!257 [sync] PR-253: fix CVE-2024-7006

From: @openeuler-sync-bot Reviewed-by: @t_feng Signed-off-by: @t_feng
2024-08-16 02:10:51 +00:00 · 2024-08-16 02:10:51 +00:00 · ae2badaad4
commit ae2badaad4
parent 1426d4a7c2 ac02a92b90
2 changed files with 72 additions and 2 deletions
--- a/backport-CVE-2024-7006.patch
+++ b/backport-CVE-2024-7006.patch
@ -0,0 +1,64 @@
 From a91566b32d107e86c4ea0b10bbcb5ce089005cb7 Mon Sep 17 00:00:00 2001
 From: Su Laus <sulau@freenet.de>
 Date: Tue, 13 Aug 2024 09:42:15 +0800
 Subject: [PATCH] fix CVE-2024-7006
 Reference:https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e
 Check return value of _TIFFCreateAnonField().
 Fixes #624 (closed)
 ---
 libtiff/tif_dirinfo.c |  2 +-
 libtiff/tif_dirread.c | 17 ++++++++---------
 2 files changed, 9 insertions(+), 10 deletions(-)
 diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
 index a212d01..755693c 100644
 --- a/libtiff/tif_dirinfo.c
 +++ b/libtiff/tif_dirinfo.c
@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt)
 	fld = TIFFFindField(tif, tag, dt);
 	if (fld == NULL) {
 		fld = _TIFFCreateAnonField(tif, tag, dt);
 -		if (!_TIFFMergeFields(tif, fld, 1))
 +		if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))		
 			return NULL;
 	}
 diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
 index ed88e80..4e2b53e 100644
 --- a/libtiff/tif_dirread.c
 +++ b/libtiff/tif_dirread.c
@@ -3734,11 +3734,10 @@ TIFFReadDirectory(TIFF* tif)
 				    dp->tdir_tag,dp->tdir_tag);
 				/* the following knowingly leaks the 
 				   anonymous field structure */
 -				if (!_TIFFMergeFields(tif,
 -					_TIFFCreateAnonField(tif,
 -						dp->tdir_tag,
 -						(TIFFDataType) dp->tdir_type),
 -					1)) {
 +                                const TIFFField *fld = _TIFFCreateAnonField(
 +                                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
 +                                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))				
 +				{
 					TIFFWarningExt(tif->tif_clientdata,
 					    module,
 					    "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
@@ -4500,10 +4499,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
 			TIFFWarningExt(tif->tif_clientdata, module,
 			    "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
 			    dp->tdir_tag, dp->tdir_tag);
 -			if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
 -						dp->tdir_tag,
 -						(TIFFDataType) dp->tdir_type),
 -					     1)) {
 +                        const TIFFField *fld = _TIFFCreateAnonField(
 +                             tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
 +                        if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))			
 +			{
 				TIFFWarningExt(tif->tif_clientdata, module,
 				    "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
 				    dp->tdir_tag, dp->tdir_tag);
 -- 
 2.27.0
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.3.0
-Release:        37
+Release:        38
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@ -54,7 +54,7 @@ Patch9000:	fix-raw2tiff-floating-point-exception.patch
 Patch9001:	backport-0001-CVE-2023-6277.patch
 Patch9002:	backport-0002-CVE-2023-6277.patch
 Patch9003:	backport-0003-CVE-2023-6277.patch
-
+Patch9004:      backport-CVE-2024-7006.patch
 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires:  libtool automake autoconf pkgconfig 
@ -175,6 +175,12 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 %changelog
 * Tue Aug 13 2024 baiguo <baiguo@kylinos.cn> - 4.3.0-38
 - Type:CVE
 - ID:CVE-2024-7006
 - SUG:NA
 - DESC:fix CVE-2024-7006
 * Mon May 20 2024 lingsheng <lingsheng1@h-partners.com> - 4.3.0-37
 - Type:CVE
 - ID:CVE-2023-1916,CVE-2023-3164