From a8c485f9d3e53d6ec6dc3e01b58a2454d60c3116 Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Tue, 5 Aug 2025 17:44:45 +0000 Subject: [PATCH 1/2] Patch libtiff for CVE-2025-8534, CVE-2025-8177, CVE-2025-8176 --- SPECS/libtiff/CVE-2025-8176.patch | 115 ++++++++++++++++++++++++++++++ SPECS/libtiff/CVE-2025-8177.patch | 62 ++++++++++++++++ SPECS/libtiff/CVE-2025-8534.patch | 60 ++++++++++++++++ SPECS/libtiff/libtiff.spec | 8 ++- 4 files changed, 244 insertions(+), 1 deletion(-) create mode 100644 SPECS/libtiff/CVE-2025-8176.patch create mode 100644 SPECS/libtiff/CVE-2025-8177.patch create mode 100644 SPECS/libtiff/CVE-2025-8534.patch diff --git a/SPECS/libtiff/CVE-2025-8176.patch b/SPECS/libtiff/CVE-2025-8176.patch new file mode 100644 index 00000000000..fa0f9c153ac --- /dev/null +++ b/SPECS/libtiff/CVE-2025-8176.patch @@ -0,0 +1,115 @@ +From 80c3f0f9ca0e882c4af1b98ccf473411ccbc123f Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Mon, 19 May 2025 10:53:30 -0700 +Subject: [PATCH 1/3] Don't skip the first line of the input image. Addresses + issue #703 + +--- + archive/tools/tiffdither.c | 4 ++-- + archive/tools/tiffmedian.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/archive/tools/tiffdither.c b/archive/tools/tiffdither.c +index 187a61a..0c86e7f 100644 +--- a/archive/tools/tiffdither.c ++++ b/archive/tools/tiffdither.c +@@ -98,7 +98,7 @@ static int fsdither(TIFF *in, TIFF *out) + nextptr = nextline; + for (j = 0; j < imagewidth; ++j) + *nextptr++ = *inptr++; +- for (i = 1; i < imagelength; ++i) ++ for (i = 0; i < imagelength; ++i) + { + tmpptr = thisline; + thisline = nextline; +@@ -146,7 +146,7 @@ static int fsdither(TIFF *in, TIFF *out) + nextptr[0] += v / 16; + } + } +- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0) ++ if (TIFFWriteScanline(out, outline, i, 0) < 0) + goto skip_on_error; + } + goto exit_label; +diff --git a/archive/tools/tiffmedian.c b/archive/tools/tiffmedian.c +index 334566a..291e73b 100644 +--- a/archive/tools/tiffmedian.c ++++ b/archive/tools/tiffmedian.c +@@ -912,7 +912,7 @@ static void quant_fsdither(TIFF *in, TIFF *out) + outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + + GetInputLine(in, 0, goto bad); /* get first line */ +- for (i = 1; i <= imagelength; ++i) ++ for (i = 0; i <= imagelength; ++i) + { + SWAP(short *, thisline, nextline); + lastline = (i >= imax); +@@ -992,7 +992,7 @@ static void quant_fsdither(TIFF *in, TIFF *out) + nextptr += 3; + } + } +- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0) ++ if (TIFFWriteScanline(out, outline, i, 0) < 0) + break; + } + bad: +-- +2.45.4 + + +From e39690d84c229788cdceec9cd4d11f46aad72da7 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Sat, 24 May 2025 21:25:16 -0700 +Subject: [PATCH 2/3] Fix tiffmedian bug #707 + +--- + archive/tools/tiffmedian.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/archive/tools/tiffmedian.c b/archive/tools/tiffmedian.c +index 291e73b..b3b2671 100644 +--- a/archive/tools/tiffmedian.c ++++ b/archive/tools/tiffmedian.c +@@ -410,7 +410,10 @@ static void get_histogram(TIFF *in, Colorbox *box) + for (i = 0; i < imagelength; i++) + { + if (TIFFReadScanline(in, inputline, i, 0) <= 0) +- break; ++ { ++ fprintf(stderr, "Error reading scanline\n"); ++ exit(EXIT_FAILURE); ++ } + inptr = inputline; + for (j = imagewidth; j-- > 0;) + { +-- +2.45.4 + + +From 0f6f0eaeefe9e98e41b96d9a47292c41e1fdf66d Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Sat, 24 May 2025 21:38:09 -0700 +Subject: [PATCH 3/3] conflict resolution + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/727.patch +--- + archive/tools/tiffmedian.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/archive/tools/tiffmedian.c b/archive/tools/tiffmedian.c +index b3b2671..3d5c9ca 100644 +--- a/archive/tools/tiffmedian.c ++++ b/archive/tools/tiffmedian.c +@@ -915,7 +915,7 @@ static void quant_fsdither(TIFF *in, TIFF *out) + outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + + GetInputLine(in, 0, goto bad); /* get first line */ +- for (i = 0; i <= imagelength; ++i) ++ for (i = 0; i < imagelength; ++i) + { + SWAP(short *, thisline, nextline); + lastline = (i >= imax); +-- +2.45.4 + diff --git a/SPECS/libtiff/CVE-2025-8177.patch b/SPECS/libtiff/CVE-2025-8177.patch new file mode 100644 index 00000000000..21dbce5fb99 --- /dev/null +++ b/SPECS/libtiff/CVE-2025-8177.patch @@ -0,0 +1,62 @@ +From 853f57d485fa4df27f8dffc7c691f320320a9506 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Thu, 19 Jun 2025 11:51:33 -0700 +Subject: [PATCH 1/2] Fix for thumbnail issue #715 + +--- + archive/tools/thumbnail.