From ed40c72a6df3bb12b01339fccb00b782d95ae414 Mon Sep 17 00:00:00 2001 From: dongyuzhen Date: Thu, 10 Mar 2022 14:46:40 +0800 Subject: [PATCH] fix CVE-2022-22844 --- backport-0001-CVE-2022-22844.patch | 50 ++++++++++++++++++++++++++++++ backport-0002-CVE-2022-22844.patch | 39 +++++++++++++++++++++++ backport-0003-CVE-2022-22844.patch | 28 +++++++++++++++++ libtiff.spec | 11 ++++++- 4 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 backport-0001-CVE-2022-22844.patch create mode 100644 backport-0002-CVE-2022-22844.patch create mode 100644 backport-0003-CVE-2022-22844.patch diff --git a/backport-0001-CVE-2022-22844.patch b/backport-0001-CVE-2022-22844.patch new file mode 100644 index 0000000..e02aa8c --- /dev/null +++ b/backport-0001-CVE-2022-22844.patch @@ -0,0 +1,50 @@ +From 49b81e99704bd199a24ccce65f974cc2d78cccc4 Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 4 Jan 2022 11:01:37 +0000 +Subject: [PATCH] fixing global-buffer-overflow in tiffset + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/49b81e99704bd199a24ccce65f974cc2d78cccc4 + +--- + tools/tiffset.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/tools/tiffset.c b/tools/tiffset.c +index 7ecc401..53afc51 100644 +--- a/tools/tiffset.c ++++ b/tools/tiffset.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include "tiffio.h" + +@@ -133,9 +134,19 @@ main(int argc, char* argv[]) + + arg_index++; + if (TIFFFieldDataType(fip) == TIFF_ASCII) { +- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) +- fprintf( stderr, "Failed to set %s=%s\n", +- TIFFFieldName(fip), argv[arg_index] ); ++ if(TIFFFieldPassCount( fip )) { ++ size_t len; ++ len = (uint32_t)(strlen(argv[arg_index] + 1)); ++ if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ (uint16_t)len, argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } else { ++ if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } + } else if (TIFFFieldWriteCount(fip) > 0 + || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { + int ret = 1; +-- +2.33.0 + diff --git a/backport-0002-CVE-2022-22844.patch b/backport-0002-CVE-2022-22844.patch new file mode 100644 index 0000000..5cc47a5 --- /dev/null +++ b/backport-0002-CVE-2022-22844.patch @@ -0,0 +1,39 @@ +From 0cf67888e32e36b45828dd467920684c93f2b22d Mon Sep 17 00:00:00 2001 +From: Timothy Lyanguzov +Date: Tue, 25 Jan 2022 04:27:28 +0000 +Subject: [PATCH] Apply 4 suggestion(s) to 1 file(s) + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/0cf67888e32e36b45828dd467920684c93f2b22d + +--- + tools/tiffset.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/tiffset.c b/tools/tiffset.c +index 53afc51..75a8616 100644 +--- a/tools/tiffset.c ++++ b/tools/tiffset.c +@@ -136,15 +136,15 @@ main(int argc, char* argv[]) + if (TIFFFieldDataType(fip) == TIFF_ASCII) { + if(TIFFFieldPassCount( fip )) { + size_t len; +- len = (uint32_t)(strlen(argv[arg_index] + 1)); +- if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ len = strlen(argv[arg_index] + 1); ++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), + (uint16_t)len, argv[arg_index]) != 1) +- fprintf( stderr, "Failed to set %s=%s", ++ fprintf( stderr, "Failed to set %s=%s\n", + TIFFFieldName(fip), argv[arg_index] ); + } else { + if (TIFFSetField(tiff, TIFFFieldTag(fip), + argv[arg_index]) != 1) +- fprintf( stderr, "Failed to set %s=%s", ++ fprintf( stderr, "Failed to set %s=%s\n", + TIFFFieldName(fip), argv[arg_index] ); + } + } else if (TIFFFieldWriteCount(fip) > 0 +-- +2.33.0 + diff --git a/backport-0003-CVE-2022-22844.patch b/backport-0003-CVE-2022-22844.patch new file mode 100644 index 0000000..6450024 --- /dev/null +++ b/backport-0003-CVE-2022-22844.patch @@ -0,0 +1,28 @@ +From 0a827a985f891d6df481a6f581c723640fad7874 Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 25 Jan 2022 04:30:38 +0000 +Subject: [PATCH] fix a small typo in strlen + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/0a827a985f891d6df481a6f581c723640fad7874 + +--- + tools/tiffset.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/tiffset.c b/tools/tiffset.c +index 75a8616..19e177b 100644 +--- a/tools/tiffset.c ++++ b/tools/tiffset.c +@@ -136,7 +136,7 @@ main(int argc, char* argv[]) + if (TIFFFieldDataType(fip) == TIFF_ASCII) { + if(TIFFFieldPassCount( fip )) { + size_t len; +- len = strlen(argv[arg_index] + 1); ++ len = strlen(argv[arg_index]) + 1; + if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), + (uint16_t)len, argv[arg_index]) != 1) + fprintf( stderr, "Failed to set %s=%s\n", +-- +2.33.0 + diff --git a/libtiff.spec b/libtiff.spec index d57d939..6cc60e7 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,6 +1,6 @@ Name: libtiff Version: 4.1.0 -Release: 4 +Release: 5 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ @@ -11,6 +11,9 @@ Patch6001: backport-CVE-2020-35523.patch Patch6002: backport-CVE-2020-35524.patch Patch6003: backport-CVE-2022-0561.patch Patch6004: backport-CVE-2022-0562.patch +Patch6005: backport-0001-CVE-2022-22844.patch +Patch6006: backport-0002-CVE-2022-22844.patch +Patch6007: backport-0003-CVE-2022-22844.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig git @@ -117,6 +120,12 @@ find html -name 'Makefile*' | xargs rm %exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Thu Mar 10 2022 dongyuzhen - 4.1.0-5 +- Type:cves +- ID:CVE-2022-22844 +- SUG:NA +- DESC:fix CVE-2022-22844 + * Wed Feb 23 2022 liuyumeng -4.1.0-4 - Type:cves - ID:CVE-2022-0561 CVE-2022-0562