libtiff: patch for CVE-2023-52356 & CVE-2024-7006

These are backported from new version 4.7.0 https://libtiff.gitlab.io/libtiff/releases/v4.7.0.html Note that libtiff_t v4.6.0t already contains these patches.
NixOS · Sep 8, 2024 · 95e8350 · 95e8350
1 parent 6f6c45b
commit 95e8350
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/pkgs/development/libraries/libtiff/default.nix b/pkgs/development/libraries/libtiff/default.nix
@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchFromGitLab
+, fetchpatch
 , nix-update-script
 
 , autoreconfHook
@@ -41,6 +42,18 @@ stdenv.mkDerivation (finalAttrs: {
     # libc++abi 11 has an `#include <version>`, this picks up files name
     # `version` in the project's include paths
     ./rename-version.patch
+    # https://gitlab.com/libtiff/libtiff/-/issues/622
+    (fetchpatch {
+      name = "CVE-2023-52356.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a.patch";
+      hash = "sha256-A1G23MEUS1AvoREcKFqoqV2sYtCqIMfzPaIIFpZNBWE=";
+    })
+    # https://gitlab.com/libtiff/libtiff/-/issues/624
+    (fetchpatch {
+      name = "CVE-2024-7006.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e.patch";
+      hash = "sha256-XbRQtNxbNMofKTbeTsbHBKv96KTKSGngCepWPIVWLH4=";
+    })
   ];
 
   postPatch = ''