import CS libtiff-4.4.0-13.el9

SOURCES/libtiff-4.6.0-CVE-2024-7006.patch

@@ -0,0 +1,46 @@
+diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c
+--- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006	2024-08-16 00:35:35.339965778 +0200
++++ tiff-4.4.0/libtiff/tif_dirinfo.c	2024-08-16 00:54:58.255221954 +0200
+@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint
+ 	fld = TIFFFindField(tif, tag, dt);
+ 	if (fld == NULL) {
+ 		fld = _TIFFCreateAnonField(tif, tag, dt);
+-		if (!_TIFFMergeFields(tif, fld, 1))
++		if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ 			return NULL;
+ 	}
+ 
+diff -up tiff-4.4.0/libtiff/tif_dirread.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirread.c
+--- tiff-4.4.0/libtiff/tif_dirread.c.CVE-2024-7006	2024-08-16 00:35:35.341965797 +0200
++++ tiff-4.4.0/libtiff/tif_dirread.c	2024-08-16 00:59:02.455017380 +0200
+@@ -4038,11 +4038,10 @@ TIFFReadDirectory(TIFF* tif)
+ 				    dp->tdir_tag,dp->tdir_tag);
+ 				/* the following knowingly leaks the 
+ 				   anonymous field structure */
+-				if (!_TIFFMergeFields(tif,
+-					_TIFFCreateAnonField(tif,
+-						dp->tdir_tag,
+-						(TIFFDataType) dp->tdir_type),
+-					1)) {
++				const TIFFField *fld = _TIFFCreateAnonField(
++					tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++				if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
++				{
+ 					TIFFWarningExt(tif->tif_clientdata,
+ 					    module,
+ 					    "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+@@ -4805,10 +4804,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_
+ 			TIFFWarningExt(tif->tif_clientdata, module,
+ 			    "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
+ 			    dp->tdir_tag, dp->tdir_tag);
+-			if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
+-						dp->tdir_tag,
+-						(TIFFDataType) dp->tdir_type),
+-					     1)) {
++			const TIFFField *fld = _TIFFCreateAnonField(
++				tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++			if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
++			{
+ 				TIFFWarningExt(tif->tif_clientdata, module,
+ 				    "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+ 				    dp->tdir_tag, dp->tdir_tag);

SPECS/libtiff.spec

@@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.4.0
-Release:       12%{?dist}
+Release:       13%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/
 
@@ -36,6 +36,10 @@ Patch0020: 0020-CVE-2023-3618-tiffcrop-fix-553-by-considering-error-.patch
 Patch0021: 0021-CVE-2023-40745-CVE-2023-41175-raw2tiff-fix-integer-o.patch
 Patch0022: 0022-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
 
+# from upstream, for <=4.6.0, RHEL-52931
+# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
+Patch23:       libtiff-4.6.0-CVE-2024-7006.patch
+
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
 BuildRequires: libtool automake autoconf pkgconfig
@@ -187,6 +191,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Wed Aug 21 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-13
+- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52931)
+
 * Thu Nov 23 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-12
 - Fix CVE-2023-6228
 - Resolves: RHEL-10084