From c2da8dee8b8e21c4db46b3ac2d97c1e5619b7bbd Mon Sep 17 00:00:00 2001
From: Julien Olivain <ju.o@free.fr>
Date: Wed, 13 Nov 2024 22:15:22 +0100
Subject: [PATCH] package/tiff: security bump to version 4.7.0

For the release note, see:
http://www.simplesystems.org/libtiff/releases/v4.7.0.html

This commit also adds the _SOURCE variable, to switch to the xz
archive, which saves ~1.5MB. The _SITE url is also updated to switch
to the https protocol.

This commit also adds a comment in the hash file about pgp signature
veritication.

Fixes:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6277
- https://nvd.nist.gov/vuln/detail/CVE-2023-52356
- https://nvd.nist.gov/vuln/detail/CVE-2024-7006

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d571951c67d63824fcdf96cba8b59c80876a827a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/tiff/tiff.hash | 6 ++++--
 package/tiff/tiff.mk   | 5 +++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/package/tiff/tiff.hash b/package/tiff/tiff.hash
index 3aae7dc4d5..5e2dcca73c 100644
--- a/package/tiff/tiff.hash
+++ b/package/tiff/tiff.hash
@@ -1,3 +1,5 @@
-# Locally computed
-sha256  88b3979e6d5c7e32b50d7ec72fb15af724f6ab2cbf7e10880c360a77e4b5d99a  tiff-4.6.0.tar.gz
+# Locally computed after checking pgp signature
+# https://download.osgeo.org/libtiff/tiff-4.7.0.tar.xz.sig
+# with key: B1FA7D81EEB8E66399178B9733EBBFC47B3DD87D
+sha256  273a0a73b1f0bed640afee4a5df0337357ced5b53d3d5d1c405b936501f71017  tiff-4.7.0.tar.xz
 sha256  0780558a8bfba0af1160ec1ff11ade4f41c0d7deafd6ecfc796b492a788e380d  LICENSE.md
diff --git a/package/tiff/tiff.mk b/package/tiff/tiff.mk
index 0e5e0dd48a..5d7219d7da 100644
--- a/package/tiff/tiff.mk
+++ b/package/tiff/tiff.mk
@@ -4,8 +4,9 @@
 #
 ################################################################################
 
-TIFF_VERSION = 4.6.0
-TIFF_SITE = http://download.osgeo.org/libtiff
+TIFF_VERSION = 4.7.0
+TIFF_SOURCE = tiff-$(TIFF_VERSION).tar.xz
+TIFF_SITE = https://download.osgeo.org/libtiff
 TIFF_LICENSE = tiff license
 TIFF_LICENSE_FILES = LICENSE.md
 TIFF_CPE_ID_VENDOR = libtiff