tiff: CVE-2016-10270: heap-based buffer overflow in TIFFFillStrip

Related Vulnerabilities: CVE-2016-10270  

Debian Bug report logs - #846837

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 3 Dec 2016 16:33:02 UTC

Severity: important

Tags: security, upstream

Found in version tiff/4.0.7-1

Fixed in version tiff/4.0.7-2

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.maptools.org/show_bug.cgi?id=2608



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#846837; Package src:tiff. (Sat, 03 Dec 2016 16:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 03 Dec 2016 16:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: heap-based buffer overflow in TIFFFillStrip
Date: Sat, 03 Dec 2016 17:29:45 +0100
Source: tiff
Version: 4.0.7-1
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2608

Hi

There is a heap-based buffer overflow in TIFFFillStrip, cf
http://bugzilla.maptools.org/show_bug.cgi?id=2608 .

Please adjust the affected versions in the BTS as needed, only 4.0.7-1
has been verified so far.

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Wed, 07 Dec 2016 16:51:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 07 Dec 2016 16:51:15 GMT)


Message #10 received at 846837-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 846837-close@bugs.debian.org
Subject: Bug#846837: fixed in tiff 4.0.7-2
Date: Wed, 07 Dec 2016 16:49:56 +0000
Source: tiff
Source-Version: 4.0.7-2

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 846837@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 04 Dec 2016 12:24:44 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.7-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 846837 846838
Changes:
 tiff (4.0.7-2) unstable; urgency=high
 .
   * Backport security fixes:
     - fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer
       division by zero,
     - avoid uint32 underflow in cpDecodedStrips that can cause various
       issues, such as buffer overflows in the library,
     - fix heap-based buffer overflow on generation of PixarLog / LUV
       compressed files, with ColorMap, TransferFunction attached and nasty
       plays with bitspersample,
     - fix ChopUpSingleUncompressedStrip() in reading outside of the
       StripByCounts/StripOffsets arrays when using TIFFReadScanline()
       (closes: #846837),
     - make OJPEGDecode() early exit in case of failure in OJPEGPreDecode() to
       avoid a divide by zero, and potential other issues,
     - fix readContigStripsIntoBuffer() in -i (ignore) mode so that the
       output buffer is correctly incremented to avoid write outside bounds,
     - add 3 extra bytes at end of strip buffer in
       readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
       buffer,
     - fix integer division by zero when BitsPerSample is missing
       (closes: #846838),
     - fix null pointer dereference in -r mode when the image has no
       StripByteCount tag,
     - avoid potential division by zero if BitsPerSamples tag is missing,
     - limit the return number of inks to SamplesPerPixel in
       TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) , so that code that parses ink
       names doesn't go past the end of the buffer,
     - avoid another potential division by zero if BitsPerSamples tag is
       missing,
     - fix uint32 underflow/overflow that can cause heap-based buffer overflow,
     - replace assert( (bps % 8) == 0 ) by a non assert check.
   * Remove thumbnail and rgb2ycbcr documentations, these tools no longer
     present.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 23 Feb 2017 07:30:25 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Mar 2017 05:45:03 GMT)


Changed Bug title to 'tiff: CVE-2016-10270: heap-based buffer overflow in TIFFFillStrip' from 'tiff: heap-based buffer overflow in TIFFFillStrip'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Mar 2017 05:45:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 15 May 2017 07:25:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:15:36 2019; Machine Name: beach
