From 3f40a5fec5a482764bab186a4f666cc07d4d2141 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sun, 14 Mar 2021 05:20:39 +0100
Subject: [PATCH] libtiff: fix two security issues

CVE-2020-35523: An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

CVE-2020-35524: A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Fixes: CVE-2020-35523, CVE-2020-35524
---
 .../development/libraries/libtiff/default.nix | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/pkgs/development/libraries/libtiff/default.nix b/pkgs/development/libraries/libtiff/default.nix
index 6d4109621826b..9a06c430ceba7 100644
--- a/pkgs/development/libraries/libtiff/default.nix
+++ b/pkgs/development/libraries/libtiff/default.nix
@@ -1,5 +1,6 @@
 { stdenv
 , fetchurl
+, fetchpatch
 , pkgconfig
@@ -19,6 +20,32 @@ stdenv.mkDerivation rec {
   outputs = [ "bin" "dev" "out" "man" "doc" ];
 
+  patches = [
+    # https://gitlab.com/libtiff/libtiff/-/merge_requests/160
+    (fetchpatch {
+      name = "CVE-2020-35523.1.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/712fe9f5b9795c5a3e80f38db90dad11e6a8bb6a.patch";
+      sha256 = "1h4jrilnhc50qzjxljcm0471i4inwr790b1dzdf6qvwf7fqi6wky";
+    })
+    (fetchpatch {
+      name = "CVE-2020-35523.2.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2.patch";
+      sha256 = "01rzwf5xk5mf3j362g74h9qc45cnmqr0c14w5xj3p8mk160cd74q";
+    })
+    # https://gitlab.com/libtiff/libtiff/-/merge_requests/159
+    (fetchpatch {
+      name = "CVE-2020-35524.1.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330.patch";
+      sha256 = "1lac51lsvap6wzdg1rssnq2adrpxd3bqrsdm40qd88mpa0g3rsfb";
+    })
+    (fetchpatch {
+      name = "CVE-2020-35524.2.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2.patch";
+      sha256 = "0v559fpsgnmhzgjhsp7fkm3hwrfjv2042lrczd32c0yb9jbrqxvi";
+    })
+
+  ];
+
   nativeBuildInputs = [ pkgconfig ];
   propagatedBuildInputs = [ zlib libjpeg xz ];
   #TODO: opengl support (bogus configure detection)
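Review bot: The new `patches` list says which upstream merge requests it backports but not when it can be dropped, so a future version bump will have to re-check MRs !159 and !160 by hand; a one-line comment above `patches = [`, e.g. `# backports of upstream fixes for CVE-2020-35523/35524 (MRs !159, !160); drop once the package is bumped to a release that contains them`, would make the maintenance intent explicit. The blank `+` line between the last `(fetchpatch { ... })` and `];` looks unintended and could be removed for consistency with the rest of the file. Pinning each patch by `sha256` is the right call here: a GitLab `.../commit/<hash>.patch` URL is not content-stable, so the hash, not the URL, is what guarantees the patch applied at build time is the one that was reviewed, and a mismatch fails the build loudly rather than silently building with different code.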