fix CVE-2024-7006

backport-CVE-2024-7006.patch

@@ -0,0 +1,64 @@
+From a91566b32d107e86c4ea0b10bbcb5ce089005cb7 Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 13 Aug 2024 09:42:15 +0800
+Subject: [PATCH] fix CVE-2024-7006
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e
+Check return value of _TIFFCreateAnonField().
+Fixes #624 (closed)
+
+---
+ libtiff/tif_dirinfo.c |  2 +-
+ libtiff/tif_dirread.c | 17 ++++++++---------
+ 2 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index a212d01..755693c 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt)
+ 	fld = TIFFFindField(tif, tag, dt);
+ 	if (fld == NULL) {
+ 		fld = _TIFFCreateAnonField(tif, tag, dt);
+-		if (!_TIFFMergeFields(tif, fld, 1))
++		if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))		
+ 			return NULL;
+ 	}
+ 
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index ed88e80..4e2b53e 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3734,11 +3734,10 @@ TIFFReadDirectory(TIFF* tif)
+ 				    dp->tdir_tag,dp->tdir_tag);
+ 				/* the following knowingly leaks the 
+ 				   anonymous field structure */
+-				if (!_TIFFMergeFields(tif,
+-					_TIFFCreateAnonField(tif,
+-						dp->tdir_tag,
+-						(TIFFDataType) dp->tdir_type),
+-					1)) {
++                                const TIFFField *fld = _TIFFCreateAnonField(
++                                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++                                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))				
++				{
+ 					TIFFWarningExt(tif->tif_clientdata,
+ 					    module,
+ 					    "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+@@ -4500,10 +4499,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
+ 			TIFFWarningExt(tif->tif_clientdata, module,
+ 			    "Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
+ 			    dp->tdir_tag, dp->tdir_tag);
+-			if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
+-						dp->tdir_tag,
+-						(TIFFDataType) dp->tdir_type),
+-					     1)) {
++                        const TIFFField *fld = _TIFFCreateAnonField(
++                             tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++                        if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))			
++			{
+ 				TIFFWarningExt(tif->tif_clientdata, module,
+ 				    "Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
+ 				    dp->tdir_tag, dp->tdir_tag);
+-- 
+2.27.0
+

libtiff.spec

@@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.3.0
-Release:        23
+Release:        24
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@@ -49,6 +49,7 @@ Patch6039:      backport-CVE-2022-40090.patch
 Patch6040:      backport-CVE-2022-34526.patch
 Patch6041:      backport-CVE-2023-6228.patch
 Patch6042:      backport-CVE-2023-1916-CVE-2023-3164.patch
+Patch6043:      backport-CVE-2024-7006.patch
 
 Patch9000:	fix-raw2tiff-floating-point-exception.patch
 Patch9001:	backport-0001-CVE-2023-6277.patch
@@ -154,6 +155,12 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 
 %changelog
+* Thu Aug 15 2024 lingsheng <lingsheng1@h-partners.com> - 4.3.0-24
+- Type:CVE
+- ID:CVE-2024-7006
+- SUG:NA
+- DESC:fix CVE-2024-7006
+
 * Mon May 20 2024 lingsheng <lingsheng1@h-partners.com> - 4.3.0-23
 - Type:CVE
 - ID:CVE-2023-1916,CVE-2023-3164