From: Siddharth Doshi Date: Wed, 14 Aug 2024 18:19:23 +0000 (+0530) Subject: Tiff: Security fix for CVE-2024-7006 X-Git-Tag: yocto-5.2~2071 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5313b4b233a486e8a1483757ad9c9aed3a213aae;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git Tiff: Security fix for CVE-2024-7006 Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e] CVE's Fixed: CVE-2024-7006 libtiff: NULL pointer dereference in tif_dirinfo.c Signed-off-by: Siddharth Doshi Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch new file mode 100644 index 00000000000..785244bdea3 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch @@ -0,0 +1,65 @@ +From 8ee0e7d2bdcc1a5a5a3241904b243964ab947b7b Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 1 Dec 2023 20:12:25 +0100 +Subject: [PATCH] Check return value of _TIFFCreateAnonField(). + +Fixes #624 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e] +CVE: CVE-2024-7006 +Signed-off-by: Siddharth Doshi +--- + libtiff/tif_dirinfo.c | 2 +- + libtiff/tif_dirread.c | 16 ++++++---------- + 2 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index 0e705e8..4cfdaad 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, + if (fld == NULL) + { + fld = _TIFFCreateAnonField(tif, tag, dt); +- if (!_TIFFMergeFields(tif, fld, 1)) ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + return NULL; + } + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 58a4276..738df9f 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4275,11 +4275,9 @@ int TIFFReadDirectory(TIFF *tif) + dp->tdir_tag, dp->tdir_tag); + /* the following knowingly leaks the + anonymous field structure */ +- if (!_TIFFMergeFields( +- tif, +- _TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +- 1)) ++ const TIFFField *fld = _TIFFCreateAnonField( ++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR( + tif, module, +@@ -5153,11 +5151,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff, + "Unknown field with tag %" PRIu16 " (0x%" PRIx16 + ") encountered", + dp->tdir_tag, dp->tdir_tag); +- if (!_TIFFMergeFields( +- tif, +- _TIFFCreateAnonField(tif, dp->tdir_tag, +- (TIFFDataType)dp->tdir_type), +- 1)) ++ const TIFFField *fld = _TIFFCreateAnonField( ++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); ++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + { + TIFFWarningExtR(tif, module, + "Registering anonymous field with tag %" PRIu16 +-- +2.44.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index d42ea6a6e5b..89681be634b 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb @@ -16,6 +16,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-52355-0001.patch \ file://CVE-2023-52355-0002.patch \ file://CVE-2023-52356.patch \ + file://CVE-2024-7006.patch \ " SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"