[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
15/19: gnu: libtiff: Fix CVE-2022-34526.
From: |
guix-commits |
Subject: |
15/19: gnu: libtiff: Fix CVE-2022-34526. |
Date: |
Fri, 16 Sep 2022 16:45:33 -0400 (EDT) |
mbakke pushed a commit to branch core-updates
in repository guix.
commit c7966ba3ef63a303f243f5694b58a4d179460516
Author: Marius Bakke <marius@gnu.org>
AuthorDate: Fri Sep 16 19:54:02 2022 +0200
gnu: libtiff: Fix CVE-2022-34526.
* gnu/packages/patches/libtiff-CVE-2022-34526.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/image.scm (libtiff)[source](patches): New field.
---
gnu/local.mk | 1 +
gnu/packages/image.scm | 1 +
gnu/packages/patches/libtiff-CVE-2022-34526.patch | 22 ++++++++++++++++++++++
3 files changed, 24 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index b09c887c8d..094012316f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1416,6 +1416,7 @@ dist_patch_DATA =
\
%D%/packages/patches/libtgvoip-disable-sse2.patch \
%D%/packages/patches/libtgvoip-disable-webrtc.patch \
%D%/packages/patches/libtheora-config-guess.patch \
+ %D%/packages/patches/libtiff-CVE-2022-34526.patch \
%D%/packages/patches/libtirpc-CVE-2021-46828.patch \
%D%/packages/patches/libtirpc-hurd.patch \
%D%/packages/patches/libtommath-fix-linkage.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 0461835a70..f669f97c40 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -575,6 +575,7 @@ extracting icontainer icon files.")
(method url-fetch)
(uri (string-append "https://download.osgeo.org/libtiff/tiff-"
version ".tar.xz"))
+ (patches (search-patches "libtiff-CVE-2022-34526.patch"))
(sha256
(base32
"1h8xrcpbyf9id2hw2ms0cmpgx0li8gladjzj82ycgk28018pnc29"))))
diff --git a/gnu/packages/patches/libtiff-CVE-2022-34526.patch
b/gnu/packages/patches/libtiff-CVE-2022-34526.patch
new file mode 100644
index 0000000000..a5ad9d79a5
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2022-34526.patch
@@ -0,0 +1,22 @@
+Fix CVE-2022-34526:
+
+ https://nvd.nist.gov/vuln/detail/CVE-2022-34526
+ https://gitlab.com/libtiff/libtiff/-/issues/433
+
+Patch taken from upstream source repository:
+
+
https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -1191,6 +1191,9 @@ _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+ default:
+ return 1;
+ }
++ if( !TIFFIsCODECConfigured(tif->tif_dir.td_compression) ) {
++ return 0;
++ }
+ /* Check if codec specific tags are allowed for the current
+ * compression scheme (codec) */
+ switch (tif->tif_dir.td_compression) {
- branch core-updates updated (7e0f2728a4 -> 5339cb1161), guix-commits, 2022/09/16
- 01/19: gnu: libgcrypt: Provide absolute gpgrt-config also for native builds., guix-commits, 2022/09/16
- 05/19: gnu: python-mako: Update to 1.2.2., guix-commits, 2022/09/16
- 07/19: gnu: GnuPG: Update to 2.2.39., guix-commits, 2022/09/16
- 02/19: gnu: glibc-for-bootstrap: Remove obsolete patch., guix-commits, 2022/09/16
- 03/19: gnu: freeimage: Adjust for LibTIFF 4.4., guix-commits, 2022/09/16
- 04/19: gnu: fontforge: Update to 20220308., guix-commits, 2022/09/16
- 08/19: gnu: libpaper: Update to 2.0.0., guix-commits, 2022/09/16
- 09/19: gnu: cmake-minimal: Update to 3.24.2., guix-commits, 2022/09/16
- 15/19: gnu: libtiff: Fix CVE-2022-34526.,
guix-commits <=
- 17/19: gnu: Remove wayland-protocols-next., guix-commits, 2022/09/16
- 12/19: gnu: tevent: Update to 0.13.0., guix-commits, 2022/09/16
- 06/19: gnu: libksba: Update to 1.6.1., guix-commits, 2022/09/16
- 10/19: gnu: samba: Update to 4.17.0., guix-commits, 2022/09/16
- 16/19: gnu: QPDF: Update to 11.1.0., guix-commits, 2022/09/16
- 13/19: gnu: tdb: Update to 1.4.7., guix-commits, 2022/09/16
- 14/19: gnu: ldb: Update to 2.6.1., guix-commits, 2022/09/16
- 11/19: gnu: talloc: Update to 2.3.4., guix-commits, 2022/09/16
- 19/19: gnu: abseil-cpp: Re-enable testing., guix-commits, 2022/09/16
- 18/19: gnu: googletest: Update to 1.12.1., guix-commits, 2022/09/16