From 21cdd75b44d4aa017c3df163cad6a932005398e9 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Thu, 29 Aug 2024 23:49:28 +0200
Subject: [PATCH] fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927)
Resolves: RHEL-52927
---
libtiff-4.6.0-CVE-2024-7006.patch | 46 +++++++++++++++++++++++++++++++
libtiff.spec | 9 +++++-
2 files changed, 54 insertions(+), 1 deletion(-)
create mode 100644 libtiff-4.6.0-CVE-2024-7006.patch
diff --git a/libtiff-4.6.0-CVE-2024-7006.patch b/libtiff-4.6.0-CVE-2024-7006.patch
new file mode 100644
index 0000000..1c7d72a
--- /dev/null
+++ b/libtiff-4.6.0-CVE-2024-7006.patch
@@ -0,0 +1,46 @@
+diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c
+--- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 2024-08-16 00:35:35.339965778 +0200
++++ tiff-4.4.0/libtiff/tif_dirinfo.c 2024-08-16 00:54:58.255221954 +0200
+@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint
+ fld = TIFFFindField(tif, tag, dt);
+ if (fld == NULL) {
+ fld = _TIFFCreateAnonField(tif, tag, dt);
+- if (!_TIFFMergeFields(tif, fld, 1))
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ return NULL;
+ }
+
+diff -up tiff-4.0.9/libtiff/tif_dirread.c~ tiff-4.0.9/libtiff/tif_dirread.c
+--- tiff-4.0.9/libtiff/tif_dirread.c~ 2024-08-29 23:31:19.884308223 +0200
++++ tiff-4.0.9/libtiff/tif_dirread.c 2024-08-29 23:31:19.909308479 +0200
+@@ -3667,11 +3667,10 @@ TIFFReadDirectory(TIFF* tif)
+ dp->tdir_tag,dp->tdir_tag);
+ /* the following knowingly leaks the
+ anonymous field structure */
+- if (!_TIFFMergeFields(tif,
+- _TIFFCreateAnonField(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1)) {
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
++ {
+ TIFFWarningExt(tif->tif_clientdata,
+ module,
+ "Registering anonymous field with tag %d (0x%x) failed",
+@@ -4392,10 +4391,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Unknown field with tag %d (0x%x) encountered",
+ dp->tdir_tag, dp->tdir_tag);
+- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1)) {
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
++ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Registering anonymous field with tag %d (0x%x) failed",
+ dp->tdir_tag, dp->tdir_tag);
diff --git a/libtiff.spec b/libtiff.spec
index 4ce811f..071e6cc 100644
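Review bot: The tif_dirinfo.c section of the embedded patch carries `tiff-4.4.0` headers and 4.4.0 line numbers (`@@ -824,7 +824,7 @@`), while the tif_dirread.c section and the spec are for 4.0.9, so that hunk can only apply by offset or fuzz; regenerate it against the 4.0.9 tree, or confirm in the `%prep` log that it landed in `_TIFFFindOrRegisterField`, so the CVE-2024-7006 guard is known to sit where intended. The new `fld == NULL ||` test closes the NULL dereference at the three call sites shown, but a non-NULL `fld` is still leaked when `_TIFFMergeFields` fails, as the retained comment in `TIFFReadDirectory` says. All three enclosing functions begin and end outside their hunks, so any other caller that passes an unchecked `_TIFFCreateAnonField` result to `_TIFFMergeFields` cannot be ruled out from here. I would also open the patch file with a provenance line such as `Backport of upstream 3705f82b6483c7906cf08cd6b9dcdcd59c61d779 to 4.0.9: check _TIFFCreateAnonField() result before _TIFFMergeFields().`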
--- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.0.9 -Release: 32%{?dist} +Release: 33%{?dist} License: libtiff Group: System Environment/Libraries URL: http://www.simplesystems.org/libtiff/ @@ -55,6 +55,10 @@ Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch +# from upstream, for <=4.6.0, RHEL-52927 +# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 +Patch44: libtiff-4.6.0-CVE-2024-7006.patch + BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -207,6 +211,9 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Thu Aug 29 2024 Michal Hlavinka - 4.0.9-33 +- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927) + * Thu May 16 2024 Matej Mužila - 4.0.9-32 - Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209 - Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406
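Review bot: `Patch44:` is declared in the `@@ -55,6 +55,10 @@` hunk, but this commit makes no `%prep` change (the diffstat's 8 added lines are all accounted for by the Release bump, the four lines of this hunk and the changelog entry), so the patch is applied only if `%prep` uses `%autosetup` or `%autopatch`; if the spec applies patches with explicit `%patch` lines, a matching line is needed or the CVE-2024-7006 fix ships unapplied. `%prep` is outside the visible hunks, so this needs checking against the full spec and the build log. The tag also breaks the four-digit numbering of its neighbours; `Patch0044: libtiff-4.6.0-CVE-2024-7006.patch` would keep the list consistent.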