From ac02a92b90ebbaa40c91f5468072379456d4c8ef Mon Sep 17 00:00:00 2001
From: baiguo
Date: Tue, 13 Aug 2024 10:10:56 +0800
Subject: [PATCH] fix CVE-2024-7006
(cherry picked from commit 7ad5daf6c827818c60ea51ee4851b489e5c5fc88)
---
 backport-CVE-2024-7006.patch | 64 ++++++++++++++++++++++++++++++++++++
 libtiff.spec | 10 ++++--
 2 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2024-7006.patch
diff --git a/backport-CVE-2024-7006.patch b/backport-CVE-2024-7006.patch
new file mode 100644
index 0000000..820184e
--- /dev/null
+++ b/backport-CVE-2024-7006.patch
@@ -0,0 +1,64 @@
+From a91566b32d107e86c4ea0b10bbcb5ce089005cb7 Mon Sep 17 00:00:00 2001
+From: Su Laus
+Date: Tue, 13 Aug 2024 09:42:15 +0800
+Subject: [PATCH] fix CVE-2024-7006
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e
+Check return value of _TIFFCreateAnonField().
+Fixes #624 (closed)
+
+---
+ libtiff/tif_dirinfo.c | 2 +-
+ libtiff/tif_dirread.c | 17 ++++++++---------
+ 2 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index a212d01..755693c 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt)
+ fld = TIFFFindField(tif, tag, dt);
+ if (fld == NULL) {
+ fld = _TIFFCreateAnonField(tif, tag, dt);
+- if (!_TIFFMergeFields(tif, fld, 1))
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ return NULL;
+ }
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index ed88e80..4e2b53e 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3734,11 +3734,10 @@ TIFFReadDirectory(TIFF* tif)
+ dp->tdir_tag,dp->tdir_tag);
+ /* the following knowingly leaks the
+ anonymous field structure */
+- if (!_TIFFMergeFields(tif,
+- _TIFFCreateAnonField(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1)) {
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
++ {
+ TIFFWarningExt(tif->tif_clientdata,
+ module,
+ "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+@@ -4500,10 +4499,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
+ dp->tdir_tag, dp->tdir_tag);
+- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1)) {
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
++ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+ dp->tdir_tag, dp->tdir_tag);
+--
+2.27.0
+
diff --git a/libtiff.spec b/libtiff.spec
index 5cf06de..2c757e8 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,6 +1,6 @@ Name: libtiff Version: 4.3.0 -Release: 37 +Release: 38 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/
@@ -54,7 +54,7 @@ Patch9000: fix-raw2tiff-floating-point-exception.patch Patch9001: backport-0001-CVE-2023-6277.patch Patch9002: backport-0002-CVE-2023-6277.patch Patch9003: backport-0003-CVE-2023-6277.patch - +Patch9004: backport-CVE-2024-7006.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig
@@ -175,6 +175,12 @@ find html -name 'Makefile*' | xargs rm %exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Tue Aug 13 2024 baiguo - 4.3.0-38 +- Type:CVE +- ID:CVE-2024-7006 +- SUG:NA +- DESC:fix CVE-2024-7006 + * Mon May 20 2024 lingsheng - 4.3.0-37 - Type:CVE - ID:CVE-2023-1916,CVE-2023-3164
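Review bot: None of the three new `fld == NULL ||` tests in backport-CVE-2024-7006.patch says why it has to sit in front of `_TIFFMergeFields()`, so a later refactor of `_TIFFFindOrRegisterField` (tif_dirinfo.c) or of the `TIFFReadDirectory` and `TIFFReadCustomDirectory` call sites (tif_dirread.c) could reorder or drop the operand unnoticed. A one-line comment above each test would pin it, for example `/* _TIFFCreateAnonField() can return NULL; never hand that to _TIFFMergeFields() */`. Separately, when the field is created but the merge fails, the visible lines neither release `fld` nor store it, and only the `TIFFReadDirectory` site carries the existing "knowingly leaks the anonymous field structure" comment; if the same is intended at the other two sites, that comment belongs there too. This is inferred from the hunks alone, since all three enclosing functions start and end outside them and any cleanup after the warning is not visible here.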