From 8200d186fdaddd34b752e160a18d02b8016fbc29 Mon Sep 17 00:00:00 2001
From: wangguochun
Date: Tue, 13 Aug 2024 09:49:28 +0800
Subject: [PATCH] fix CVE-2024-7006
(cherry picked from commit 26f86e195c26776eb9353b22f013754d86779d87)
---
backport-0004-CVE-2024-7006.patch | 61 +++++++++++++++++++++++++++++++
libtiff.spec | 6 ++-
2 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 backport-0004-CVE-2024-7006.patch
diff --git a/backport-0004-CVE-2024-7006.patch b/backport-0004-CVE-2024-7006.patch
new file mode 100644
index 0000000..cbde7a3
--- /dev/null
+++ b/backport-0004-CVE-2024-7006.patch
@@ -0,0 +1,61 @@
+From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
+From: Su_Laus
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+
+Fixes #624
+---
+ libtiff/tif_dirinfo.c | 2 +-
+ libtiff/tif_dirread.c | 16 ++++++----------
+ 2 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index bff7592a..2338ca21 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
+ if (fld == NULL)
+ {
+ fld = _TIFFCreateAnonField(tif, tag, dt);
+- if (!_TIFFMergeFields(tif, fld, 1))
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ return NULL;
+ }
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index c7969414..242912f3 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif)
+ dp->tdir_tag, dp->tdir_tag);
+ /* the following knowingly leaks the
+ anonymous field structure */
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
+ TIFFWarningExtR(
+ tif, module,
+@@ -5156,11 +5154,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
+ "Unknown field with tag %" PRIu16 " (0x%" PRIx16
+ ") encountered",
+ dp->tdir_tag, dp->tdir_tag);
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
+ TIFFWarningExtR(tif, module,
+ "Registering anonymous field with tag %" PRIu16
+--
+GitLab
+
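Review bot: The `fld == NULL` guard is repeated at each of the three call sites (`_TIFFFindOrRegisterField`, `TIFFReadDirectory`, `TIFFReadCustomDirectory`), while `_TIFFMergeFields()` itself is not touched by this backport, so any caller outside these hunks that passes an unchecked `_TIFFCreateAnonField()` result would still hand it a NULL field array. It is worth grepping the packaged 4.6.0 tree for other callers, or having `_TIFFMergeFields()` return 0 early when its array argument is NULL, so the check lives in one place. Separately, when the create succeeds and the merge fails, `fld` is dropped without being released (the `return NULL` in `_TIFFFindOrRegisterField`, and the warning branch in the two readers); the existing `/* the following knowingly leaks the anonymous field structure */` comment does not say whether it is meant to cover that failure path, and a one-line comment such as `/* fld is not freed if the merge fails */` at each site would make that explicit. All three functions begin and end outside the quoted hunks, so what follows the warning branches could not be checked here.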
diff --git a/libtiff.spec b/libtiff.spec index fe97af4..4b9f815 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,6 +1,6 @@ Name: libtiff Version: 4.6.0 -Release: 2 +Release: 3 Summary: TIFF Library and Utilities License: libtiff URL: https://libtiff.gitlab.io/libtiff/ @@ -10,6 +10,7 @@ Patch6000: backport-CVE-2023-6228.patch Patch6001: backport-0001-CVE-2023-6277.patch Patch6002: backport-0002-CVE-2023-6277.patch Patch6003: backport-0003-CVE-2023-6277.patch +Patch6004: backport-0004-CVE-2024-7006.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -129,6 +130,9 @@ find doc -name 'Makefile*' | xargs rm %exclude %{_mandir}/man1/* %changelog +* Tue Aug 13 2024 wangguochun - 4.6.0-3 +- fix CVE-2024-7006 + * Mon Jul 22 2024 xuguangmin - 4.6.0-2 - Fix incorrect dates in the ChangeLog section of the spec file.