@@ -1,14 +1,14 @@

 Summary:        GD is an open source code library for the dynamic creation of images by programmers.

 Name:           libgd

 Version:        2.3.2

-Release:        3%{?dist}

+Release:        4%{?dist}

 License:        MIT

 URL:            https://libgd.github.io/

 Group:          System/Libraries

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        https://github.com/libgd/libgd/releases/download/gd-%{version}/%{name}-%{version}.tar.gz

-%define sha1    libgd=be6da7d9d58ff09d5d28f4fc2763aef4f0c3c75f

+%define sha512  libgd=8295dfe1ef0a23aeb4d14cc6a2977ff3c6e3835e3f37f6a0eb13b313b5ab31a8751534473c34ac29ef18307611aa4df9f5421b9fd5b7cee650e197988ecdfdd9

 Patch0:         libgd-CVE-2021-38115.patch

 Patch1:         libgd-CVE-2021-40145.patch

 Patch2:         libgd-CVE-2021-40812.patch

@@ -64,6 +64,8 @@ make %{?_smp_mflags} -k check

 %{_libdir}/pkgconfig/*

 %changelog

+*   Mon Jun 20 2022 Shivani Agarwal <shivania2@vmware.com>  2.3.2-4

+-   Version bump up to use libtiff 4.4.0

 *   Fri Sep 24 2021 Nitesh Kumar <kunitesh@vmware.com> 2.3.2-3

 -   Patched for CVE-2021-40812.

 *   Wed Sep 08 2021 Nitesh Kumar <kunitesh@vmware.com> 2.3.2-2

@@ -1,6 +1,8 @@

-+++ b/autogen.sh	2021-04-27 20:07:41.237138194 +0000

-@@ -5,16 +5,3 @@

+diff --git a/autogen.sh b/autogen.sh

+index 2882bfc7..db8c38e7 100755

+--- a/autogen.sh

+@@ -5,16 +5,3 @@ aclocal -I ./m4

  autoheader

  automake --foreign --add-missing --copy

  autoconf

@@ -11,7 +13,7 @@

 -    echo "$0: getting $file..."

 -    wget -q --timeout=5 -O config/$file.tmp \

 -      "https://git.savannah.gnu.org/cgit/config.git/plain/${file}" \

--      && mv config/$file.tmp config/$file \

+-      && mv -f config/$file.tmp config/$file \

 -      && chmod a+x config/$file

 -    retval=$?

 -    rm -f config/$file.tmp

deleted file mode 100644

@@ -1,31 +0,0 @@

-From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001

-From: Even Rouault <even.rouault@spatialys.com>

-Date: Thu, 24 Feb 2022 22:26:02 +0100

-Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD

- in memory-mapped mode and when bit reversal is needed (fixes #385)

-

- libtiff/tif_jbig.c | 10 ++++++++++

- 1 file changed, 10 insertions(+)

-

-diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c

-index 740863384c569b17f4dfc01ee580853e3270af6c..8bfa4cef6ddb8a10021c51f12b17d82381269a49 100644

-+++ b/libtiff/tif_jbig.c

-@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)

- 	 */

- 	tif->tif_flags |= TIFF_NOBITREV;

- 	tif->tif_flags &= ~TIFF_MAPPED;

-+	/* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and

-+	 * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial

-+	 * value to be consistent with the state of a non-memory mapped file.

-+	 */

-+	if (tif->tif_flags&TIFF_BUFFERMMAP) {

-+		tif->tif_rawdata = NULL;

-+		tif->tif_rawdatasize = 0;

-+		tif->tif_flags &= ~TIFF_BUFFERMMAP;

-+		tif->tif_flags |= TIFF_MYBUFFER;

-+	}

- 

- 	/* Setup the function pointers for encode, decode, and cleanup. */

- 	tif->tif_setupdecode = JBIGSetupDecode;

deleted file mode 100644

@@ -1,213 +0,0 @@

-From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001

-From: Su Laus <sulau@freenet.de>

-Date: Tue, 8 Mar 2022 17:02:44 +0000

-Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in

- extractImageSection

-

- tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------

- 1 file changed, 36 insertions(+), 56 deletions(-)

-

-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c

-index f2e5474a..e62bcc71 100644

-+++ b/tools/tiffcrop.c

-@@ -105,8 +105,8 @@

-  *                of messages to monitor progress without enabling dump logs.

