From 22b43237f80439f1de60b67b03bde1716f5a41c9 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Tue, 22 Apr 2025 16:58:19 +0200 Subject: [PATCH] fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-17337) note:intentionaly spec file change only, no patch yet, for infra testing Resolves: RHEL-17337 --- libtiff.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libtiff.spec b/libtiff.spec index ad2483b..d314974 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.4.0 -Release: 13%{?dist} +Release: 14%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -39,6 +39,9 @@ Patch0022: 0022-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch # from upstream, for <=4.6.0, RHEL-52931 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 Patch23: libtiff-4.6.0-CVE-2024-7006.patch +# from upstream, for <=4.6.0, RHEL-17337 +# https://gitlab.com/libtiff/libtiff/-/merge_requests/546.patch +Patch24: libtiff-4.4.0-CVE-2023-52356.patch BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel @@ -191,6 +194,9 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Tue Apr 22 2025 Michal Hlavinka - 4.4.0-14 +- fix CVE-2023-52356: libtiff could crash in TIFFReadRGBATileExt when parsing crafted tiff file (RHEL-17337) + * Wed Aug 21 2024 Michal Hlavinka - 4.4.0-13 - fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52931)