Commit d0515d6

[AUTO-CHERRYPICK] Fix CVE-2023-3164 in libtiff package for 3.0 - branch 3.0-dev (#11984)
Co-authored-by: bhagyapathak <[email protected]>
1 parent b8bd2d6 commit d0515d6

2 files changed

+35
-1
lines changed

SPECS/libtiff/CVE-2023-3164.patch

Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
From 7ec6f53745ab6331382e59373ffd980b38a378f0 Mon Sep 17 00:00:00 2001
2+
From: Lee Howard <[email protected]>
3+
Date: Wed, 13 Mar 2024 10:06:21 -0700
4+
Subject: [PATCH] fix tiffcrop issues #552, #550, and #542
5+
6+
---
7+
archive/tools/tiffcrop.c | 8 ++++++++
8+
1 file changed, 8 insertions(+)
9+
10+
diff --git a/archive/tools/tiffcrop.c b/archive/tools/tiffcrop.c
11+
index 95983479c..3d837d269 100644
12+
--- a/archive/tools/tiffcrop.c
13+
+++ b/archive/tools/tiffcrop.c
14+
@@ -7766,6 +7766,14 @@ static int extractImageSection(struct image_data *image,
15+
(sect_width * spp * bps) %
16+
8; /* trailing bits within the last byte of destination buffer */
17+
18+
+ /* Check to make sure that we've got enough buffer.
19+
+ */
20+
+ if ((last_row - first_row) * img_rowsize > full_bytes)
21+
+ {
22+
+ printf("The source image data is too small.\n");
23+
+ return(-1);
24+
+ }
25+
+
26+
#ifdef DEVELMODE
27+
TIFFError("",
28+
"First row: %" PRIu32 ", last row: %" PRIu32
29+
--
30+
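
Review bot: The new size check in extractImageSection evaluates `(last_row - first_row) * img_rowsize` before comparing it with full_bytes, and the format string just below prints first row and last row with PRIu32, so the subtraction (and the product, if img_rowsize is also 32-bit) is done in unsigned 32-bit arithmetic and can wrap, which would let an oversized region pass the comparison. Consider widening before multiplying, for example `(uint64_t)(last_row - first_row) * img_rowsize`, and rejecting last_row < first_row explicitly. The failure message also goes to stdout through printf while the adjacent code reports through TIFFError; using TIFFError here would keep the diagnostic on the same error path, and a short comment stating what full_bytes measures would make the bound easier to audit.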

SPECS/libtiff/libtiff.spec

Lines changed: 5 additions & 1 deletion
@@ -1,7 +1,7 @@
11
Summary: TIFF libraries and associated utilities.
22
Name: libtiff
33
Version: 4.6.0
4-
Release: 4%{?dist}
4+
Release: 5%{?dist}
55
License: libtiff
66
Vendor: Microsoft Corporation
77
Distribution: Azure Linux
@@ -11,6 +11,7 @@ Source0: https://gitlab.com/libtiff/libtiff/-/archive/v%{version}/libtiff
1111
Patch0: CVE-2023-52356.patch
1212
Patch1: CVE-2023-6277.patch
1313
Patch2: CVE-2024-7006.patch
14+
Patch3: CVE-2023-3164.patch
1415

1516
BuildRequires: autoconf
1617
BuildRequires: automake
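
Review bot: Patch3 is declared on the added line, but none of the visible hunks touch %prep, so please confirm the spec applies patches automatically (for example through %autosetup -p1) rather than with per-patch lines; otherwise CVE-2023-3164.patch is carried in the package without being applied. The patch targets archive/tools/tiffcrop.c, so it is also worth confirming that this path is actually built and packaged by the spec, since otherwise the fix changes no shipped binary.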
@@ -64,6 +65,9 @@ make %{?_smp_mflags} -k check
6465
%{_docdir}/*
6566

6667
%changelog
68+
* Fri Jan 17 2025 Bhagyashri Pathak <[email protected]> - 4.6.0-5
69+
- Add patch for CVE-2023-3164.patch
70+
6771
* Tue Aug 13 2024 Aadhar Agarwal <[email protected]> - 4.6.0-4
6872
- Add patch for CVE-2024-7006
6973
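
Review bot: The new changelog entry reads "Add patch for CVE-2023-3164.patch", while the previous entry names only the CVE ("Add patch for CVE-2024-7006"). Drop the ".patch" suffix so the entry names the CVE id itself and stays consistent with the earlier entries when the changelog is searched by CVE.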
