Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
15e090190926b0288f2ae4dbcb08c7093961cc3b
rpi-buildroot/package/tiff
History
Thomas Perale 10d381d410 package/tiff: security bump to v4.7.1 
For more details on the version bump, see:
  - https://gitlab.com/libtiff/libtiff/-/releases/v4.7.1

This bump includes the security fix for CVE-2025-8176, CVE-2025-8177
that were addressed in commit [1][2].

Also fixes the following vulnerabilities:

- CVE-2024-13978

    A vulnerability was found in LibTIFF up to 4.7.0. It has been
    declared as problematic. Affected by this vulnerability is the
    function t2p_read_tiff_init of the file tools/tiff2pdf.c of the
    component fax2ps. The manipulation leads to null pointer
    dereference. The attack needs to be approached locally. The
    complexity of an attack is rather high. The exploitation appears to
    be difficult. The patch is named
    2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply
    a patch to fix this issue.

For more information, see:
  - https://nvd.nist.gov//vuln/detail/CVE-2024-13978
  - 2ebfffb0e8

- CVE-2025-8961

    A weakness has been identified in LibTIFF 4.7.0. This affects the
    function main of the file tiffcrop.c of the component tiffcrop.
    Executing manipulation can lead to memory corruption. The attack can
    only be executed locally. The exploit has been made available to the
    public and could be exploited.

For more information, see:
  - https://nvd.nist.gov//vuln/detail/CVE-2025-8961
  - 0ac97aa7a5

- CVE-2025-9165

    A flaw has been found in LibTIFF 4.7.0. This affects the function
    _TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the
    file tools/tiffcmp.c of the component tiffcmp. Executing
    manipulation can lead to memory leak. The attack is restricted to
    local execution. The exploit has been published and may be used.
    This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is
    best practice to apply a patch to resolve this issue.

For more information, see:
  - https://nvd.nist.gov//vuln/detail/CVE-2025-9165
  - ed141286a3

This commit also updates the LICENSE.md hash file, which was updated
upstream to include a historical license. See:
a0b623c780

[1] b3974df966 package/tiff: add patches to fix CVE-2025-8176
[2] 3db725d71d package/tiff: add patch to fix CVE-2025-8177

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: fix license hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9e67ae519f)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
2025-09-30 11:05:41 +02:00
..
Config.in
tiff.hash
tiff.mk