From: Siddharth Doshi <[email protected]> Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
CVE's Fixed: CVE-2024-7006 libtiff: NULL pointer dereference in tif_dirinfo.c Signed-off-by: Siddharth Doshi <[email protected]> Signed-off-by: Steve Sakoman <[email protected]>
---
 .../libtiff/tiff/CVE-2024-7006.patch | 64 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
new file mode 100644
index 0000000000..217de0ea92
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
@@ -0,0 +1,64 @@
+From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
+From: Su_Laus <[email protected]>
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+
+Fixes #624
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
+CVE: CVE-2024-7006
+Signed-off-by: Siddharth Doshi <[email protected]>
+---
+ libtiff/tif_dirinfo.c | 2 +-
+ libtiff/tif_dirread.c | 15 ++++++---------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index a212d01..95226a8 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt)
+ fld = TIFFFindField(tif, tag, dt);
+ if (fld == NULL) {
+ fld = _TIFFCreateAnonField(tif, tag, dt);
+- if (!_TIFFMergeFields(tif, fld, 1))
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ return NULL;
+ }
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 0e283fc..1781166 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3735,11 +3735,9 @@ TIFFReadDirectory(TIFF* tif)
+ dp->tdir_tag,dp->tdir_tag);
+ /* the following knowingly leaks the
+ anonymous field structure */
+- if (!_TIFFMergeFields(tif,
+- _TIFFCreateAnonField(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1)) {
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) {
+ TIFFWarningExt(tif->tif_clientdata,
+ module,
+ "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+@@ -4502,10 +4500,9 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
+ dp->tdir_tag, dp->tdir_tag);
+- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1)) {
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+ dp->tdir_tag, dp->tdir_tag);
+--
+2.35.7
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index b4af179e76..209b38b8f2 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -53,6 +53,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
 file://CVE-2023-6277-2.patch \
 file://CVE-2023-6277-3.patch \
 file://CVE-2023-6277-4.patch \
+ file://CVE-2024-7006.patch \
 "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
--
2.34.1
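Review bot: In the `_TIFFFindOrRegisterField` hunk of the embedded patch, the path where `_TIFFCreateAnonField()` succeeds but `_TIFFMergeFields()` fails still returns NULL without releasing `fld`, and unlike the two `tif_dirread.c` sites (which sit under the "knowingly leaks the anonymous field structure" comment) nothing there says this is intentional. Because this is a backport that should stay identical to upstream commit 818fb8ce, I would not change the code, but the behaviour deserves a note upstream or in the patch header, for example `/* fld is intentionally not freed when the merge fails, as in TIFFReadDirectory() */`. It is also worth confirming with a grep over the tiff 4.3.0 sources that these three call sites are the only ones passing the result of `_TIFFCreateAnonField()` to `_TIFFMergeFields()`, since any unpatched caller would leave CVE-2024-7006 only partially fixed in this recipe. All three functions begin and end outside their hunks, so the ownership of `fld` after a failed merge is inferred from the existing comment rather than visible here.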
