import UBI libtiff-4.0.9-33.el8_10

SOURCES/libtiff-4.6.0-CVE-2024-7006.patch

@@ -0,0 +1,46 @@
+diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c
+--- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006	2024-08-16 00:35:35.339965778 +0200
++++ tiff-4.4.0/libtiff/tif_dirinfo.c	2024-08-16 00:54:58.255221954 +0200
+@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint
+ 	fld = TIFFFindField(tif, tag, dt);
+ 	if (fld == NULL) {
+ 		fld = _TIFFCreateAnonField(tif, tag, dt);
+-		if (!_TIFFMergeFields(tif, fld, 1))
++		if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ 			return NULL;
+ 	}
+ 
+diff -up tiff-4.0.9/libtiff/tif_dirread.c~ tiff-4.0.9/libtiff/tif_dirread.c
+--- tiff-4.0.9/libtiff/tif_dirread.c~	2024-08-29 23:31:19.884308223 +0200
++++ tiff-4.0.9/libtiff/tif_dirread.c	2024-08-29 23:31:19.909308479 +0200
+@@ -3667,11 +3667,10 @@ TIFFReadDirectory(TIFF* tif)
+ 				    dp->tdir_tag,dp->tdir_tag);
+                                 /* the following knowingly leaks the 
+                                    anonymous field structure */
+-				if (!_TIFFMergeFields(tif,
+-					_TIFFCreateAnonField(tif,
+-						dp->tdir_tag,
+-						(TIFFDataType) dp->tdir_type),
+-					1)) {
++				const TIFFField *fld = _TIFFCreateAnonField(
++					tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++				if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
++				{
+ 					TIFFWarningExt(tif->tif_clientdata,
+ 					    module,
+ 					    "Registering anonymous field with tag %d (0x%x) failed",
+@@ -4392,10 +4391,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_
+ 			TIFFWarningExt(tif->tif_clientdata, module,
+ 			    "Unknown field with tag %d (0x%x) encountered",
+ 			    dp->tdir_tag, dp->tdir_tag);
+-			if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
+-						dp->tdir_tag,
+-						(TIFFDataType) dp->tdir_type),
+-					     1)) {
++		const TIFFField *fld = _TIFFCreateAnonField(
++				tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++			if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
++			{
+ 				TIFFWarningExt(tif->tif_clientdata, module,
+ 				    "Registering anonymous field with tag %d (0x%x) failed",
+ 				    dp->tdir_tag, dp->tdir_tag);

SPECS/libtiff.spec

@@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       32%{?dist}
+Release:       33%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@@ -55,6 +55,10 @@ Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch
 Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch
 Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
 
+# from upstream, for <=4.6.0, RHEL-52927
+# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
+Patch44:       libtiff-4.6.0-CVE-2024-7006.patch
+
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
@@ -207,6 +211,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Thu Aug 29 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-33
+- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927)
+
 * Thu May 16 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-32
 - Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209
 - Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406