fix CVE-2023-6228

backport-CVE-2023-6228.patch

@@ -0,0 +1,27 @@
+From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 9 Sep 2023 15:45:47 +0200
+Subject: [PATCH] Check also if codec of input image is available,
+ independently from codec check of output image and return with error if not.
+ Fixes #606.
+
+---
+ tools/tiffcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index aff06260..2628bdbb 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out)
+     if (!TIFFIsCODECConfigured(compression))
+         return FALSE;
+     TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
++    if (!TIFFIsCODECConfigured(input_compression))
++        return FALSE;
+     TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
+     if (input_compression == COMPRESSION_JPEG)
+     {
+-- 
+GitLab
+

libtiff.spec

@@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.5.1
-Release:        1
+Release:        2
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@@ -8,6 +8,7 @@ Source0:        https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
 
 Patch6000:      backport-CVE-2023-38288.patch
 Patch6001:      backport-CVE-2023-38289.patch
+Patch6002:      backport-CVE-2023-6228.patch
 
 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires:  libtool automake autoconf pkgconfig
@@ -127,6 +128,9 @@ find doc -name 'Makefile*' | xargs rm
 %exclude %{_mandir}/man1/*
 
 %changelog
+* Tue Nov 21 2023 liningjie <liningjie@xfusion.com> - 4.5.1-2
+- fix CVE-2023-6228
+
 * Mon Jul 24 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.5.1-1
 - update 4.5.1