[AutoPR- Security] Patch libtiff for CVE-2025-8534, CVE-2025-8177, CVE-2025-8176 [LOW] (#14437)

azurelinux-security · Kanishk-Bansal · web-flow · commit c7d20b276ab0 · 2025-08-11T20:32:37.000+05:30
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/libtiff/CVE-2025-8176.patch b/SPECS/libtiff/CVE-2025-8176.patch
@@ -0,0 +1,115 @@
+From 80c3f0f9ca0e882c4af1b98ccf473411ccbc123f Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 19 May 2025 10:53:30 -0700
+Subject: [PATCH 1/3] Don't skip the first line of the input image. Addresses
+ issue #703
+
+---
+ archive/tools/tiffdither.c | 4 ++--
+ archive/tools/tiffmedian.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/archive/tools/tiffdither.c b/archive/tools/tiffdither.c
+index 187a61a..0c86e7f 100644
+--- a/archive/tools/tiffdither.c
++++ b/archive/tools/tiffdither.c
+@@ -98,7 +98,7 @@ static int fsdither(TIFF *in, TIFF *out)
+     nextptr = nextline;
+     for (j = 0; j < imagewidth; ++j)
+         *nextptr++ = *inptr++;
+-    for (i = 1; i < imagelength; ++i)
++    for (i = 0; i < imagelength; ++i)
+     {
+         tmpptr = thisline;
+         thisline = nextline;
+@@ -146,7 +146,7 @@ static int fsdither(TIFF *in, TIFF *out)
+                     nextptr[0] += v / 16;
+             }
+         }
+-        if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
++        if (TIFFWriteScanline(out, outline, i, 0) < 0)
+             goto skip_on_error;
+     }
+     goto exit_label;
+diff --git a/archive/tools/tiffmedian.c b/archive/tools/tiffmedian.c
+index 334566a..291e73b 100644
+--- a/archive/tools/tiffmedian.c
++++ b/archive/tools/tiffmedian.c
+@@ -912,7 +912,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+     outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ 
+     GetInputLine(in, 0, goto bad); /* get first line */
+-    for (i = 1; i <= imagelength; ++i)
++    for (i = 0; i <= imagelength; ++i)
+     {
+         SWAP(short *, thisline, nextline);
+         lastline = (i >= imax);
+@@ -992,7 +992,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+                 nextptr += 3;
+             }
+         }
+-        if (TIFFWriteScanline(out, outline, i - 1, 0) < 0)
++        if (TIFFWriteScanline(out, outline, i, 0) < 0)
+             break;
+     }
+ bad:
+-- 
+2.45.4
+
+
+From e39690d84c229788cdceec9cd4d11f46aad72da7 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:25:16 -0700
+Subject: [PATCH 2/3] Fix tiffmedian bug #707
+
+---
+ archive/tools/tiffmedian.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/archive/tools/tiffmedian.c b/archive/tools/tiffmedian.c
+index 291e73b..b3b2671 100644
+--- a/archive/tools/tiffmedian.c
++++ b/archive/tools/tiffmedian.c
+@@ -410,7 +410,10 @@ static void get_histogram(TIFF *in, Colorbox *box)
+     for (i = 0; i < imagelength; i++)
+     {
+         if (TIFFReadScanline(in, inputline, i, 0) <= 0)
+-            break;
++        {
++            fprintf(stderr, "Error reading scanline\n");
++            exit(EXIT_FAILURE);
++        }
+         inptr = inputline;
+         for (j = imagewidth; j-- > 0;)
+         {
+-- 
+2.45.4
+
+
+From 0f6f0eaeefe9e98e41b96d9a47292c41e1fdf66d Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Sat, 24 May 2025 21:38:09 -0700
+Subject: [PATCH 3/3] conflict resolution
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/727.patch
+---
+ archive/tools/tiffmedian.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archive/tools/tiffmedian.c b/archive/tools/tiffmedian.c
+index b3b2671..3d5c9ca 100644
+--- a/archive/tools/tiffmedian.c
++++ b/archive/tools/tiffmedian.c
+@@ -915,7 +915,7 @@ static void quant_fsdither(TIFF *in, TIFF *out)
+     outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ 
+     GetInputLine(in, 0, goto bad); /* get first line */
+-    for (i = 0; i <= imagelength; ++i)
++    for (i = 0; i < imagelength; ++i)
+     {
+         SWAP(short *, thisline, nextline);
+         lastline = (i >= imax);
+-- 
+2.45.4
+
diff --git a/SPECS/libtiff/CVE-2025-8177.patch b/SPECS/libtiff/CVE-2025-8177.patch
@@ -0,0 +1,62 @@
+From 853f57d485fa4df27f8dffc7c691f320320a9506 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Thu, 19 Jun 2025 11:51:33 -0700
+Subject: [PATCH 1/2] Fix for thumbnail issue #715
+
+---
+ archive/tools/thumbnail.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/archive/tools/thumbnail.c b/archive/tools/thumbnail.c
+index 8ce0d9b..a94a738 100644
+--- a/archive/tools/thumbnail.c
++++ b/archive/tools/thumbnail.c
