From d9499302658d492b1557beceb1f30d95b74898cf Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Thu, 9 Jul 2026 03:45:24 +0530 Subject: [PATCH] [AutoPR- Security] Patch libtiff for CVE-2026-12912 [HIGH] (#17903) Co-authored-by: akhila-guruju (cherry picked from commit e2a25c05823dafe777ac8ee261ce6751905d7751) --- SPECS/libtiff/CVE-2026-12912.patch | 54 ++++++++++++++++++++++++++++++ SPECS/libtiff/libtiff.spec | 6 +++- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 SPECS/libtiff/CVE-2026-12912.patch diff --git a/SPECS/libtiff/CVE-2026-12912.patch b/SPECS/libtiff/CVE-2026-12912.patch new file mode 100644 index 00000000000..69a7f044391 --- /dev/null +++ b/SPECS/libtiff/CVE-2026-12912.patch @@ -0,0 +1,54 @@ +From ba2b04b114c5dd945107ccc613cedfcca3af73bb Mon Sep 17 00:00:00 2001 +From: waugustus +Date: Thu, 23 Apr 2026 17:05:53 +0800 +Subject: [PATCH] pixarlog: fix heap-buffer-overflow in 8BITABGR decode + with stride 3 (#824) & pixarlog: add comment explaining 4-byte advance in ABGR decode + + +Upstream Patch reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/873.patch +--- + libtiff/tif_pixarlog.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c +index 5c0346b..6570411 100644 +--- a/libtiff/tif_pixarlog.c ++++ b/libtiff/tif_pixarlog.c +@@ -864,6 +864,19 @@ static int PixarLogDecode(TIFF *tif, uint8_t *op, tmsize_t occ, uint16_t s) + + llen = sp->stride * td->td_imagewidth; + ++ /* Fix: ABGR with stride=3 expands 3 samples to 4 output bytes per pixel */ ++ if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3) ++ { ++ tmsize_t required = (tmsize_t)td->td_imagewidth * 4; ++ if (occ < required) ++ { ++ TIFFErrorExtR(tif, module, ++ "Output buffer too small for PixarLog ABGR data"); ++ memset(op, 0, (size_t)occ); ++ return (0); ++ } ++ } ++ + (void)s; + assert(sp != NULL); + +@@ -972,7 +985,13 @@ static int PixarLogDecode(TIFF *tif, uint8_t *op, tmsize_t occ, uint16_t s) + case PIXARLOGDATAFMT_8BITABGR: + horizontalAccumulate8abgr(up, llen, sp->stride, + (unsigned char *)op, sp->ToLinear8); +- op += llen * sizeof(unsigned char); ++ ++ /* For stride == 3 (RGB), horizontalAccumulate8abgr expands to 4 ++ * bytes/pixel (ABGR) */ ++ if (sp->stride == 3) ++ op += (unsigned long)td->td_imagewidth * 4; ++ else ++ op += (unsigned long)llen * sizeof(unsigned char); + break; + default: + TIFFErrorExtR(tif, module, "Unsupported bits/sample: %" PRIu16, +-- +2.34.1 + diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index 6b5893c5d7f..1cd49be2945 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -1,7 +1,7 @@ Summary: TIFF libraries and associated utilities. Name: libtiff Version: 4.6.0 -Release: 13%{?dist} +Release: 14%{?dist} License: libtiff Vendor: Microsoft Corporation Distribution: Azure Linux @@ -24,6 +24,7 @@ Patch12: CVE-2025-8961.patch Patch13: CVE-2025-61143.patch Patch14: CVE-2025-61144.patch Patch15: CVE-2026-4775.patch +Patch16: CVE-2026-12912.patch BuildRequires: autoconf BuildRequires: automake @@ -80,6 +81,9 @@ make %{?_smp_mflags} -k check %exclude %{_docdir}/tiff-%{version}/LICENSE.md %changelog +* Fri Jul 03 2026 Azure Linux Security Servicing Account - 4.6.0-14 +- Patch for CVE-2026-12912 + * Thu Apr 23 2026 Azure Linux Security Servicing Account - 4.6.0-13 - Patch for CVE-2026-4775