[Buildroot] [PATCH 1/1] package/tiff: security bump to version 4.6.0

[Buildroot] [PATCH 1/1] package/tiff: security bump to version 4.6.0

[Fabrice Fontaine]

- Drop --without-x (now unrecognized)
- Fix CVE-2023-40745: LibTIFF is vulnerable to an integer overflow. This
  flaw allows remote attackers to cause a denial of service (application
  crash) or possibly execute an arbitrary code via a crafted tiff image,
  which triggers a heap-based buffer overflow.
- Fix CVE-2023-41175: A vulnerability was found in libtiff due to
  multiple potential integer overflows in raw2tiff.c. This flaw allows
  remote attackers to cause a denial of service or possibly execute an
  arbitrary code via a crafted tiff image, which triggers a heap-based
  buffer overflow.

https://libtiff.gitlab.io/libtiff/releases/v4.6.0.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/tiff/tiff.hash | 2 +-
 package/tiff/tiff.mk   | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/package/tiff/tiff.hash b/package/tiff/tiff.hash
index 0fa503a02a..3aae7dc4d5 100644
--- a/package/tiff/tiff.hash
+++ b/package/tiff/tiff.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167dca5e2b  tiff-4.5.1.tar.gz
+sha256  88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a  tiff-4.6.0.tar.gz
 sha256  0780558a8bfba0af1160ec1ff11ade4f41c0d7deafd6ecfc796b492a788e380d  LICENSE.md
diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
index 0006f461a0..e384e8b814 100644
--- a/package/tiff/tiff.mk
+++ b/package/tiff/tiff.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-TIFF_VERSION = 4.5.1
+TIFF_VERSION = 4.6.0
 TIFF_SITE = http://download.osgeo.org/libtiff
 TIFF_LICENSE = tiff license
 TIFF_LICENSE_FILES = LICENSE.md
@@ -17,14 +17,12 @@ TIFF_INSTALL_STAGING = YES
 TIFF_CONF_OPTS = \
 	--disable-contrib \
 	--disable-tests \
-	--disable-webp \
-	--without-x
+	--disable-webp
 
 TIFF_DEPENDENCIES = host-pkgconf
 
 HOST_TIFF_CONF_OPTS = \
 	--disable-cxx \
-	--without-x \
 	--disable-zlib \
 	--disable-libdeflate \
 	--disable-lzma \
-- 
2.42.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/tiff: security bump to version 4.6.0

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Drop --without-x (now unrecognized)
 > - Fix CVE-2023-40745: LibTIFF is vulnerable to an integer overflow. This
 >   flaw allows remote attackers to cause a denial of service (application
 >   crash) or possibly execute an arbitrary code via a crafted tiff image,
 >   which triggers a heap-based buffer overflow.
 > - Fix CVE-2023-41175: A vulnerability was found in libtiff due to
 >   multiple potential integer overflows in raw2tiff.c. This flaw allows
 >   remote attackers to cause a denial of service or possibly execute an
 >   arbitrary code via a crafted tiff image, which triggers a heap-based
 >   buffer overflow.

 > https://libtiff.gitlab.io/libtiff/releases/v4.6.0.html

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot