Tiff: Security fix for CVE-2024-7006

Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e] CVE's Fixed: CVE-2024-7006 libtiff: NULL pointer dereference in tif_dirinfo.c (From OE-Core rev: bacab52b3d101ee99753f14542a56340dd589425) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Siddharth Doshi <sdoshi@mvista.com> 2024-08-16 12:26:19 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-08-28 06:49:22 -0700
commit: 784646063bd1ec5f295fe384ffc6b02e8555f7bc (patch)
tree: abefdf6cc8ce07fc49a3c45a7f5e7d4424a5a627
parent: 0d356a401d2e9aac2403825db31b99213fa71199 (diff)
download: poky-784646063bd1ec5f295fe384ffc6b02e8555f7bc.tar.gz
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
new file mode 100644
index 0000000000..217de0ea92
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
@@ -0,0 +1,64 @@
+From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+Fixes #624
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
+CVE: CVE-2024-7006
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ libtiff/tif_dirinfo.c |  2 +-
+ libtiff/tif_dirread.c | 15 ++++++---------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index a212d01..95226a8 100644
+--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
+@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt)
+        fld = TIFFFindField(tif, tag, dt);
+        if (fld == NULL) {
+                fld = _TIFFCreateAnonField(tif, tag, dt);
+-               if (!_TIFFMergeFields(tif, fld, 1))
+               if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+                        return NULL;
+        }
+ 
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 0e283fc..1781166 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -3735,11 +3735,9 @@ TIFFReadDirectory(TIFF* tif)
+                                    dp->tdir_tag,dp->tdir_tag);
+                                /* the following knowingly leaks the 
+                                   anonymous field structure */
+-                               if (!_TIFFMergeFields(tif,
+-                                       _TIFFCreateAnonField(tif,
+-                                               dp->tdir_tag,
+-                                               (TIFFDataType) dp->tdir_type),
+-                                       1)) {
+                const TIFFField *fld = _TIFFCreateAnonField(
+                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) {
+                                        TIFFWarningExt(tif->tif_clientdata,
+                                            module,
+                                            "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+@@ -4502,10 +4500,9 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
+                        TIFFWarningExt(tif->tif_clientdata, module,
+                            "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
+                            dp->tdir_tag, dp->tdir_tag);
+-                       if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
+-                                               dp->tdir_tag,
+-                                               (TIFFDataType) dp->tdir_type),
+-                                            1)) {
+            const TIFFField *fld = _TIFFCreateAnonField(
+                tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+            if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) {
+                                TIFFWarningExt(tif->tif_clientdata, module,
+                                    "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+                                    dp->tdir_tag, dp->tdir_tag);
+-- 
+2.35.7
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index b4af179e76..209b38b8f2 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -53,6 +53,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
           file://CVE-2023-6277-2.patch \
           file://CVE-2023-6277-3.patch \
           file://CVE-2023-6277-4.patch \
+           file://CVE-2024-7006.patch \
           "
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
author	Siddharth Doshi <sdoshi@mvista.com>	2024-08-16 12:26:19 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-08-28 06:49:22 -0700
commit	784646063bd1ec5f295fe384ffc6b02e8555f7bc (patch)
tree	abefdf6cc8ce07fc49a3c45a7f5e7d4424a5a627
parent	0d356a401d2e9aac2403825db31b99213fa71199 (diff)
download	poky-784646063bd1ec5f295fe384ffc6b02e8555f7bc.tar.gz

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch new file mode 100644 index 0000000000..217de0ea92 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
@@ -0,0 +1,64 @@
		1	From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
		2	From: Su_Laus <sulau@freenet.de>
		3	Date: Fri, 1 Dec 2023 20:12:25 +0100
		4	Subject: [PATCH] Check return value of _TIFFCreateAnonField().
		5
		6	Fixes #624
		7
		8	Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
		9	CVE: CVE-2024-7006
		10	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		11	---
		12	libtiff/tif_dirinfo.c \| 2 +-
		13	libtiff/tif_dirread.c \| 15 ++++++---------
		14	2 files changed, 7 insertions(+), 10 deletions(-)
		15
		16	diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
		17	index a212d01..95226a8 100644
		18	--- a/libtiff/tif_dirinfo.c
		19	+++ b/libtiff/tif_dirinfo.c
		20	@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt)
		21	fld = TIFFFindField(tif, tag, dt);
		22	if (fld == NULL) {
		23	fld = _TIFFCreateAnonField(tif, tag, dt);
		24	- if (!_TIFFMergeFields(tif, fld, 1))
		25	+ if (fld == NULL \|\| !_TIFFMergeFields(tif, fld, 1))
		26	return NULL;
		27	}
		28
		29	diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
		30	index 0e283fc..1781166 100644
		31	--- a/libtiff/tif_dirread.c
		32	+++ b/libtiff/tif_dirread.c
		33	@@ -3735,11 +3735,9 @@ TIFFReadDirectory(TIFF* tif)
		34	dp->tdir_tag,dp->tdir_tag);
		35	/* the following knowingly leaks the
		36	anonymous field structure */
		37	- if (!_TIFFMergeFields(tif,
		38	- _TIFFCreateAnonField(tif,
		39	- dp->tdir_tag,
		40	- (TIFFDataType) dp->tdir_type),
		41	- 1)) {
		42	+ const TIFFField *fld = _TIFFCreateAnonField(
		43	+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
		44	+ if (fld == NULL \|\| !_TIFFMergeFields(tif, fld, 1)) {
		45	TIFFWarningExt(tif->tif_clientdata,
		46	module,
		47	"Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
		48	@@ -4502,10 +4500,9 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
		49	TIFFWarningExt(tif->tif_clientdata, module,
		50	"Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
		51	dp->tdir_tag, dp->tdir_tag);
		52	- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
		53	- dp->tdir_tag,
		54	- (TIFFDataType) dp->tdir_type),
		55	- 1)) {
		56	+ const TIFFField *fld = _TIFFCreateAnonField(
		57	+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
		58	+ if (fld == NULL \|\| !_TIFFMergeFields(tif, fld, 1)) {
		59	TIFFWarningExt(tif->tif_clientdata, module,
		60	"Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
		61	dp->tdir_tag, dp->tdir_tag);
		62	--
		63	2.35.7
		64


diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index b4af179e76..209b38b8f2 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -53,6 +53,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
53	file://CVE-2023-6277-2.patch \	53	file://CVE-2023-6277-2.patch \
54	file://CVE-2023-6277-3.patch \	54	file://CVE-2023-6277-3.patch \
55	file://CVE-2023-6277-4.patch \	55	file://CVE-2023-6277-4.patch \
		56	file://CVE-2024-7006.patch \
56	"	57	"
57		58
58	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"	59	SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"