new file mode 100644

@@ -0,0 +1,25 @@

+From f91ca83a21a6a583050e5a5755ce1441b2bf1d7e Mon Sep 17 00:00:00 2001

+From: Even Rouault <even.rouault@spatialys.com>

+Date: Wed, 23 Aug 2017 13:21:41 +0000

+Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not

+ finding the SubIFD tag by runtime check. Fixes

+ http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337

+

+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c

+index 38edb3fb..a85f0627 100644

+--- a/libtiff/tif_dirwrite.c

+@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)

+ 			TIFFDirEntry* nb;

+ 			for (na=0, nb=dir; ; na++, nb++)

+ 			{

+-				assert(na<ndir);

++				if( na == ndir )

++                                {

++                                    TIFFErrorExt(tif->tif_clientdata,module,

++                                                 "Cannot find SubIFD tag");

++                                    goto bad;

++                                }

+ 				if (nb->tdir_tag==TIFFTAG_SUBIFD)

+ 					break;

+ 			}

new file mode 100644

@@ -0,0 +1,28 @@

+From b6af137bf9ef852f1a48a50a5afb88f9e9da01cc Mon Sep 17 00:00:00 2001

+From: Even Rouault <even.rouault@spatialys.com>

+Date: Wed, 23 Aug 2017 13:33:42 +0000

+Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not

+ fitting on uint32 when selecting the value of SubIFD tag by runtime check (in

+ TIFFWriteDirectoryTagSubifd()). Fixes

+ http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337

+

+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c

+index a85f0627..cad0a498 100644

+--- a/libtiff/tif_dirwrite.c

+@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)

+ 		for (p=0; p < tif->tif_dir.td_nsubifd; p++)

+ 		{

+                         assert(pa != 0);

+-			assert(*pa <= 0xFFFFFFFFUL);

++

++                        /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */

++                        if( *pa > 0xFFFFFFFFUL)

++                        {

++                            TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");

++                            _TIFFfree(o);

++                            return(0);

++                        }

+ 			*pb++=(uint32)(*pa++);

+ 		}

+ 		n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);

@@ -1,7 +1,7 @@

 Summary:        TIFF libraries and associated utilities.

 Name:           libtiff

 Version:        4.0.8

-Release:        5%{?dist}

+Release:        6%{?dist}

 License:        libtiff

 URL:            http://www.simplesystems.org/libtiff/

 Group:          System Environment/Libraries

@@ -16,6 +16,8 @@ Patch2:         libtiff-CVE-2017-10688.patch

 Patch3:         libtiff-4.0.8-CVE-2017-9936.patch

 Patch4:         libtiff-4.0.8-CVE-2017-11335.patch

 Patch5:         libtiff-4.0.8-CVE-2017-12944.patch

+Patch6:         libtiff-4.0.8-CVE-2017-13726.patch

+Patch7:         libtiff-4.0.8-CVE-2017-13727.patch

 BuildRequires:  libjpeg-turbo-devel

 Requires:       libjpeg-turbo

 %description

@@ -36,6 +38,8 @@ It contains the libraries and header files to create applications

 %patch3 -p1

 %patch4 -p1

 %patch5 -p1

+%patch6 -p1

+%patch7 -p1

 %build

 %configure \

     --disable-static

@@ -69,6 +73,8 @@ make %{?_smp_mflags} -k check

 %{_datadir}/man/man3/*

 %changelog

+*   Mon Nov 27 2017 Xiaolin Li <xiaolinl@vmware.com> 4.0.8-6

+-   Added patches for CVE-2017-13726, CVE-2017-13727

 *   Mon Nov 13 2017 Dheeraj Shetty <dheerajs@vmware.com> 4.0.8-5

 -   Patch : CVE-2017-12944

 *   Fri Oct 13 2017 Alexey Makhalov <amakhalov@vmware.com> 4.0.8-4