From ac106b15435f244ad3e72675caa663286884ef68 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Thu, 29 Aug 2024 18:14:46 +0200
Subject: [PATCH] fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52926)
Resolves: RHEL-52926
---
 libtiff-4.6.0-CVE-2024-7006.patch | 47 +++++++++++++++++++++++++++++++
 libtiff.spec | 12 ++++++--
 2 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 libtiff-4.6.0-CVE-2024-7006.patch
diff --git a/libtiff-4.6.0-CVE-2024-7006.patch b/libtiff-4.6.0-CVE-2024-7006.patch
new file mode 100644
index 0000000..78b5a1c
--- /dev/null
+++ b/libtiff-4.6.0-CVE-2024-7006.patch
@@ -0,0 +1,47 @@
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index bff7592a8fd92d24b591b6d342fa98922246db8c..2338ca21c82295ee8ab3da86035d43398fef8efc 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
+ if (fld == NULL)
+ {
+ fld = _TIFFCreateAnonField(tif, tag, dt);
+- if (!_TIFFMergeFields(tif, fld, 1))
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ return NULL;
+ }
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index c79694145c30d70901a84bcb8932a2fcf5ad24dd..242912f3be5d15548510ce77ac791e53b112e417 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif)
+ dp->tdir_tag, dp->tdir_tag);
+ /* the following knowingly leaks the
+ anonymous field structure */
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
+ TIFFWarningExtR(
+ tif, module,
+@@ -5156,11 +5154,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
+ "Unknown field with tag %" PRIu16 " (0x%" PRIx16
+ ") encountered",
+ dp->tdir_tag, dp->tdir_tag);
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
+ TIFFWarningExtR(tif, module,
+ "Registering anonymous field with tag %" PRIu16
diff --git a/libtiff.spec b/libtiff.spec
index 181d45f..b13010c 100644
--- a/libtiff.spec
+++ b/libtiff.spec
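Review bot: The NULL check on the `_TIFFCreateAnonField` result is added at three call sites (`_TIFFFindOrRegisterField`, `TIFFReadDirectory`, `TIFFReadCustomDirectory`), while `_TIFFMergeFields` itself is untouched by this backport, so it presumably still dereferences whatever array it is handed. Before shipping, confirm that 4.6.0 has no other caller that passes an unchecked `_TIFFCreateAnonField` result, or add an early `NULL` rejection in `_TIFFMergeFields` as defence in depth. In `_TIFFFindOrRegisterField` the `return NULL;` path also appears to drop a non-NULL `fld` when the merge fails; the `TIFFReadDirectory` hunk carries a comment that the leak is deliberate, and a matching comment such as `/* fld is knowingly leaked if the merge fails */` would make that explicit here. All three functions start and end outside the quoted hunks, so the surrounding error handling is not visible.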
@@ -1,7 +1,7 @@ Summary: Library of functions for manipulating TIFF format image files Name: libtiff Version: 4.6.0 -Release: 3%{?dist} +Release: 4%{?dist} License: libtiff URL: http://www.simplesystems.org/libtiff/ @@ -9,6 +9,10 @@ Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz Patch0: libtiff-am-version.patch +# from upstream, for <=4.6.0, RHEL-52926 +# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 +Patch1: libtiff-4.6.0-CVE-2024-7006.patch + BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel BuildRequires: libtool automake autoconf pkgconfig @@ -60,7 +64,8 @@ image files using the libtiff library. %prep %autosetup -n tiff-%{version} -N -%patch0 -p1 -b .backup +%patch -P 0 -p1 -b .backup +%patch -P 1 -p1 -b .CVE-2024-7006 # Use build system's libtool.m4, not the one in the package. rm -f libtool.m4 @@ -164,6 +169,9 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check %{_mandir}/man1/* %changelog +* Wed Aug 21 2024 Michal Hlavinka - 4.6.0-4 +- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52926) + * Mon Jun 24 2024 Troy Dawson - 4.6.0-3 - Bump release for June 2024 mass rebuild