diff --git a/SPECS/libtiff/CVE-2025-61143.patch b/SPECS/libtiff/CVE-2025-61143.patch new file mode 100644 index 00000000000..9a2937dc9f9 --- /dev/null +++ b/SPECS/libtiff/CVE-2025-61143.patch @@ -0,0 +1,56 @@ +From 5dc7828382338433f6cabc7bc602de6e2cbe626e Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Fri, 5 Sep 2025 11:48:00 -0700 +Subject: [PATCH 1/2] avoid out-of-bounds read identified in #733 + +--- + archive/tools/tiffdither.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/archive/tools/tiffdither.c b/archive/tools/tiffdither.c +index 0c86e7f..17673e7 100644 +--- a/archive/tools/tiffdither.c ++++ b/archive/tools/tiffdither.c +@@ -87,6 +87,11 @@ static int fsdither(TIFF *in, TIFF *out) + fprintf(stderr, "Out of memory.\n"); + goto skip_on_error; + } ++ if (imagewidth > TIFFScanlineSize(in)) ++ { ++ fprintf(stderr, "Image width exceeds scanline size.\n"); ++ goto skip_on_error; ++ } + + /* + * Get first line +-- +2.45.4 + + +From 1302fe68e080340921e0c522cdecef7563296bc5 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Fri, 5 Sep 2025 12:11:13 -0700 +Subject: [PATCH 2/2] avoid null pointer dereference in tiffcrop #734 + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/755.patch +--- + archive/tools/tiffcrop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/archive/tools/tiffcrop.c b/archive/tools/tiffcrop.c +index adfd0d2..f69efa8 100644 +--- a/archive/tools/tiffcrop.c ++++ b/archive/tools/tiffcrop.c +@@ -2925,7 +2925,7 @@ int main(int argc, char *argv[]) + if (dump.outfile != NULL) + { + dump_info(dump.outfile, dump.format, "", "Completed run for %s", +- TIFFFileName(out)); ++ out ? TIFFFileName(out) : "(not opened)"); + fclose(dump.outfile); + } + } +-- +2.45.4 + diff --git a/SPECS/libtiff/CVE-2025-61144.patch b/SPECS/libtiff/CVE-2025-61144.patch new file mode 100644 index 00000000000..39ef3cb43d1 --- /dev/null +++ b/SPECS/libtiff/CVE-2025-61144.patch @@ -0,0 +1,27 @@ +From 050c8047ce6dbdd76820d2bbcc89c380aeb36d87 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Fri, 5 Sep 2025 13:01:12 -0700 +Subject: [PATCH] avoid buffer overflow in tiffcrop #740 + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/757.patch +--- + archive/tools/tiffcrop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/archive/tools/tiffcrop.c b/archive/tools/tiffcrop.c +index f69efa8..998c6ab 100644 +--- a/archive/tools/tiffcrop.c ++++ b/archive/tools/tiffcrop.c +@@ -4375,7 +4375,7 @@ static int combineSeparateSamplesBytes(unsigned char *srcbuffs[], + { + if ((dumpfile != NULL) && (level == 2)) + { +- for (s = 0; s < spp; s++) ++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + dump_info(dumpfile, format, "combineSeparateSamplesBytes", + "Input data, Sample %" PRIu16, s); +-- +2.45.4 + diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index 97fb63b6bf6..6aeb9d5e72d 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -1,7 +1,7 @@ Summary: TIFF libraries and associated utilities. Name: libtiff Version: 4.6.0 -Release: 11%{?dist} +Release: 12%{?dist} License: libtiff Vendor: Microsoft Corporation Distribution: Azure Linux @@ -21,6 +21,8 @@ Patch9: CVE-2025-9165.patch Patch10: CVE-2025-9900.patch Patch11: CVE-2024-13978.patch Patch12: CVE-2025-8961.patch +Patch13: CVE-2025-61143.patch +Patch14: CVE-2025-61144.patch BuildRequires: autoconf BuildRequires: automake @@ -77,6 +79,9 @@ make %{?_smp_mflags} -k check %exclude %{_docdir}/tiff-%{version}/LICENSE.md %changelog +* Wed Feb 25 2026 Azure Linux Security Servicing Account - 4.6.0-12 +- Patch for CVE-2025-61144, CVE-2025-61143 + * Thu Nov 27 2025 Azure Linux Security Servicing Account - 4.6.0-11 - Patch for CVE-2025-8961