-  */

- 

--static   char tiffcrop_version_id[] = "2.4";

--static   char tiffcrop_rev_date[] = "12-13-2010";

-+static   char tiffcrop_version_id[] = "2.4.1";

-+static   char tiffcrop_rev_date[] = "03-03-2010";

- 

- #include "tif_config.h"

- #include "libport.h"

-@@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,

- #ifdef DEVELMODE

-   uint32_t    img_length;

- #endif

--  uint32_t    j, shift1, shift2, trailing_bits;

-+  uint32_t    j, shift1, trailing_bits;

-   uint32_t    row, first_row, last_row, first_col, last_col;

-   uint32_t    src_offset, dst_offset, row_offset, col_offset;

--  uint32_t    offset1, offset2, full_bytes;

-+  uint32_t    offset1, full_bytes;

-   uint32_t    sect_width;

- #ifdef DEVELMODE

-   uint32_t    sect_length;

-@@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,

- #ifdef DEVELMODE

-   int      k;

-   unsigned char bitset;

--  static char *bitarray = NULL;

- #endif

- 

-   img_width = image->width;

-@@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,

-   dst_offset = 0;

- 

- #ifdef DEVELMODE

--  if (bitarray == NULL)

--    {

--    if ((bitarray = (char *)malloc(img_width)) == NULL)

--      {

--      TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");

--      return (-1);

--      }

--    }

-+  char bitarray[39];

- #endif

- 

--  /* rows, columns, width, length are expressed in pixels */

-+  /* rows, columns, width, length are expressed in pixels

-+   * first_row, last_row, .. are index into image array starting at 0 to width-1,

-+   * last_col shall be also extracted.  */

-   first_row = section->y1;

-   last_row  = section->y2;

-   first_col = section->x1;

-@@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,

- #ifdef DEVELMODE

-   sect_length = last_row - first_row + 1;

- #endif

--  img_rowsize = ((img_width * bps + 7) / 8) * spp;

--  full_bytes = (sect_width * spp * bps) / 8;   /* number of COMPLETE bytes per row in section */

--  trailing_bits = (sect_width * bps) % 8;

-+    /* The read function loadImage() used copy separate plane data into a buffer as interleaved

-+     * samples rather than separate planes so the same logic works to extract regions

-+     * regardless of the way the data are organized in the input file.

-+     * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 

-+     */

-+    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */

-+    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */

-+    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */

- 

- #ifdef DEVELMODE

-     TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",

-@@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,

- 

-   if ((bps % 8) == 0)

-     {

--    col_offset = first_col * spp * bps / 8;

-+    col_offset = (first_col * spp * bps) / 8;

-     for (row = first_row; row <= last_row; row++)

-       {

--      /* row_offset = row * img_width * spp * bps / 8; */

-       row_offset = row * img_rowsize;

-       src_offset = row_offset + col_offset;

- 

-@@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,

-     }

-   else

-     { /* bps != 8 */

--    shift1  = spp * ((first_col * bps) % 8);

--    shift2  = spp * ((last_col * bps) % 8);

-+    shift1 = ((first_col * spp * bps) % 8);           /* shift1 = bits to skip in the first byte of source buffer*/

-     for (row = first_row; row <= last_row; row++)

-       {

-       /* pull out the first byte */

-       row_offset = row * img_rowsize;

--      offset1 = row_offset + (first_col * bps / 8);

--      offset2 = row_offset + (last_col * bps / 8);

-+      offset1 = row_offset + ((first_col * spp * bps) / 8);   /* offset1 = offset into source of byte with first bits to be extracted */

- 

- #ifdef DEVELMODE

-       for (j = 0, k = 7; j < 8; j++, k--)

-@@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,

-       sprintf(&bitarray[9], " ");

-       for (j = 10, k = 7; j < 18; j++, k--)

-         {

--        bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;

-+        bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;

-         sprintf(&bitarray[j], (bitset) ? "1" : "0");

-         }

-       bitarray[18] = '\0';

