Opened 6 months ago

Closed 6 months ago

#20420 closed enhancement (fixed)

tiff-4.7.0

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New minor version.

Change History (5)

comment:1 by Douglas R. Reno, 6 months ago

Priority: normalelevated

This has some security fixes in it.

comment:2 by Douglas R. Reno, 6 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:3 by Douglas R. Reno, 6 months ago

Major changes

  • This version restores in the default build the availability of the tools that had been dropped in v4.6.0

Software configuration changes

  • autoconf build: configure.ac: avoid -Werror passed to CFLAGS to interfere with feature detection
  • autoconf build: fix error when running make clean
  • autoconf build: back off the minimum required automake version to 1.11
  • autoconf.ac: fix detection of windows.h for mingw
  • libtiff-4.pc: Fix Requires.private missing Lerc. It provides a .pc file starting from version 4 (in autoconf builds, we assume that liblerc is at least version 4)
  • CMake: Fix TIFF_INCLUDE_DIRS
  • CMake: MinGW compilers don't need a .def file for shared library
  • CMake: move libdeflate and Lerc to Requires.private
  • CMake: enable resource compilation on all Windows.

Library changes

New/improved functionalities:

  • Add TIFFOpenOptionsSetMaxCumulatedMemAlloc(). This function complements TIFFOpenOptionsSetMaxSingleMemAlloc() to define the maximum cumulated memory allocations in byte, for a given TIFF handle, that libtiff internal memory allocation functions are allowed.

API/ABI breaks:

None

Bug fixes:

  • TIFFWriteDirectory(): Avoid overwriting following data if an IFD is enlarged.
  • TIFFXYZToRGB: avoid integer overflow
  • uv_decode() and uv_encode(): avoid potential out-of-bounds array index
  • Fix cases where tif_curdir is set incorrectly. Fix cases where the current directory number (tif_curdir) is set inconsistently or incorrectly, depending on the previous history.
  • TIFFRead[Scanline/EncodedStrip/EncodeTile]: 0-initialize output buffer if setupdecode fails ; most codecs: zero-initialize (not-yet-written parts of) output buffer if failure
  • OJPEG: reset subsampling_convert_state=0 in OJPEGPreDecode
  • ThunderRLE: fix failure when decoding last run. Bug seen with GhostPDL
  • LERC codec: deal with issues with multi-band PlanarConfig=Contig and NaN values
  • tif_fax3.c: error out after a number of times end-of-file has been reached
  • LZW: avoid warning about misaligned address with UBSAN
  • TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (CVE-2023-52356)
  • tif_dirread.c: only issue TIFFGetFileSize() for large enough RAM requests
  • Avoid FPEs (division by zero) in tif_getimage.c.
  • Avoiding FPE (division by zero) for TIFFhowmany_32() and TIFFhowmany_64() macros by checking for denominator not zero before macros are executed.
  • Add non-zero check before division in TIFFComputeStrip()
  • Fix wrong return of TIFFIsBigTIFF() in case byte-swapping is active
  • Setting the TIFFFieldInfo field set_field_type should consider field_writecount not field_readcount
  • Avoid memory leaks when using TIFFCreateDirectory() by releasing the allocated memory in the tif-structure.
  • For non-terminated ASCII arrays, the buffer is first enlarged before a NULL is set at the end to avoid deleting the last character.
  • Check return value of _TIFFCreateAnonField(). (CVE-2024-7006)
  • Prevent some out-of-memory attacks (#614 (comment 1602683857))
  • Ensure absolute seeking is forced independent of TIFFReadDirectory success.
  • tif_dirinfo.c: re-enable TIFFTAG_EP_CFAREPEATPATTERNDIM and TIFFTAG_EP_CFAPATTERN tags

Other changes:

