Accepting request 1194640 from graphics

- security update: * CVE-2024-7006 [bsc#1228924] Fix pointer deref in tif_dirinfo.c + tiff-CVE-2024-7006.patch OBS-URL: https://build.opensuse.org/request/show/1194640 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tiff?expand=0&rev=96
- security update:
2024-08-20 14:12:38 +00:00 · 2024-08-19 06:31:33 +00:00
3 changed files with 58 additions and 0 deletions
--- a/tiff-CVE-2024-7006.patch
+++ b/tiff-CVE-2024-7006.patch
@ -0,0 +1,49 @@
+Upstream:
+3705f82b6483c7906cf08cd6b9dcdcd59c61d779
+Index: tiff-4.6.0/libtiff/tif_dirinfo.c
+===================================================================
+--- tiff-4.6.0.orig/libtiff/tif_dirinfo.c
+++ tiff-4.6.0/libtiff/tif_dirinfo.c
+@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterFiel
+     if (fld == NULL)
+     {
+         fld = _TIFFCreateAnonField(tif, tag, dt);
+-        if (!_TIFFMergeFields(tif, fld, 1))
+        if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+             return NULL;
+     }
+ 
+Index: tiff-4.6.0/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.6.0.orig/libtiff/tif_dirread.c
+++ tiff-4.6.0/libtiff/tif_dirread.c
+@@ -4260,11 +4260,9 @@ int TIFFReadDirectory(TIFF *tif)
+                                 dp->tdir_tag, dp->tdir_tag);
+                 /* the following knowingly leaks the
+                    anonymous field structure */
+-                if (!_TIFFMergeFields(
+-                        tif,
+-                        _TIFFCreateAnonField(tif, dp->tdir_tag,
+-                                             (TIFFDataType)dp->tdir_type),
+-                        1))
+				const TIFFField *fld = _TIFFCreateAnonField(
+                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+                 {
+                     TIFFWarningExtR(
+                         tif, module,
+@@ -5138,11 +5136,9 @@ int TIFFReadCustomDirectory(TIFF *tif, t
+                             "Unknown field with tag %" PRIu16 " (0x%" PRIx16
+                             ") encountered",
+                             dp->tdir_tag, dp->tdir_tag);
+-            if (!_TIFFMergeFields(
+-                    tif,
+-                    _TIFFCreateAnonField(tif, dp->tdir_tag,
+-                                         (TIFFDataType)dp->tdir_type),
+-                    1))
+			const TIFFField *fld = _TIFFCreateAnonField(
+                tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+            if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+             {
+                 TIFFWarningExtR(tif, module,
+                                 "Registering anonymous field with tag %" PRIu16
--- a/tiff.changes
+++ b/tiff.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Aug 19 06:30:27 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- security update:
+  * CVE-2024-7006 [bsc#1228924]
+    Fix pointer deref in tif_dirinfo.c
+    + tiff-CVE-2024-7006.patch
+
 -------------------------------------------------------------------
 Fri Jan 26 09:59:33 UTC 2024 - Michael Vetter <mvetter@suse.com>

--- a/tiff.spec
+++ b/tiff.spec
@ -32,6 +32,7 @@ Source3:        baselibs.conf
 Source99:       tiff.keyring
 Patch0:         tiff-4.0.3-seek.patch
 Patch1:         tiff-CVE-2023-52356.patch
+Patch2:         tiff-CVE-2024-7006.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libjbig-devel
 BuildRequires:  libjpeg-devel