--      TIFFError ("", "Row: %3d Offset1: %"PRIu32",  Shift1: %"PRIu32",    Offset2: %"PRIu32",  Shift2:  %"PRIu32"\n", 

--                 row, offset1, shift1, offset2, shift2); 

-+      TIFFError ("", "Row: %3d Offset1: %"PRIu32",  Shift1: %"PRIu32",    Offset2: %"PRIu32",  Trailing_bits:  %"PRIu32"\n", 

-+                 row, offset1, shift1, offset1+full_bytes, trailing_bits); 

- #endif

- 

-       bytebuff1 = bytebuff2 = 0;

-@@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,

- 

-         if (trailing_bits != 0)

-           {

--	  bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));

-+      /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */

-+	  bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));

-           sect_buff[dst_offset] = bytebuff2;

- #ifdef DEVELMODE

- 	  TIFFError ("", "        Trailing bits src offset:  %8"PRIu32", Dst offset: %8"PRIu32"\n",

--                              offset2, dst_offset); 

-+          offset1 + full_bytes, dst_offset);

-           for (j = 30, k = 7; j < 38; j++, k--)

-             {

-             bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;

-@@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,

- #endif

-         for (j = 0; j <= full_bytes; j++) 

-           {

--	  bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);

--	  bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));

-+          /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/

-+          /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */

-+          bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);

-+          bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));

-           sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));

-           }

- #ifdef DEVELMODE

-@@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,

- #endif

-         dst_offset += full_bytes;

- 

-+        /* Copy the trailing_bits for the last byte in the destination buffer. 

-+           Could come from one ore two bytes of the source buffer. */

-         if (trailing_bits != 0)

-           {

- #ifdef DEVELMODE

--	    TIFFError ("", "        Trailing bits   src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);

--#endif

--	  if (shift2 > shift1)

--            {

--	    bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));

--            bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);

--            sect_buff[dst_offset] = bytebuff2;

--#ifdef DEVELMODE

--	    TIFFError ("", "        Shift2 > Shift1\n"); 

-+          TIFFError("", "        Trailing bits %4"PRIu32"   src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);

- #endif

-+          /* More than necessary bits are already copied into last destination buffer, 

-+           * only masking of last byte in destination buffer is necessary.*/ 

-+          sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));

-             }

--          else

--            {

--	    if (shift2 < shift1)

--              {

--              bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));

--	      sect_buff[dst_offset] &= bytebuff2;

--#ifdef DEVELMODE

--	      TIFFError ("", "        Shift2 < Shift1\n"); 

--#endif

--              }

--#ifdef DEVELMODE

--            else

--	      TIFFError ("", "        Shift2 == Shift1\n"); 

--#endif

--            }

--	  }

- #ifdef DEVELMODE

- 	  sprintf(&bitarray[28], " ");

- 	  sprintf(&bitarray[29], " ");

-@@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,

-     width  = sections[i].x2 - sections[i].x1 + 1;

-     length = sections[i].y2 - sections[i].y1 + 1;

-     sectsize = (uint32_t)

--	    ceil((width * image->bps + 7) / (double)8) * image->spp * length;

-+	    ceil((width * image->bps * image->spp + 7) / (double)8) * length;

-     /* allocate a buffer if we don't have one already */

-     if (createImageSection(sectsize, sect_buff_ptr))

-       {

-GitLab

deleted file mode 100644

@@ -1,86 +0,0 @@

-From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001

-From: Augustus <wangdw.augustus@qq.com>

-Date: Mon, 7 Mar 2022 18:21:49 +0800

-Subject: [PATCH] add checks for return value of limitMalloc (#392)

-

- tools/tiffcrop.c | 33 +++++++++++++++++++++------------

- 1 file changed, 21 insertions(+), 12 deletions(-)

-

-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c

-index f2e5474aee6762f2b0ec1e60d4320197e7ac643f..9b8acc7ec27f8ba663df92db5035dd06edef749f 100644

-+++ b/tools/tiffcrop.c

-@@ -7406,7 +7406,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)

-   if (!sect_buff)

-     {

-     sect_buff = (unsigned char *)limitMalloc(sectsize);