+@@ -620,7 +620,15 @@ static void setrow(uint8_t *row, uint32_t nrows, const uint8_t *rows[])
+             }
+             acc += bits[*src & mask1];
+         }
+-        *row++ = cmap[(255 * acc) / area];
++        if (255 * acc / area < 256)
++        {
++            *row++ = cmap[(255 * acc) / area];
++        }
++        else
++        {
++            fprintf(stderr, "acc=%d, area=%d\n", acc, area);
++            row++;
++        }
+     }
+ }
+ 
+-- 
+2.45.4
+
+
+From 026ac684b76ea9c393c616e6d3ba67a609bc751c Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Mon, 23 Jun 2025 10:09:07 -0700
+Subject: [PATCH 2/2] set a default value - assumes cmap[0] was not, itself,
+ uninitialized
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/737.patch
+---
+ archive/tools/thumbnail.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archive/tools/thumbnail.c b/archive/tools/thumbnail.c
+index a94a738..237d99e 100644
+--- a/archive/tools/thumbnail.c
++++ b/archive/tools/thumbnail.c
+@@ -627,7 +627,7 @@ static void setrow(uint8_t *row, uint32_t nrows, const uint8_t *rows[])
+         else
+         {
+             fprintf(stderr, "acc=%d, area=%d\n", acc, area);
+-            row++;
++            *row++ = cmap[0];
+         }
+     }
+ }
+-- 
+2.45.4
+
diff --git a/SPECS/libtiff/CVE-2025-8534.patch b/SPECS/libtiff/CVE-2025-8534.patch
@@ -0,0 +1,60 @@
+From ca74283defdcb02685da93e63e9f93d05f4bf547 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Aug 2025 18:55:54 +0200
+Subject: [PATCH] tiff2ps: check return of TIFFGetFiled() for
+ TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer
+ dereference.
+
+Closes #718
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b.patch
+---
+ tools/unsupported/tiff2ps.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/tools/unsupported/tiff2ps.c b/tools/unsupported/tiff2ps.c
+index 541495d..d6a54b4 100644
+--- a/tools/unsupported/tiff2ps.c
++++ b/tools/unsupported/tiff2ps.c
+@@ -2432,12 +2432,22 @@ int PS_Lvl2page(FILE *fd, TIFF *tif, uint32_t w, uint32_t h)
+     if (tiled_image)
+     {
+         num_chunks = TIFFNumberOfTiles(tif);
+-        TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc);
++        if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc))
++        {
++            TIFFError(filename,
++                      "Can't read bytecounts of tiles at PS_Lvl2page()");
++            return (FALSE);
++        }
+     }
+     else
+     {
+         num_chunks = TIFFNumberOfStrips(tif);
+-        TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
++        if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
++        {
++            TIFFError(filename,
++                      "Can't read bytecounts of strips at PS_Lvl2page()");
++            return (FALSE);
++        }
+     }
+ 
+     if (use_rawdata)
+@@ -3107,7 +3117,11 @@ void PSRawDataBW(FILE *fd, TIFF *tif, uint32_t w, uint32_t h)
+     (void)w;
+     (void)h;
+     TIFFGetFieldDefaulted(tif, TIFFTAG_FILLORDER, &fillorder);
+-    TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc);
++    if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc))
++    {
++        TIFFError(filename, "Can't read bytecounts of strips at PSRawDataBW()");
++        return;
++    }
+ 
+     /*
+      * Find largest strip:
+-- 
+2.45.4
+
diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec
@@ -1,7 +1,7 @@
 Summary:        TIFF libraries and associated utilities.
 Name:           libtiff
 Version:        4.6.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        libtiff
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,6 +13,9 @@ Patch1:         CVE-2023-6277.patch
 Patch2:         CVE-2024-7006.patch
 Patch3:         CVE-2023-3164.patch
 Patch4:         CVE-2023-6228.patch
+Patch5:         CVE-2025-8534.patch
+Patch6:         CVE-2025-8177.patch
+Patch7:         CVE-2025-8176.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -63,9 +66,15 @@ make %{?_smp_mflags} -k check
 %{_includedir}/*
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/*.pc
+%license LICENSE.md
 %{_docdir}/*
+# The above LICENSE.md is same as below hence removing duplicate in doc file
+%exclude %{_docdir}/tiff-%{version}/LICENSE.md
 
 %changelog
+* Tue Aug 05 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 4.6.0-7
+- Patch for CVE-2025-8534, CVE-2025-8177, CVE-2025-8176
+
 * Mon Feb 03 2025 Ankita Pareek <ankitapareek@microsoft.com> - 4.6.0-6
 - Address CVE-2023-6228 with a patch
 
