diff --git a/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch b/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
new file mode 100644
index 0000000..83c7ae7
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
@@ -0,0 +1,86 @@
+From 1205e9800a359b4bb4f35b2a7ff5821986e74f19 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/3] enforce (configurable) memory limit in tiff2rgba
+
+fixes #207
+fixes #209
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 4de96ae..e6de220 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+
+
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -70,8 +74,11 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
+ switch (c) {
++ case 'M':
++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++ break;
+ case 'b':
+ process_by_block = 1;
+ break;
+@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++ TIFFError(TIFFFileName(in),
++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++ return 0;
++ }
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+
++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++ {
++ TIFFError(TIFFFileName(in),
++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++ return 0;
++ }
+ if( process_by_block && TIFFIsTiled( in ) )
+ return( cvt_by_tile( in, out ) );
+ else if( process_by_block )
+@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+
+ static char* stuff[] = {
+- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+ " zip\t\tZip/Deflate encoding",
+@@ -543,6 +563,7 @@ static char* stuff[] = {
+ " -b (progress by block rather than as a whole image)",
+ " -n don't emit alpha component.",
+ " -8 write BigTIFF file instead of ClassicTIFF",
++ " -M set the memory allocation limit in MiB. 0 to disable limit",
+ NULL
+ };
+
+--
+2.31.1
+
diff --git a/SOURCES/libtiff-CVE-2020-35523.patch b/SOURCES/libtiff-CVE-2020-35523.patch
new file mode 100644
index 0000000..0f2ca43
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2020-35523.patch
@@ -0,0 +1,50 @@
+From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow
+
+fixes #211
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index c6edd27..b1f7cc9 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -31,6 +31,7 @@
+ */
+ #include "tiffiop.h"
+ #include <stdio.h>
++#include <limits.h>
+
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+
+ flip = setorientation(img);
+ if (flip & FLIP_VERTICALLY) {
+- y = h - 1;
+- toskew = -(int32)(tw + w);
++ if ((tw + w) > INT_MAX) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = h - 1;
++ toskew = -(int32)(tw + w);
+ }
+ else {
+- y = 0;
+- toskew = -(int32)(tw - w);
++ if (tw > (INT_MAX + w)) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = 0;
++ toskew = -(int32)(tw - w);
+ }
+
+ /*
+--
+2.31.1
+
diff --git a/SOURCES/libtiff-CVE-2020-35524.patch b/SOURCES/libtiff-CVE-2020-35524.patch
new file mode 100644
index 0000000..3dda4e2
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2020-35524.patch
@@ -0,0 +1,39 @@
+From f74e26a36dd32050774f1c4a9256147fb25ae595 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 14 Nov 2020 12:53:01 +0000
+Subject: [PATCH 3/3] tiff2pdf.c: properly calculate datasize when saving to
+ JPEG YCbCr
+
+fixes #220
+---
+ tools/tiff2pdf.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index a15a3ef..db380ec 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+ (void) 0;
+ }
+- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++#ifdef JPEG_SUPPORT
++ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
++ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
++ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
++ } else
++#endif
++ {
++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
++ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++ }
+ }
+ if (k == 0) {
+ /* Assume we had overflow inside TIFFScanlineSize */
+--
+2.31.1
+
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index 44c07bb..eaffd0b 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.0.9
-Release: 18%{?dist}
+Release: 20%{?dist}
License: libtiff
Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/
@@ -23,6 +23,9 @@ Patch11: libtiff-CVE-2018-18661.patch
Patch12: libtiff-CVE-2018-12900.patch
Patch13: libtiff-CVE-2019-14973.patch
Patch14: libtiff-CVE-2019-17546.patch
+Patch15: libtiff-CVE-2020-35521_CVE-2020-35522.patch
+Patch16: libtiff-CVE-2020-35523.patch
+Patch17: libtiff-CVE-2020-35524.patch
BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@@ -89,6 +92,9 @@ image files using the libtiff library.
%patch12 -p1
%patch13 -p1
%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@@ -192,6 +198,15 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
+* Thu Apr 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-20
+- Rebuild for fixed binutils (#1954437)
+
+* Fri Apr 09 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-19
+- Fix CVE-2020-35521 (#1945539)
+- Fix CVE-2020-35522 (#1945555)
+- Fix CVE-2020-35523 (#1945542)
+- Fix CVE-2020-35524 (#1945546)
+
* Thu Feb 20 2020 Nikola Forró <nforro@redhat.com> - 4.0.9-18
- Fix CVE-2019-17546 (#1771372)