--    *sect_buff_ptr = sect_buff;

-+    if (!sect_buff)

-+    {

-+        TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");

-+        return (-1);

-+    }

-     _TIFFmemset(sect_buff, 0, sectsize);

-     }

-   else

-@@ -7422,15 +7426,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)

-       else

-         sect_buff = new_buff;

- 

-+      if (!sect_buff)

-+      {

-+          TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");

-+          return (-1);

-+      }

-       _TIFFmemset(sect_buff, 0, sectsize);

-       }

-     }

- 

--  if (!sect_buff)

--    {

--    TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");

--    return (-1);

--    }

-   prev_sectsize = sectsize;

-   *sect_buff_ptr = sect_buff;

- 

-@@ -7697,7 +7701,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,

-   if (!crop_buff)

-     {

-     crop_buff = (unsigned char *)limitMalloc(cropsize);

--    *crop_buff_ptr = crop_buff;

-+    if (!crop_buff)

-+    {

-+        TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");

-+        return (-1);

-+    }

-     _TIFFmemset(crop_buff, 0, cropsize);

-     prev_cropsize = cropsize;

-     }

-@@ -7713,15 +7721,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,

-         }

-       else

-         crop_buff = new_buff;

-+      if (!crop_buff)

-+      {

-+          TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");

-+          return (-1);

-+      }

-       _TIFFmemset(crop_buff, 0, cropsize);

-       }

-     }

- 

--  if (!crop_buff)

--    {

--    TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");

--    return (-1);

--    }

-   *crop_buff_ptr = crop_buff;

- 

-   if (crop->crop_mode & CROP_INVERT)

-@@ -9280,3 +9288,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui

-  * fill-column: 78

-  * End:

-  */

-+

deleted file mode 100644

@@ -1,26 +0,0 @@

-From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001

-From: Even Rouault <even.rouault@spatialys.com>

-Date: Thu, 17 Feb 2022 15:28:43 +0100

-Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null

- source pointer and size of zero (fixes #383)

-

- libtiff/tif_dirread.c | 5 ++++-

- 1 file changed, 4 insertions(+), 1 deletion(-)

-

-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c

-index 50ebf8ac5b800f7b16e98d29f7e99b83056444c5..2ec44a4f13e14afad4c5ed40fdbf6398123c8782 100644

-+++ b/libtiff/tif_dirread.c

-@@ -5091,7 +5091,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)

- 								_TIFFfree(data);

- 							return(0);

- 						}

--						_TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);

-+						if (dp->tdir_count > 0 )

-+						{

-+							_TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);

-+						}

- 						o[(uint32_t)dp->tdir_count]=0;

- 						if (data!=0)

- 							_TIFFfree(data);

deleted file mode 100644

@@ -1,29 +0,0 @@

-From 5c663c84f8a83ba790250a0ede847aa255825414 Mon Sep 17 00:00:00 2001

-From: Augustus <wangdw.augustus@qq.com>

-Date: Thu, 3 Mar 2022 16:06:58 +0800

-Subject: [PATCH] fix FPE in tiffcrop

-

- libtiff/tif_dir.c | 4 ++--

- 1 file changed, 2 insertions(+), 2 deletions(-)

-

-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c

-index 57055ca90ac1efd4fabea1a2001a5dc77937951f..59b346ca15efc2105ed3920e9ba0f030e6ae23d8 100644

-+++ b/libtiff/tif_dir.c

-@@ -333,13 +333,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)

- 		break;

- 	case TIFFTAG_XRESOLUTION:

-         dblval = va_arg(ap, double);

--        if( dblval < 0 )

-+        if( dblval != dblval || dblval < 0 )

-             goto badvaluedouble;

- 		td->td_xresolution = _TIFFClampDoubleToFloat( dblval );

- 		break;

- 	case TIFFTAG_YRESOLUTION:

-         dblval = va_arg(ap, double);

--        if( dblval < 0 )

-+        if( dblval != dblval || dblval < 0 )

-             goto badvaluedouble;

- 		td->td_yresolution = _TIFFClampDoubleToFloat( dblval );

