Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tiff for openSUSE:Factory checked in 
at 2022-11-15 13:18:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tiff (Old)
 and      /work/SRC/openSUSE:Factory/.tiff.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tiff"

Tue Nov 15 13:18:18 2022 rev:87 rq:1035628 version:4.4.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/tiff/tiff.changes        2022-10-18 
12:44:49.221699212 +0200
+++ /work/SRC/openSUSE:Factory/.tiff.new.1597/tiff.changes      2022-11-15 
13:21:04.128690285 +0100
@@ -1,0 +2,20 @@
+Mon Nov 14 11:54:03 UTC 2022 - Michael Vetter <mvet...@suse.com>
+
+- security update:
+  * CVE-2022-3970 [bsc#1205392]
+    + tiff-CVE-2022-3970.patch
+
+-------------------------------------------------------------------
+Sun Nov 13 20:42:25 UTC 2022 - Michael Vetter <mvet...@suse.com>
+
+- security update:
+  * CVE-2022-3597 [bsc#1204641]
+  * CVE-2022-3626 [bsc#1204644]
+  * CVE-2022-3627 [bsc#1204645]
+    + tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch
+  * CVE-2022-3599 [bsc#1204643]
+    + tiff-CVE-2022-3599.patch
+  * CVE-2022-3598 [bsc#1204642]
+    + tiff-CVE-2022-3598.patch
+
+-------------------------------------------------------------------

New:
----
  tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch
  tiff-CVE-2022-3598.patch
  tiff-CVE-2022-3599.patch
  tiff-CVE-2022-3970.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tiff.spec ++++++
--- /var/tmp/diff_new_pack.8vXg7p/_old  2022-11-15 13:21:04.636692908 +0100
+++ /var/tmp/diff_new_pack.8vXg7p/_new  2022-11-15 13:21:04.644692949 +0100
@@ -36,6 +36,10 @@
 Patch2:         tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch
 Patch3:         tiff-CVE-2022-34526.patch
 Patch4:         tiff-CVE-2022-2519,CVE-2022-2520,CVE-2022-2521.patch
+Patch5:         tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch
+Patch6:         tiff-CVE-2022-3599.patch
+Patch7:         tiff-CVE-2022-3598.patch
+Patch8:         tiff-CVE-2022-3970.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libjbig-devel
 BuildRequires:  libjpeg-devel
@@ -78,6 +82,10 @@
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 %build
 CFLAGS="%{optflags} -fPIE"


++++++ tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch ++++++
Index: tiff-4.4.0/tools/tiffcrop.c
===================================================================
--- tiff-4.4.0.orig/tools/tiffcrop.c
+++ tiff-4.4.0/tools/tiffcrop.c
@@ -108,8 +108,10 @@
  *                lower level, scanline level routines. Debug reports a 
limited set
  *                of messages to monitor progress without enabling dump logs.
  * 
- * Note:    The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ * Note 1:  The (-X|-Y), -Z, -z and -S options are mutually exclusive.
  *          In no case should the options be applied to a given selection 
successively.
+ * Note 2:  Any of the -X, -Y, -Z and -z options together with other 
PAGE_MODE_x options
+ *          such as -H, -V, -P, -J or -K are not supported and may cause 
buffer overflows.
  */
 
 static   char tiffcrop_version_id[] = "2.5";
@@ -781,8 +783,10 @@ static const char usage_info[] =
 "             The four debug/dump options are independent, though it makes 
little sense to\n"
 "             specify a dump file without specifying a detail level.\n"
 "\n"
-"Note:        The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+"Note 1:      The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
 "             In no case should the options be applied to a given selection 
successively.\n"
+"Note 2:      Any of the -X, -Y, -Z and -z options together with other 
PAGE_MODE_x options\n"
+"             such as - H, -V, -P, -J or -K are not supported and may cause 
buffer overflows.\n"
 "\n"
 ;
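Review bot: The added usage text prints `- H` with a space, which is not an option a user can type; it should read `-H`, as the source comment changed at the top of tiffcrop.c does. The same `- H` appears in the TIFFError message added to process_command_opts, which also ends in `overflows..->exit` with a doubled period. This text is the only place users learn which option combinations are refused for memory-safety reasons, so it should be exact.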
 
@@ -2138,9 +2142,20 @@ void  process_command_opts (int argc, ch
     R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
     S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
     if (XY + Z + R + S > 1) {
-        TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and 
-S are mutually exclusive.->Exit");
+        TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and 
-S are mutually exclusive.->exit");
         exit(EXIT_FAILURE);
     }
+
+    /* Check for not allowed combination:
+     * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x 
options
+     * such as -H, -V, -P, -J or -K are not supported and may cause buffer 
overflows.
+.    */
+    if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
+        TIFFError("tiffcrop input error",
+            "Any of the crop options -X, -Y, -Z and -z together with other 
PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may 
cause buffer overflows..->exit");
+        exit(EXIT_FAILURE);
+    }
+
   }  /* end process_command_opts */
 
 /* Start a new output file if one has not been previously opened or
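Review bot: The check added at the end of process_command_opts rejects the crop and PAGE_MODE_x combination at option parsing, and the tiffcrop.c hunks in this patch do not change the buffer handling that the message says can overflow. Any crop mode or page mode added later therefore has to be added to this condition by hand. I would state that in the comment, e.g. `/* Only guard against the crop + PAGE_MODE_x overflows (CVE-2022-3597, -3626, -3627); keep in sync with new modes. */`. The comment block also closes with a stray `.` before `*/`. The function begins outside the hunk, so how `XY` and `Z` are computed is not visible here.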
@@ -2411,6 +2426,7 @@ main(int argc, char* argv[])
         exit (EXIT_FAILURE);
        }
 
+      /* Crop input image and copy zones and regions from input image into 
seg_buffs or crop_buff. */
       if (crop.selections > 0)
         {
         if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
@@ -2427,6 +2443,7 @@ main(int argc, char* argv[])
           exit (EXIT_FAILURE);
          }
        }
+      /* Format and write selected image parts to output file(s). */
       if (page.mode == PAGE_MODE_NONE)
         {  /* Whole image or sections not based on output page size */
         if (crop.selections > 0)

++++++ tiff-CVE-2022-3598.patch ++++++
++++ 640 lines (skipped)

++++++ tiff-CVE-2022-3599.patch ++++++
Index: tiff-4.4.0/libtiff/tif_dir.c
===================================================================
--- tiff-4.4.0.orig/libtiff/tif_dir.c
+++ tiff-4.4.0/libtiff/tif_dir.c
@@ -136,32 +136,31 @@ setExtraSamples(TIFF* tif, va_list ap, u
 }
 
 /*
- * Confirm we have "samplesperpixel" ink names separated by \0.  Returns 
+ * Count ink names separated by \0.  Returns
  * zero if the ink names are not as expected.
  */
-static uint32_t
-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
+static uint16_t
+countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
 {
-       TIFFDirectory* td = &tif->tif_dir;
-       uint16_t i = td->td_samplesperpixel;
+       uint16_t i = 0;
+       const char *ep = s + slen;
+       const char *cp = s;
 
        if (slen > 0) {
-               const char* ep = s+slen;
-               const char* cp = s;
-               for (; i > 0; i--) {
+               do {
                        for (; cp < ep && *cp != '\0'; cp++) {}
                        if (cp >= ep)
                                goto bad;
                        cp++;                           /* skip \0 */
-               }
-               return ((uint32_t)(cp - s));
+                       i++;
+               } while (cp < ep);
+               return (i);
        }
 bad:
        TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
-           "%s: Invalid InkNames value; expecting %"PRIu16" names, found 
%"PRIu16,
-           tif->tif_name,
-           td->td_samplesperpixel,
-           (uint16_t)(td->td_samplesperpixel-i));
+                "%s: Invalid InkNames value; no NUL at given buffer end 
location %"PRIu32", after %"PRIu16" ink",
+               tif->tif_name, slen, i);
+
        return (0);
 }
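Review bot: countInkNamesString counts into a `uint16_t` while `slen` is a `uint32_t`, so a buffer holding 65536 or more NUL-terminated names would wrap `i` and return 0 or an undercount without any message. The one caller in this patch truncates the length to `uint16_t` first, which keeps the count in range, but the function does not state that precondition. A header comment such as `/* slen must fit in uint16_t; every NUL, including one ending an empty name, counts as one ink. */` would record it. The `slen == 0` case also falls through to `bad:` and reports a missing NUL at location 0, which misdescribes an empty value.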
 
@@ -475,13 +474,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag,
                _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 
6);
                break;
        case TIFFTAG_INKNAMES:
-               v = (uint16_t) va_arg(ap, uint16_vap);
-               s = va_arg(ap, char*);
-               v = checkInkNamesString(tif, v, s);
-               status = v > 0;
-               if( v > 0 ) {
-                       _TIFFsetNString(&td->td_inknames, s, v);
-                       td->td_inknameslen = v;
+{
+                       v = (uint16_t) va_arg(ap, uint16_vap);
+                       s = va_arg(ap, char*);
+                       uint16_t ninksinstring;
+                       ninksinstring = countInkNamesString(tif, v, s);
+                       status = ninksinstring > 0;
+                       if(ninksinstring > 0 ) {
+                               _TIFFsetNString(&td->td_inknames, s, v);
+                               td->td_inknameslen = v;
+                               /* Set NumberOfInks to the value ninksinstring 
*/
+                               if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+                               {
+                                       if (td->td_numberofinks != 
ninksinstring) {
+                                               
TIFFErrorExt(tif->tif_clientdata, module,
+                                                       "Warning %s; Tag %s:\n  
Value %"PRIu16" of NumberOfInks is different from the number of inks 
%"PRIu16".\n  -> NumberOfInks value adapted to %"PRIu16"",
+                                                       tif->tif_name, 
fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
+                                               td->td_numberofinks = 
ninksinstring;
+                                       }
+                               } else {
+                                       td->td_numberofinks = ninksinstring;
+                                       TIFFSetFieldBit(tif, 
FIELD_NUMBEROFINKS);
+                               }
+                               if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+                               {
+                                       if (td->td_numberofinks != 
td->td_samplesperpixel) {
+                                               
TIFFErrorExt(tif->tif_clientdata, module,
+                                                       "Warning %s; Tag %s:\n  
Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value 
%"PRIu16"",
+                                                       tif->tif_name, 
fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
+                                       }
+                               }
+                       }
+               }
+               break;
+       case TIFFTAG_NUMBEROFINKS:
+               v = (uint16_t)va_arg(ap, uint16_vap);
+               /* If InkNames already set also NumberOfInks is set accordingly 
and should be equal */
+               if (TIFFFieldSet(tif, FIELD_INKNAMES))
+               {
+                       if (v != td->td_numberofinks) {
+                               TIFFErrorExt(tif->tif_clientdata, module,
+                                       "Error %s; Tag %s:\n  It is not 
possible to set the value %"PRIu32" for NumberOfInks\n  which is different from 
the number of inks in the InkNames tag (%"PRIu16")",
+                                       tif->tif_name, fip->field_name, v, 
td->td_numberofinks);
+                               /* Do not set / overwrite number of inks 
already set by InkNames case accordingly. */
+                               status = 0;
+                       }
+               } else {
+                       td->td_numberofinks = (uint16_t)v;
+                       if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+                       {
+                               if (td->td_numberofinks != 
td->td_samplesperpixel) {
+                                       TIFFErrorExt(tif->tif_clientdata, 
module,
+                                               "Warning %s; Tag %s:\n  Value 
%"PRIu32" of NumberOfInks is different from the SamplesPerPixel value 
%"PRIu16"",
+                                               tif->tif_name, fip->field_name, 
v, td->td_samplesperpixel);
+                               }
+                       }
                }
                break;
        case TIFFTAG_PERSAMPLE:
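Review bot: The three messages that begin with "Warning" in the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS cases are sent through `TIFFErrorExt` although `status` is not cleared on those paths, so an application whose error handler rejects the file on any error callback will treat an accepted tag as a failure. `TIFFWarningExt(tif->tif_clientdata, module, ...)` would match the message text and is what the block removed from _TIFFVGetField used. A NumberOfInks that differs from SamplesPerPixel is only reported, not refused, so code that walks InkNames should bound itself by `td_numberofinks` and `td_inknameslen` rather than by SamplesPerPixel. _TIFFVSetField starts and ends outside the hunk, so the declarations of `v`, `module` and `fip` are not visible here.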
@@ -916,34 +963,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag,
                standard_tag = 0;
        }
        
-        if( standard_tag == TIFFTAG_NUMBEROFINKS )
-        {
-            int i;
-            for (i = 0; i < td->td_customValueCount; i++) {
-                uint16_t val;
-                TIFFTagValue *tv = td->td_customValues + i;
-                if (tv->info->field_tag != standard_tag)
-                    continue;
-                if( tv->value == NULL )
-                    return 0;
-                val = *(uint16_t *)tv->value;
-                /* Truncate to SamplesPerPixel, since the */
-                /* setting code for INKNAMES assume that there are 
SamplesPerPixel */
-                /* inknames. */
-                /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
-                if( val > td->td_samplesperpixel )
-                {
-                    TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
-                                   "Truncating NumberOfInks from %u to 
%"PRIu16,
-                                   val, td->td_samplesperpixel);
-                    val = td->td_samplesperpixel;
-                }
-                *va_arg(ap, uint16_t*) = val;
-                return 1;
-            }
-            return 0;
-        }
-
        switch (standard_tag) {
                case TIFFTAG_SUBFILETYPE:
                        *va_arg(ap, uint32_t*) = td->td_subfiletype;
@@ -1124,6 +1143,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag,
                case TIFFTAG_INKNAMES:
                        *va_arg(ap, const char**) = td->td_inknames;
                        break;
+               case TIFFTAG_NUMBEROFINKS:
+                       *va_arg(ap, uint16_t *) = td->td_numberofinks;
+                       break;
                default:
                        {
                                int i;
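Review bot: The new TIFFTAG_NUMBEROFINKS case returns `td->td_numberofinks` as stored, whereas the block deleted earlier in _TIFFVGetField clamped the value to `td_samplesperpixel` before returning it. Callers that relied on NumberOfInks never exceeding SamplesPerPixel now receive the count taken from the InkNames string, and the setter only reports a mismatch. A one-line comment on the case, e.g. `/* not clamped to SamplesPerPixel; callers must bound their own indexing */`, would make the changed contract visible. The function continues outside the hunk.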
Index: tiff-4.4.0/libtiff/tif_dir.h
===================================================================
--- tiff-4.4.0.orig/libtiff/tif_dir.h
+++ tiff-4.4.0/libtiff/tif_dir.h
@@ -117,6 +117,7 @@ typedef struct {
        /* CMYK parameters */
        int     td_inknameslen;
        char*   td_inknames;
+       uint16_t td_numberofinks;                 /* number of inks in InkNames 
string */
 
        int     td_customValueCount;
         TIFFTagValue *td_customValues;
@@ -174,6 +175,7 @@ typedef struct {
 #define FIELD_TRANSFERFUNCTION         44
 #define FIELD_INKNAMES                 46
 #define FIELD_SUBIFD                   49
+#define FIELD_NUMBEROFINKS             50
 /*      FIELD_CUSTOM (see tiffio.h)    65 */
 /* end of support for well-known tags; codec-private tags follow */
 #define FIELD_CODEC                    66  /* base of codec-private tags */
Index: tiff-4.4.0/libtiff/tif_dirinfo.c
===================================================================
--- tiff-4.4.0.orig/libtiff/tif_dirinfo.c
+++ tiff-4.4.0/libtiff/tif_dirinfo.c
@@ -114,7 +114,7 @@ tiffFields[] = {
        { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, 
TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) 
&tiffFieldArray },
        { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, 
TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
        { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, 
TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
-       { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, 
TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
+        { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, 
TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
        { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, 
TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
        { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, 
TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
        { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, 
TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
Index: tiff-4.4.0/libtiff/tif_dirwrite.c
===================================================================
--- tiff-4.4.0.orig/libtiff/tif_dirwrite.c
+++ tiff-4.4.0/libtiff/tif_dirwrite.c
@@ -708,6 +708,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isi
                                if 
(!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
                                        goto bad;
                        }
+                       if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+                       {
+                               if (!TIFFWriteDirectoryTagShort(tif, &ndir, 
dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
+                                       goto bad;
+                       }
                        if (TIFFFieldSet(tif,FIELD_SUBIFD))
                        {
                                if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
Index: tiff-4.4.0/libtiff/tif_print.c
===================================================================
--- tiff-4.4.0.orig/libtiff/tif_print.c
+++ tiff-4.4.0/libtiff/tif_print.c
@@ -401,6 +401,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd,
                }
                 fputs("\n", fd);
        }
+       if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
+               fprintf(fd, "  NumberOfInks: %d\n",
+                       td->td_numberofinks);
+       }
        if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
                fprintf(fd, "  Thresholding: ");
                switch (td->td_threshholding) {

++++++ tiff-CVE-2022-3970.patch ++++++
Index: tiff-4.4.0/libtiff/tif_getimage.c
===================================================================
--- tiff-4.4.0.orig/libtiff/tif_getimage.c
+++ tiff-4.4.0/libtiff/tif_getimage.c
@@ -3058,15 +3058,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t
         return( ok );
 
     for( i_row = 0; i_row < read_ysize; i_row++ ) {
-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
-                 raster + (read_ysize - i_row - 1) * read_xsize,
+        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
                  read_xsize * sizeof(uint32_t) );
-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * 
tile_xsize+read_xsize,
                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
     }
 
     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
                      0, sizeof(uint32_t) * tile_xsize );
     }
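Review bot: The `(size_t)` casts widen the row-offset product only where `size_t` is wider than 32 bits; on a 32-bit build `(size_t)(tile_ysize - i_row - 1) * tile_xsize` is still a 32-bit multiplication and can wrap for the same tile dimensions. Whether that is reachable depends on how `raster` is sized and on any earlier bound on the tile dimensions, and TIFFReadRGBATileExt starts outside this hunk, so neither is visible here. If no such bound exists, a check before the two loops would cover it, for example `if (tile_ysize != 0 && tile_xsize > SIZE_MAX / sizeof(uint32_t) / tile_ysize) return 0;`. Failing that, a comment should name the 64-bit assumption.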
 
