Tiff: Security fix for CVE-2024-7006

Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e] CVE's Fixed: CVE-2024-7006 libtiff: NULL pointer dereference in tif_dirinfo.c (From OE-Core rev: 5313b4b233a486e8a1483757ad9c9aed3a213aae) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Siddharth Doshi <sdoshi@mvista.com> 2024-08-14 23:49:23 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-08-15 14:51:55 +0100
commit: c048a86145567a371e309bc4977fdd2a1c753a6f (patch)
tree: 0a1929dffa4cea08a6692ea3a617b224e8153b1b /meta/recipes-multimedia/libtiff
parent: 16a410cd3dfe1c15d024c9adc099b7a3659c8d30 (diff)
download: poky-c048a86145567a371e309bc4977fdd2a1c753a6f.tar.gz
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
new file mode 100644
index 0000000000..785244bdea
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
@@ -0,0 +1,65 @@
+From 8ee0e7d2bdcc1a5a5a3241904b243964ab947b7b Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+Fixes #624
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
+CVE: CVE-2024-7006
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ libtiff/tif_dirinfo.c |  2 +-
+ libtiff/tif_dirread.c | 16 ++++++----------
+ 2 files changed, 7 insertions(+), 11 deletions(-)
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 0e705e8..4cfdaad 100644
+--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
+@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
+     if (fld == NULL)
+     {
+         fld = _TIFFCreateAnonField(tif, tag, dt);
+-        if (!_TIFFMergeFields(tif, fld, 1))
+        if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+             return NULL;
+     }
+ 
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 58a4276..738df9f 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -4275,11 +4275,9 @@ int TIFFReadDirectory(TIFF *tif)
+                                 dp->tdir_tag, dp->tdir_tag);
+                 /* the following knowingly leaks the
+                    anonymous field structure */
+-                if (!_TIFFMergeFields(
+-                        tif,
+-                        _TIFFCreateAnonField(tif, dp->tdir_tag,
+-                                             (TIFFDataType)dp->tdir_type),
+-                        1))
+                const TIFFField *fld = _TIFFCreateAnonField(
+                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+                 {
+                     TIFFWarningExtR(
+                         tif, module,
+@@ -5153,11 +5151,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
+                             "Unknown field with tag %" PRIu16 " (0x%" PRIx16
+                             ") encountered",
+                             dp->tdir_tag, dp->tdir_tag);
+-            if (!_TIFFMergeFields(
+-                    tif,
+-                    _TIFFCreateAnonField(tif, dp->tdir_tag,
+-                                         (TIFFDataType)dp->tdir_type),
+-                    1))
+            const TIFFField *fld = _TIFFCreateAnonField(
+                tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+            if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+             {
+                 TIFFWarningExtR(tif, module,
+                                 "Registering anonymous field with tag %" PRIu16
+-- 
+2.44.1
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index d42ea6a6e5..89681be634 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-52355-0001.patch \
           file://CVE-2023-52355-0002.patch \
           file://CVE-2023-52356.patch \
+           file://CVE-2024-7006.patch \
           "
 SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"
author	Siddharth Doshi <sdoshi@mvista.com>	2024-08-14 23:49:23 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-08-15 14:51:55 +0100
commit	c048a86145567a371e309bc4977fdd2a1c753a6f (patch)
tree	0a1929dffa4cea08a6692ea3a617b224e8153b1b /meta/recipes-multimedia/libtiff
parent	16a410cd3dfe1c15d024c9adc099b7a3659c8d30 (diff)
download	poky-c048a86145567a371e309bc4977fdd2a1c753a6f.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch new file mode 100644 index 0000000000..785244bdea --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
@@ -0,0 +1,65 @@
		1	From 8ee0e7d2bdcc1a5a5a3241904b243964ab947b7b Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Fri, 1 Dec 2023 20:12:25 +0100
		4	Subject: [PATCH] Check return value of _TIFFCreateAnonField().
		5
		6	Fixes #624
		7
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
		9	CVE: CVE-2024-7006
		10	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		11	---
		12	libtiff/tif_dirinfo.c \| 2 +-
		13	libtiff/tif_dirread.c \| 16 ++++++----------
		14	2 files changed, 7 insertions(+), 11 deletions(-)
		15
		16	diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
		17	index 0e705e8..4cfdaad 100644
		18	--- a/libtiff/tif_dirinfo.c
		19	+++ b/libtiff/tif_dirinfo.c
		20	@@ -887,7 +887,7 @@ const TIFFField _TIFFFindOrRegisterField(TIFF tif, uint32_t tag,
		21	if (fld == NULL)
		22	{
		23	fld = _TIFFCreateAnonField(tif, tag, dt);
		24	- if (!_TIFFMergeFields(tif, fld, 1))
		25	+ if (fld == NULL \|\| !_TIFFMergeFields(tif, fld, 1))
		26	return NULL;
		27	}
		28
		29	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		30	index 58a4276..738df9f 100644
		31	--- a/libtiff/tif_dirread.c
		32	+++ b/libtiff/tif_dirread.c
		33	@@ -4275,11 +4275,9 @@ int TIFFReadDirectory(TIFF *tif)
		34	dp->tdir_tag, dp->tdir_tag);
		35	/* the following knowingly leaks the
		36	anonymous field structure */
		37	- if (!_TIFFMergeFields(
		38	- tif,
		39	- _TIFFCreateAnonField(tif, dp->tdir_tag,
		40	- (TIFFDataType)dp->tdir_type),
		41	- 1))
		42	+ const TIFFField *fld = _TIFFCreateAnonField(
		43	+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
		44	+ if (fld == NULL \|\| !_TIFFMergeFields(tif, fld, 1))
		45	{
		46	TIFFWarningExtR(
		47	tif, module,
		48	@@ -5153,11 +5151,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
		49	"Unknown field with tag %" PRIu16 " (0x%" PRIx16
		50	") encountered",
		51	dp->tdir_tag, dp->tdir_tag);
		52	- if (!_TIFFMergeFields(
		53	- tif,
		54	- _TIFFCreateAnonField(tif, dp->tdir_tag,
		55	- (TIFFDataType)dp->tdir_type),
		56	- 1))
		57	+ const TIFFField *fld = _TIFFCreateAnonField(
		58	+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
		59	+ if (fld == NULL \|\| !_TIFFMergeFields(tif, fld, 1))
		60	{
		61	TIFFWarningExtR(tif, module,
		62	"Registering anonymous field with tag %" PRIu16
		63	--
		64	2.44.1
		65


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb index d42ea6a6e5..89681be634 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
16	file://CVE-2023-52355-0001.patch \	16	file://CVE-2023-52355-0001.patch \
17	file://CVE-2023-52355-0002.patch \	17	file://CVE-2023-52355-0002.patch \
18	file://CVE-2023-52356.patch \	18	file://CVE-2023-52356.patch \
		19	file://CVE-2024-7006.patch \
19	"	20	"
20		21
21	SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"	22	SRC_URI[sha256sum] = "88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a"