- 		break;

deleted file mode 100644

@@ -1,51 +0,0 @@

-From a8a951abda9e79dafdc021f12a18e2858f474556 Mon Sep 17 00:00:00 2001

-From: Augustus <wangdw.augustus@qq.com>

-Date: Thu, 10 Mar 2022 16:41:58 +0800

-Subject: [PATCH] fix heap-buffer-overflow error in tiffcp by adding checks for

- ((bps%8)!=0)

-

- tools/tiffcp.c | 17 ++++++++++++++++-

- 1 file changed, 16 insertions(+), 1 deletion(-)

-

-diff --git a/tools/tiffcp.c b/tools/tiffcp.c

-index 224583e068159e49b9acf5fa65aeab635d4e708b..aa32b11834a45c7a094871b2d42bb38787d3cb14 100644

-+++ b/tools/tiffcp.c

-@@ -1667,12 +1667,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)

- 	tdata_t obuf;

- 	tstrip_t strip = 0;

- 	tsample_t s;

-+	uint16_t bps = 0, bytes_per_sample;

- 

- 	obuf = limitMalloc(stripsize);

- 	if (obuf == NULL)

- 		return (0);

- 	_TIFFmemset(obuf, 0, stripsize);

- 	(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);

-+	(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);

-+	if( bps == 0 )

-+        {

-+            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");

-+            _TIFFfree(obuf);

-+            return 0;

-+        }

-+        if( (bps % 8) != 0 )

-+        {

-+            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");

-+            _TIFFfree(obuf);

-+            return 0;

-+        }

-+	bytes_per_sample = bps/8;

- 	for (s = 0; s < spp; s++) {

- 		uint32_t row;

- 		for (row = 0; row < imagelength; row += rowsperstrip) {

-@@ -1682,7 +1697,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)

- 

- 			cpContigBufToSeparateBuf(

- 			    obuf, (uint8_t*) buf + row * rowsize + s,

--			    nrows, imagewidth, 0, 0, spp, 1);

-+			    nrows, imagewidth, 0, 0, spp, bytes_per_sample);

- 			if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {

- 				TIFFError(TIFFFileName(out),

- 				    "Error, can't write strip %"PRIu32,

deleted file mode 100644

@@ -1,35 +0,0 @@

-From 49b81e99704bd199a24ccce65f974cc2d78cccc4 Mon Sep 17 00:00:00 2001

-From: 4ugustus <wangdw.augustus@qq.com>

-Date: Tue, 4 Jan 2022 11:01:37 +0000

-Subject: [PATCH 1/3] fixing global-buffer-overflow in tiffset

-

- tools/tiffset.c | 16 +++++++++++++---

- 1 file changed, 13 insertions(+), 3 deletions(-)

-

-index 8c9e23c5275fd958b7ff7ac0f6c2b38c826e1fcd..e7a88c09ce19c450535063177d72adf145b46603 100644

-+++ b/tools/tiffset.c

-@@ -146,9 +146,19 @@ main(int argc, char* argv[])

- 

-             arg_index++;

-             if (TIFFFieldDataType(fip) == TIFF_ASCII) {

--                if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)

--                    fprintf( stderr, "Failed to set %s=%s\n",

--                             TIFFFieldName(fip), argv[arg_index] );

-+                if(TIFFFieldPassCount( fip )) {

-+                    size_t len;

-+                    len = strlen(argv[arg_index]) + 1;

-+                    if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),

-+                            (uint16_t)len, argv[arg_index]) != 1)

-+                        fprintf( stderr, "Failed to set %s=%s\n",

-+                            TIFFFieldName(fip), argv[arg_index] );

-+                } else {

-+                    if (TIFFSetField(tiff, TIFFFieldTag(fip),

-+                            argv[arg_index]) != 1)

-+                        fprintf( stderr, "Failed to set %s=%s\n",

-+                            TIFFFieldName(fip), argv[arg_index] );

-+                }

-             } else if (TIFFFieldWriteCount(fip) > 0

- 		       || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {

-                 int     ret = 1;

@@ -1,25 +1,18 @@

 Summary:        TIFF libraries and associated utilities.

