new file mode 100644

@@ -0,0 +1,68 @@

+From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001

+From: erouault <erouault>

+Date: Wed, 11 Jan 2017 19:25:44 +0000

+Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow

+ and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based

+ overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and

+ http://bugzilla.maptools.org/show_bug.cgi?id=2657

+

+---

+ tools/tiffcp.c | 24 ++++++++++++++++++++++--

+ 2 files changed, 29 insertions(+), 2 deletions(-)

+

+diff --git a/tools/tiffcp.c b/tools/tiffcp.c

+index bdf754c..8bbcd52 100644

+--- a/tools/tiffcp.c

+@@ -591,7 +591,7 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);

+ static int

+ tiffcp(TIFF* in, TIFF* out)

+ {

+-	uint16 bitspersample, samplesperpixel = 1;

++	uint16 bitspersample = 1, samplesperpixel = 1;

+ 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;

+ 	copyFunc cf;

+ 	uint32 width, length;

+@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)

+ 	register uint32 n;

+ 	uint32 row;

+ 	tsample_t s;

++        uint16 bps = 0;

++

++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);

++        if( bps != 8 )

++        {

++            TIFFError(TIFFFileName(in),

++                      "Error, can only handle BitsPerSample=8 in %s",

++                      "cpContig2SeparateByRow");

++            return 0;

++        }

+ 

+ 	inbuf = _TIFFmalloc(scanlinesizein);

+ 	outbuf = _TIFFmalloc(scanlinesizeout);

+@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)

+ 	register uint32 n;

+ 	uint32 row;

+ 	tsample_t s;

++        uint16 bps = 0;

++

++        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);

++        if( bps != 8 )

++        {

++            TIFFError(TIFFFileName(in),

++                      "Error, can only handle BitsPerSample=8 in %s",

++                      "cpSeparate2ContigByRow");

++            return 0;

++        }

+ 

+ 	inbuf = _TIFFmalloc(scanlinesizein);

+ 	outbuf = _TIFFmalloc(scanlinesizeout);

+@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)

+ 	uint32 w, l, tw, tl;

+ 	int bychunk;

+ 

+-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);

++	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);

+ 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {

+ 		fprintf(stderr,

+ 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",

@@ -1,7 +1,7 @@

 Summary:	TIFF libraries and associated utilities.

 Name:		libtiff

 Version:	4.0.7

-Release:	1%{?dist}

+Release:	2%{?dist}

 License:	libtiff

 URL:		http://www.remotesensing.org/libtiff

 Group:		System Environment/Libraries

@@ -11,6 +11,7 @@ Source0:	http://download.osgeo.org/%{name}/tiff-%{version}.tar.gz

 %define sha1 tiff=2c1b64478e88f93522a42dd5271214a0e5eae648

 Patch0:		libtiff-4.0.6-CVE-2015-7554.patch

 Patch1:     	libtiff-4.0.6-CVE-2015-1547.patch

+Patch2:     	libtiff-4.0.7-CVE-2017-5225.patch

 BuildRequires:	libjpeg-turbo-devel

 Requires:	libjpeg-turbo

 %description

@@ -27,6 +28,7 @@ It contains the libraries and header files to create applications

 %setup -q -n tiff-%{version}

 %patch0 -p1

 %patch1 -p1

+%patch2 -p1

 %build

 ./configure \

@@ -62,6 +64,8 @@ make %{?_smp_mflags} -k check

 %{_datadir}/man/man3/*

 %changelog

+*   Thu Jan 19 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 4.0.7-2

+-   Patch : CVE-2017-5225

 *   Thu Nov 24 2016 Alexey Makhalov <amakhalov@vmware.com> 4.0.7-1

 -   Update to 4.0.7. It fixes CVE-2016-953[3456789] and CVE-2016-9540

 -   Remove obsolete patches