[3.17] main/tiff: add security patches (!45327) · Merge requests · alpine / aports

Alois Klink requested to merge aloisklink/aports:3.17/main/tiff-backport-CVE-fixes-from-4.4.0-4ubuntu3.3 into 3.17-stable Mar 23, 2023

Takes the patches from Ubuntu's tiff's kinetic-security 4.4.0-4ubuntu3.3 release, see https://code.launchpad.net/~git-ubuntu-import/ubuntu/+source/tiff/+git/tiff/+ref/ubuntu/kinetic-security

Luckily, according to their debian/copyright file, all of their patches are licensed under the same Hylafax license as the tiff library!

Fixes the following security issues:

CVE-2023-0795
CVE-2023-0796
CVE-2023-0797
CVE-2023-0798
CVE-2023-0799
CVE-2023-0800
CVE-2023-0801
CVE-2023-0802
CVE-2023-0803
CVE-2023-0804

Please note that I haven't tested these patches (other than confirming that they compile). I think the patches we have are pretty similar to the patches in ubuntu/kinetic-security though (the only difference seems to be that Ubuntu doesn't have a patch for CVE-2022-3597 or CVE-2022-48281), but it might be worth doing some basic tests.

[3.17] main/tiff: add security patches

Merge request reports