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.simplesystems.org/libtiff/
@@ -26,6 +26,7 @@ Patch14: libtiff-CVE-2019-17546.patch Patch15: libtiff-CVE-2020-35521_CVE-2020-35522.patch Patch16: libtiff-CVE-2020-35523.patch Patch17: libtiff-CVE-2020-35524.patch +Patch18: libtiff-CVE-2020-19131.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@@ -95,6 +96,7 @@ image files using the libtiff library. %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4
@@ -198,6 +200,9 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Wed Sep 29 2021 Nikola Forró - 4.0.9-21 +- Fix CVE-2020-19131 (#2006535) + * Thu Apr 29 2021 Nikola Forró - 4.0.9-20 - Rebuild for fixed binutils (#1954437)
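Review bot: The merged `case 8:`/`case 4:`/`case 2:`/`case 1:` loop in invertImage() now derives its write bound from `width`, `length` and `bps` alone, with `spp` dropped from the stride, so it stays inside `work_buff` only when the image has one sample per pixel and the buffer holds at least `length * ceil(width * bps / 8)` bytes; neither condition is checked in the visible lines. invertImage() starts and ends outside this hunk, so an earlier `spp != 1` rejection may already exist, but the assumption deserves a comment at the loop, e.g. `/* one byte holds 8/bps pixels; assumes spp == 1 and byte-padded rows */`. The patch touches only tools/tiffcrop.c, so nothing in it exercises the 2- and 4-bps paths; a small regression input for those depths would keep the overrun from returning unnoticed.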