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/archive/tools/thumbnail.c b/archive/tools/thumbnail.c +index 8ce0d9b..a94a738 100644 +--- a/archive/tools/thumbnail.c ++++ b/archive/tools/thumbnail.c +@@ -620,7 +620,15 @@ static void setrow(uint8_t *row, uint32_t nrows, const uint8_t *rows[]) + } + acc += bits[*src & mask1]; + } +- *row++ = cmap[(255 * acc) / area]; ++ if (255 * acc / area < 256) ++ { ++ *row++ = cmap[(255 * acc) / area]; ++ } ++ else ++ { ++ fprintf(stderr, "acc=%d, area=%d\n", acc, area); ++ row++; ++ } + } + } + +-- +2.45.4 + + +From 026ac684b76ea9c393c616e6d3ba67a609bc751c Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Mon, 23 Jun 2025 10:09:07 -0700 +Subject: [PATCH 2/2] set a default value - assumes cmap[0] was not, itself, + uninitialized + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/737.patch +--- + archive/tools/thumbnail.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/archive/tools/thumbnail.c b/archive/tools/thumbnail.c +index a94a738..237d99e 100644 +--- a/archive/tools/thumbnail.c ++++ b/archive/tools/thumbnail.c +@@ -627,7 +627,7 @@ static void setrow(uint8_t *row, uint32_t nrows, const uint8_t *rows[]) + else + { + fprintf(stderr, "acc=%d, area=%d\n", acc, area); +- row++; ++ *row++ = cmap[0]; + } + } + } +-- +2.45.4 + diff --git a/SPECS/libtiff/CVE-2025-8534.patch b/SPECS/libtiff/CVE-2025-8534.patch new file mode 100644 index 00000000000..343d89db6a7 --- /dev/null +++ b/SPECS/libtiff/CVE-2025-8534.patch @@ -0,0 +1,60 @@ +From ca74283defdcb02685da93e63e9f93d05f4bf547 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 2 Aug 2025 18:55:54 +0200 +Subject: [PATCH] tiff2ps: check return of TIFFGetFiled() for + TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer + dereference. + +Closes #718 + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b.patch +--- + tools/unsupported/tiff2ps.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/tools/unsupported/tiff2ps.c b/tools/unsupported/tiff2ps.c +index 541495d..d6a54b4 100644 +--- a/tools/unsupported/tiff2ps.c ++++ b/tools/unsupported/tiff2ps.c +@@ -2432,12 +2432,22 @@ int PS_Lvl2page(FILE *fd, TIFF *tif, uint32_t w, uint32_t h) + if (tiled_image) + { + num_chunks = TIFFNumberOfTiles(tif); +- TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, ++ "Can't read bytecounts of tiles at PS_Lvl2page()"); ++ return (FALSE); ++ } + } + else + { + num_chunks = TIFFNumberOfStrips(tif); +- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, ++ "Can't read bytecounts of strips at PS_Lvl2page()"); ++ return (FALSE); ++ } + } + + if (use_rawdata) +@@ -3107,7 +3117,11 @@ void PSRawDataBW(FILE *fd, TIFF *tif, uint32_t w, uint32_t h) + (void)w; + (void)h; + TIFFGetFieldDefaulted(tif, TIFFTAG_FILLORDER, &fillorder); +- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, "Can't read bytecounts of strips at PSRawDataBW()"); ++ return; ++ } + + /* + * Find largest strip: +-- +2.45.4 + diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index 2e3e3b55948..d54e8bf9f91 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -1,7 +1,7 @@ Summary: TIFF libraries and associated utilities. Name: libtiff Version: 4.6.0 -Release: 6%{?dist} +Release: 7%{?dist} License: libtiff Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,6 +13,9 @@ Patch1: CVE-2023-6277.patch Patch2: CVE-2024-7006.patch Patch3: CVE-2023-3164.patch Patch4: CVE-2023-6228.patch +Patch5: CVE-2025-8534.patch +Patch6: CVE-2025-8177.patch +Patch7: CVE-2025-8176.patch BuildRequires: autoconf BuildRequires: automake @@ -66,6 +69,9 @@ make %{?_smp_mflags} -k check %{_docdir}/* %changelog +* Tue Aug 05 2025 Azure Linux Security Servicing Account - 4.6.0-7 +- Patch for CVE-2025-8534, CVE-2025-8177, CVE-2025-8176 + * Mon Feb 03 2025 Ankita Pareek - 4.6.0-6 - Address CVE-2023-6228 with a patch From 8c9ffc5720372e6ac9c9318c3c018cb34ab9de0d Mon Sep 17 00:00:00 2001 From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Date: Tue, 5 Aug 2025 23:26:26 +0530 Subject: [PATCH 2/2] fix licence issue --- SPECS/libtiff/libtiff.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index d54e8bf9f91..83def110759 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -66,7 +66,10 @@ make %{?_smp_mflags} -k check %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc +%license LICENSE.md %{_docdir}/* +# The above LICENSE.md is same as below hence removing duplicate in doc file +%exclude %{_docdir}/tiff-%{version}/LICENSE.md %changelog * Tue Aug 05 2025 Azure Linux Security Servicing Account - 4.6.0-7