Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch libtiff for CVE-2025-61144, CVE-2025-61143 [Critical] - branch main" #15997

CBL-Mariner-Bot · azurelinux-security · web-flow · commit bdd8fd15fedf · 2026-02-25T15:06:59.000-08:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
diff --git a/SPECS/libtiff/CVE-2025-61143.patch b/SPECS/libtiff/CVE-2025-61143.patch
@@ -0,0 +1,56 @@
+From f42a3998f5dba33e187097367079f8ec920a20d5 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 5 Sep 2025 11:48:00 -0700
+Subject: [PATCH 1/2] avoid out-of-bounds read identified in #733
+
+---
+ archive/tools/tiffdither.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/archive/tools/tiffdither.c b/archive/tools/tiffdither.c
+index 0c86e7f..17673e7 100644
+--- a/archive/tools/tiffdither.c
++++ b/archive/tools/tiffdither.c
+@@ -87,6 +87,11 @@ static int fsdither(TIFF *in, TIFF *out)
+         fprintf(stderr, "Out of memory.\n");
+         goto skip_on_error;
+     }
++    if (imagewidth > TIFFScanlineSize(in))
++    {
++        fprintf(stderr, "Image width exceeds scanline size.\n");
++        goto skip_on_error;
++    }
+ 
+     /*
+      * Get first line
+-- 
+2.45.4
+
+
+From c88c56e1ad690bd55a3a2a18a9c68ab49059b11a Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 5 Sep 2025 12:11:13 -0700
+Subject: [PATCH 2/2] avoid null pointer dereference in tiffcrop #734
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/755.patch
+---
+ archive/tools/tiffcrop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archive/tools/tiffcrop.c b/archive/tools/tiffcrop.c
+index adfd0d2..f69efa8 100644
+--- a/archive/tools/tiffcrop.c
++++ b/archive/tools/tiffcrop.c
+@@ -2925,7 +2925,7 @@ int main(int argc, char *argv[])
+         if (dump.outfile != NULL)
+         {
+             dump_info(dump.outfile, dump.format, "", "Completed run for %s",
+-                      TIFFFileName(out));
++                      out ? TIFFFileName(out) : "(not opened)");
+             fclose(dump.outfile);
+         }
+     }
+-- 
+2.45.4
+
diff --git a/SPECS/libtiff/CVE-2025-61144.patch b/SPECS/libtiff/CVE-2025-61144.patch
@@ -0,0 +1,27 @@
+From d81d8d12a6a050865e09ed1e982a895994ba0dc0 Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 5 Sep 2025 13:01:12 -0700
+Subject: [PATCH] avoid buffer overflow in tiffcrop #740
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/757.patch
+---
+ archive/tools/tiffcrop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archive/tools/tiffcrop.c b/archive/tools/tiffcrop.c
+index f69efa8..998c6ab 100644
+--- a/archive/tools/tiffcrop.c
++++ b/archive/tools/tiffcrop.c
+@@ -4375,7 +4375,7 @@ static int combineSeparateSamplesBytes(unsigned char *srcbuffs[],
+     {
+         if ((dumpfile != NULL) && (level == 2))
+         {
+-            for (s = 0; s < spp; s++)
++            for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+             {
+                 dump_info(dumpfile, format, "combineSeparateSamplesBytes",
+                           "Input data, Sample %" PRIu16, s);
+-- 
+2.45.4
+
diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec
@@ -1,7 +1,7 @@
 Summary:        TIFF libraries and associated utilities.
 Name:           libtiff
 Version:        4.6.0
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        libtiff
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -21,6 +21,8 @@ Patch9:         CVE-2025-9165.patch
 Patch10:        CVE-2025-9900.patch
 Patch11:        CVE-2024-13978.patch
 Patch12:        CVE-2025-8961.patch
+Patch13:        CVE-2025-61143.patch
+Patch14:        CVE-2025-61144.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libjpeg-turbo-devel
@@ -73,6 +75,9 @@ make %{?_smp_mflags} -k check
 %{_docdir}/*
 
 %changelog
+* Wed Feb 25 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 4.6.0-12
+- Patch for CVE-2025-61144, CVE-2025-61143
+
 * Thu Nov 27 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 4.6.0-11
 - Patch for CVE-2025-8961
 
