Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0007-tiffcrop-Do-not-reuse-input-buffer-for-subsequent-im.patch | tiffcrop: Do not reuse input buffer for subsequent images. Fix issue 527 Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value. Closes #527 | Su_Laus <sulau@freenet.de> | no | | | 2023-02-14 |
0008-tif_luv-Check-and-correct-for-NaN-data-in-uv_encode.patch | tif_luv: Check and correct for NaN data in uv_encode(). Closes #530 See merge request !473 | Su_Laus <sulau@freenet.de> | no | | | 2023-02-16 |
0009-TIFFReadRGBAStrip-TIFFReadRGBATile-add-more-validati.patch | TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622) | Even Rouault <even.rouault@spatialys.com> | no | | | 2023-10-31 |
0010-Check-return-value-of-_TIFFCreateAnonField.patch | Check return value of _TIFFCreateAnonField(). Fixes #624 | Su_Laus <sulau@freenet.de> | no | | | 2023-12-01 |
fix_TIFFReadRawStrip_man_page_typo.patch | fix TIFFReadRawStrip man page typo Change TIFFReadEncodedStrip to TIFFReadRawStrip as needed. | Laszlo Boszormenyi (GCS) <gcs@debian.org> | no | debian | | 2018-11-19 |
CVE-2022-0561.patch | [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null source pointer and size of zero (fixes #362) | Even Rouault <even.rouault@spatialys.com> | no | | | 2022-02-06 |
CVE-2022-0562.patch | [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null source pointer and size of zero (fixes #362) | Even Rouault <even.rouault@spatialys.com> | no | | | 2022-02-05 |
CVE-2022-22844.patch | [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where count is required (fixes #355) | 4ugustus <wangdw.augustus@qq.com> | no | | | 2022-01-25 |
CVE-2022-0865.patch | [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD in memory-mapped mode and when bit reversal is needed (fixes #385) | Even Rouault <even.rouault@spatialys.com> | no | | | 2022-02-24 |
CVE-2022-0908.patch | [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null source pointer and size of zero (fixes #383) | Even Rouault <even.rouault@spatialys.com> | no | | | 2022-02-17 |
CVE-2022-0907.patch | [PATCH] add checks for return value of limitMalloc (#392) | Augustus <wangdw.augustus@qq.com> | no | | | 2022-03-07 |
CVE-2022-0909.patch | [PATCH] fix the FPE in tiffcrop (#393) | 4ugustus <wangdw.augustus@qq.com> | no | | | 2022-03-08 |
CVE-2022-0891.patch | [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in extractImageSection | Su Laus <sulau@freenet.de> | no | | | 2022-03-08 |
CVE-2022-0924.patch | [PATCH] fix heap buffer overflow in tiffcp (#278) | 4ugustus <wangdw.augustus@qq.com> | no | | | 2022-03-10 |
CVE-2022-1354.patch | [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319) to avoid having the size of the strip arrays inconsistent with the number of strips returned by TIFFNumberOfStrips(), which may cause out-of-bounds array read afterwards. One of the OJPEG hack that alters SamplesPerPixel may influence the number of strips. Hence compute tif_dir.td_nstrips only afterwards. | Even Rouault <even.rouault@spatialys.com> | no | | | 2021-12-05 |
CVE-2022-1355.patch | [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400) | Su_Laus <sulau@freenet.de> | no | | | 2022-04-02 |
CVE-2022-1622.patch | [PATCH] tif_lzw.c: fix potential out-of-bounds error when trying to read in the same tile/strip after an error has occurred (fixes #410) | Even Rouault <even.rouault@spatialys.com> | no | | | 2022-04-22 |
CVE-2022-2056.patch | [PATCH] fix the FPE in tiffcrop (#415, #427, and #428) | 4ugustus <wangdw.augustus@qq.com> | no | | | 2022-06-11 |
CVE-2022-2867.patch | [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting uint32 underflow. | Su Laus <sulau@freenet.de> | no | | | 2022-02-09 |
CVE-2022-3570.patch | [PATCH] tiffcrop subroutines require a larger buffer (fixes #271, #381, #386, #388, #389, #435) | Su Laus <sulau@freenet.de> | no | | | 2022-10-13 |
0004-tiffcrop-correctly-update-buffersize-after-rotateIma.patch | tiffcrop correctly update buffersize after rotateImage() fix#520 rotateImage() set up a new buffer and calculates its size individually. Therefore, seg_buffs[] size needs to be updated accordingly. Before this fix, the seg_buffs buffer size was calculated with a different formula than within rotateImage(). Closes #520. | Su_Laus <sulau@freenet.de> | no | | | 2023-02-03 |
0005-tiffcrop-correctly-update-buffersize-after-rotateIma.patch | tiffcrop correctly update buffersize after rotateImage() fix#520 -- enlarge buffsize and check integer overflow within rotateImage(). | Su_Laus <sulau@freenet.de> | no | | | 2023-02-04 |
CVE-2023-0795.patch | CVE-2023-0795 This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, CVE-2023-0799. | Markus Koschany <apo@debian.org> | no | debian | https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 | 2023-02-21 |
0002-TIFFClose-avoid-NULL-pointer-dereferencing.-fix-515.patch | TIFFClose() avoid NULL pointer dereferencing. fix#515 Closes #515 | Su_Laus <sulau@freenet.de> | no | | | 2023-02-03 |
0003-Consider-error-return-of-writeSelections.patch | Consider error return of writeSelections(). Fixes #553 | Su_Laus <sulau@freenet.de> | no | | | 2023-05-05 |
CVE-2022-3599.patch | [PATCH] Revised handling of TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: Behaviour for writing: `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. `NumberOfInks` is automatically set when `InkNames` is set. If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. Behaviour for reading: When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. | Su_Laus <sulau@freenet.de> | no | | | 2022-08-30 |
CVE-2022-3597.patch | References: * https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf * https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047 | Su_Laus <sulau@freenet.de> | no | | | |
CVE-2022-3970.patch | [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on strips/tiles > 2 GB Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 | Even Rouault <even.rouault@spatialys.com> | no | | | 2022-11-08 |
CVE-2022-34526.patch | [PATCH] _TIFFCheckFieldIsValidForCodec(): return FALSE when passed a codec-specific tag and the codec is not configured (fixes #433) This avoids crashes when querying such tags | Even Rouault <even.rouault@spatialys.com> | no | | | 2022-06-27 |
CVE-2022-48281.patch | [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. | Su Laus <sulau@freenet.de> | no | | | 2023-01-21 |
CVE-2023-0800.patch | CVE-2023-0800 This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, CVE-2023-0804. | Markus Koschany <apo@debian.org> | no | debian | https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 | 2023-02-21 |
CVE-2023-3576.patch | [PATCH] Fix memory leak in tiffcrop.c | zhailiangliang <zhailiangliang@loongson.cn> | no | | | 2023-03-07 |
CVE-2023-40745.patch | [PATCH] tiffcp: fix memory corruption (overflow) on hostile images (fixes #591) | Arie Haenel <arie.haenel@jct.ac.il> | no | | | 2023-07-19 |
CVE-2023-41175.patch | [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes #592) | Arie Haenel <arie.haenel@jct.ac.il> | no | | | 2023-07-19 |
0001-countInkNamesString-fix-UndefinedBehaviorSanitizer-a.patch | countInkNamesString(): fix `UndefinedBehaviorSanitizer`: applying zero offset to null pointer | xiaoxiaoafeifei <lliangliang2007@163.com> | no | | | 2023-04-21 |