From b03da4f6875a0673d8f749c25e2fb38fbbd4466d Mon Sep 17 00:00:00 2001
From: baiguo
Date: Tue, 13 Aug 2024 09:56:26 +0800
Subject: [PATCH] fix CVE-2024-7006
---
 backport-CVE-2024-7006.patch | 65 ++++++++++++++++++++++++++++++++++++
 libtiff.spec | 6 +++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-7006.patch
diff --git a/backport-CVE-2024-7006.patch b/backport-CVE-2024-7006.patch
new file mode 100644
index 0000000..5c5aa0c
--- /dev/null
+++ b/backport-CVE-2024-7006.patch
@@ -0,0 +1,65 @@
+From a91566b32d107e86c4ea0b10bbcb5ce089005cb7 Mon Sep 17 00:00:00 2001
+From: Su Laus
+Date: Tue, 13 Aug 2024 09:42:15 +0800
+Subject: [PATCH] fix CVE-2024-7006
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e
+Check return value of _TIFFCreateAnonField().
+Fixes #624 (closed)
+
+---
+ libtiff/tif_dirinfo.c | 2 +-
+ libtiff/tif_dirread.c | 18 +++++++-----------
+ 2 files changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 0e705e8..4cfdaad 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
+ if (fld == NULL)
+ {
+ fld = _TIFFCreateAnonField(tif, tag, dt);
+- if (!_TIFFMergeFields(tif, fld, 1))
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ return NULL;
+ }
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 122ec34..5ac7d94 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif)
+ dp->tdir_tag, dp->tdir_tag);
+ /* the following knowingly leaks the
+ anonymous field structure */
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
+ TIFFWarningExtR(
+ tif, module,
+@@ -5156,12 +5154,10 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
+ "Unknown field with tag %" PRIu16 " (0x%" PRIx16
+ ") encountered",
+ dp->tdir_tag, dp->tdir_tag);
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
+- {
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
++ {
+ TIFFWarningExtR(tif, module,
+ "Registering anonymous field with tag %" PRIu16
+ " (0x%" PRIx16 ") failed",
+--
+2.27.0
+
diff --git a/libtiff.spec b/libtiff.spec
index fe97af4..a995dfa 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,6 +1,6 @@
 Name: libtiff
 Version: 4.6.0
-Release: 2
+Release: 3
 Summary: TIFF Library and Utilities
 License: libtiff
 URL: https://libtiff.gitlab.io/libtiff/
@@ -10,6 +10,7 @@ Patch6000: backport-CVE-2023-6228.patch
 Patch6001: backport-0001-CVE-2023-6277.patch
 Patch6002: backport-0002-CVE-2023-6277.patch
 Patch6003: backport-0003-CVE-2023-6277.patch
+Patch6004: backport-CVE-2024-7006.patch
 BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
@@ -129,6 +130,9 @@ find doc -name 'Makefile*' | xargs rm
 %exclude %{_mandir}/man1/*
 %changelog
+* Tue 13 2024 baiguo - 4.6.0-3
+- fix CVE-2024-7006
+
 * Mon Jul 22 2024 xuguangmin - 4.6.0-2
 - Fix incorrect dates in the ChangeLog section of the spec file.
--
Gitee
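Review bot: The rewritten `if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))` in the TIFFReadDirectory and TIFFReadCustomDirectory hunks folds two different failures into one branch, and when it is the merge that fails, the field just returned by `_TIFFCreateAnonField()` appears to be dropped without being released. The existing comment in the TIFFReadDirectory hunk says the leak is deliberate, but the TIFFReadCustomDirectory site has no such note, and both sites are reached for directory entries with unknown tags, i.e. from file content. I would add a comment at both sites such as `/* fld == NULL: anonymous field could not be created; on merge failure fld is knowingly not freed */`. Separately, the last hunk removes and re-adds the `{` line with only its whitespace changed; keeping it as a context line would presumably keep the backport aligned with the referenced upstream commit. Both functions start and end outside the hunks shown.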
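Review bot: The new changelog header `* Tue 13 2024 baiguo - 4.6.0-3` has no month, so it does not follow the `* Day Mon DD YYYY` form used by the entry directly below it (`* Mon Jul 22 2024 ...`), and rpmbuild normally rejects such a line as a bad %changelog date. Going by the commit date in the patch header (Tue, 13 Aug 2024), the line should read `* Tue Aug 13 2024 baiguo - 4.6.0-3`. A security backport whose spec does not build does not reach users, so this is worth fixing before the release bump is merged.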