[AUTO-CHERRYPICK] [Low] patch libtiff for CVE-2023-6228 - branch main (#13352)

Co-authored-by: jykanase <v-jykanase@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/libtiff/CVE-2023-6228.patch

@@ -0,0 +1,26 @@
+From b40cf6a6ef58b3ab091f3a00519eae72e2ced10c Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Tue, 18 Mar 2025 08:15:06 +0000
+Subject: [PATCH] CVE-2023-6228
+
+Source Link: https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a
+---
+ tools/tiffcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index aff0626..2628bdb 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out)
+     if (!TIFFIsCODECConfigured(compression))
+         return FALSE;
+     TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
++    if (!TIFFIsCODECConfigured(input_compression))
++        return FALSE;
+     TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
+     if (input_compression == COMPRESSION_JPEG)
+     {
+-- 
+2.45.2
+

SPECS/libtiff/libtiff.spec

@@ -1,7 +1,7 @@
 Summary:        TIFF libraries and associated utilities.
 Name:           libtiff
 Version:        4.6.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        libtiff
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -12,6 +12,7 @@ Patch0:         CVE-2023-52356.patch
 Patch1:         CVE-2024-7006.patch
 Patch2:         CVE-2023-6277.patch
 Patch3:         CVE-2023-3164.patch
+Patch4:         CVE-2023-6228.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libjpeg-turbo-devel
@@ -64,6 +65,9 @@ make %{?_smp_mflags} -k check
 %{_docdir}/*
 
 %changelog
+* Tue Mar 18 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 4.6.0-6
+- Fix CVE-2023-6228
+
 * Thu Jan 16 2025 Bhagyashri Pathak <bhapathak@microsoft.com> - 4.6.0-5
 - Add patch to resolve CVE-2023-3164