 Name:           libtiff

-Version:        4.3.0

-Release:        2%{?dist}

+Version:        4.4.0

+Release:        1%{?dist}

 License:        libtiff

 URL:            https://gitlab.com/libtiff/libtiff

 Group:          System Environment/Libraries

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        https://gitlab.com/libtiff/libtiff/-/archive/v%{version}/libtiff-v%{version}.tar.gz

-%define sha512  libtiff-v=eaa2503dc1805283e0590b06e3e660a793fe849ae8b975b2d69369695d65a40640787c156574faaca856917be799eeb844e60f55555e1f219dd513cef66ea95d

+%define sha512  libtiff-v=93955a2b802cf243e41d49048499da73862b5d3ffc005e3eddf0bf948a8bd1537f7c9e7f112e72d082549b4c49e256b9da9a3b6d8039ad8fc5c09a941b7e75d7

 Source1:        config.guess

 Source2:        config.sub

 Patch0:         CVE-2018-12900.patch

 Patch1:         autogen.patch

-Patch2:         libtiff-CVE-2022-0891.patch

-Patch3:         libtiff-CVE-2022-22844.patch

-Patch4:         libtiff-CVE-2022-0865.patch

-Patch5:         libtiff-CVE-2022-0924.patch

-Patch6:         libtiff-CVE-2022-0908.patch

-Patch7:         libtiff-CVE-2022-0909.patch

-Patch8:         libtiff-CVE-2022-0907.patch

 BuildRequires:  libjpeg-turbo-devel wget

 Requires:       libjpeg-turbo

@@ -74,6 +67,8 @@ make %{?_smp_mflags} -k check

 %{_datadir}/man/man3/*

 %changelog

+*   Mon Jun 20 2022 Shivani Agarwal <shivania2@vmware.com> 4.4.0-1

+-   Fix CVE-2022-1622

 *   Mon May 16 2022 Shivani Agarwal <shivania2@vmware.com> 4.3.0-2

 -   Fix CVE-2022-22844, CVE-2022-0865, CVE-2022-0924, CVE-2022-0908, CVE-2022-0909, CVE-2022-0907, CVE-2022-0891

 *   Sat Apr 24 2021 Gerrit Photon <photon-checkins@vmware.com> 4.3.0-1

@@ -1,14 +1,14 @@

 Summary:	Library to encode and decode webP format images

 Name:		libwebp

 Version:	1.2.0

-Release:	1%{?dist}

+Release:	2%{?dist}

 License:	BSD

 URL:		http://webmproject.org/

 Group:		System Environment/Libraries

 Vendor:		VMware, Inc.

 Distribution:	Photon

 Source0:        https://github.com/webmproject/%{name}/archive/%{name}-%{version}.tar.gz

-%define sha1 libwebp=54383895bd18783c7af8517620252a712258b22c

+%define sha512  libwebp=177a4876035c300931ff3628a4ef6e2e7eb9372c126091f17ed0601c466b479e378d52cb593588df2844e1125395f50fc89a30c2908f2cc511b2e97c11a62968

 BuildRequires:	libjpeg-turbo-devel

 BuildRequires:	libtiff-devel

 BuildRequires:	libpng-devel

@@ -25,7 +25,7 @@ Requires:	%{name} = %{version}-%{release}

 It contains the libraries and header files to create applications

 %prep

-%setup -q

+%autosetup

 %build

 ./autogen.sh

@@ -39,7 +39,7 @@ It contains the libraries and header files to create applications

 make %{?_smp_mflags}

 %install

-make DESTDIR=%{buildroot} install

+make %{?_smp_mflags} DESTDIR=%{buildroot} install

 find %{buildroot} -name '*.la' -delete

 %post

@@ -61,6 +61,8 @@ find %{buildroot} -name '*.la' -delete

 %{_libdir}/pkgconfig/*.pc

 %changelog

+* 	Mon Jun 20 2022 Shivani Agarwal <shivania2@vmware.com>  1.2.0-2

+- 	Version bump up to use libtiff 4.4

 *       Thu Apr 29 2021 Gerrit Photon <photon-checkins@vmware.com> 1.2.0-1

 -       Automatic Version Bump

 *       Wed Jul 08 2020 Gerrit Photon <photon-checkins@vmware.com> 1.1.0-1