  • Fix warnings with GCC 14
  • tif_dir.c: Log source file, line number, and input tif for directory count error
  • Last usage of get_field_type of TIFFField structure at TIFFWriteDirectorySec() changed to using set_field_type.
  • tif_jpeg.c/tif_ojpeg.c: remove likely ifdef tricks related to old compilers or unusual setups
  • Remove _TIFFUInt64ToFloat() and _TIFFUInt64ToDouble()
  • Remove support for _MSC_VER < 1500.
  • Use #ifdef _WIN32 to test for Windows, and tiffio.h: remove definition of WIN32

Documentation

  • Amend manpages for changes in current directory index behaviour
  • Note on using TIFFFlush() before TIFFClose() to check that the data has been successfully written to the file.
  • Update TIFF documentation about TIFFOpenOptions.rst and TIFFOpenOptionsSetMaxSingleMemAlloc() usage and some other small fixes (relates to CVE-2024-7006)

Tools changes

Re-added tools:

  • fax2ps
  • fax2tiff
  • pal2rgb
  • ppm2tiff
  • raw2tiff
  • rgb2ycbcr (not installed)
  • thumbnail (not installed)
  • tiff2bw
  • tiff2rgba
  • tiffcmp
  • tiffcrop
  • tiffdither
  • tiffgt
  • tiffmedian
  • tiff2ps
  • tiff2pdf

New/improved functionality:

  • tiff2rgba: Add background gradient option for alpha compositing
  • tiffcp: -i flag restored

Bug fixes:

  • tiffcrop: address Coverity scan issues 1605444, 1605445, and 16054
  • tiffcrop: Apply "Fix heap-buffer-overflow in function extractImageSection"
  • tiffcrop: fix buffer overflows, use after free
  • tiff2pdf: address Coverity scan issues
  • tiff2pdf: fix inconsistent PLANARCONFIG value for the input and output TIFF
  • tiff2pdf: fix issue with JPEG restart-interval marker when converting from JPEG-compressed files
  • tiff2pdf: red and blue were being swapped for RGBA decoding (fixes :issue:253)
  • tiff2pdf: fixes
  • thumbnail: address Coverity scan issues
  • tiffcp: Add check for limitMalloc return to fix Coverity 1603334
  • tiffcp: preserve TIFFTAG_REFERENCEBLACKWHITE when doing YCbCr JPEG -> YCbCr JPEG
  • tiffcp: replace PHOTOMETRIC_YCBCR with PHOTOMETRIC_RGB when outputing to compression != JPEG
  • tiffcp: do not copy tags YCBCRCOEFFICIENTS, YCBCRSUBSAMPLING, YCBCRPOSITIONING, REFERENCEBLACKWHITE. Only set YCBCRSUBSAMPLING when generating YCbCr JPEG
  • tiffcp: Check also codec of input image, not only from output image
  • Add some basic sanity checks for tiffcp and tiffcrop RGB->YCbCr JPEG conversions.
  • fax2ps and fax2tiff: memory leak fixes
  • tiffmedian: memory leak fixes
  • fax2tiff: fix EOFB interpretation
  • fax2tiff: fix issue with unreasonable width input
  • tiffcp and tiffcrop: fixes
  • tiff2rgba: fixes
  • tiffdither: fixes
  • tiffdump: fix wrong printf formatter in error message (Coverity 1472932)
  • tiffset: avoid false positive Coverity Scan warning on 64-bit builds (Coverity 1518997)
  • tifcp/tiffset: use correct format specifiers

Changes to contributed and unsupported tools

  • contrib/addtiffo: validate return of TIFFWriteEncodedXXXX() calls (Coverity 1024680)

comment:4 by Douglas R. Reno, 6 months ago

The two security fixes are CVE-2023-52356 and CVE-2024-7006.

  • CVE-2023-52356: "A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service." (7.5 High)
  • CVE-2024-7006: "A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service." (7.5 High)

comment:5 by Douglas R. Reno, 6 months ago

Resolution: fixed
Status: assignedclosed

Fixed at f06d6c3c31af1601a6d7a87f97664475e8cb57b2

SA-12.2-010 issued

Note: See TracTickets for help on using tickets.