Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Debian Bug report logs - #678140
Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Tue, 19 Jun 2012 16:04:18 +0200

Package: tiff
Severity: grave
Tags: security

Two new tiff issues have been repored to Red Hat bugzilla, please see
these bugs for details:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2088
https://bugzilla.redhat.com/show_bug.cgi?id=810551 (CVE-2012-2113)

Cheers,
        Moritz

Message #10 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: Moritz Muehlenhoff <muehlenhoff@univention.de>

Cc: 678140@bugs.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Thu, 28 Jun 2012 16:51:54 -0400

Moritz Muehlenhoff <muehlenhoff@univention.de> wrote:

> Package: tiff
> Severity: grave
> Tags: security
>
> Two new tiff issues have been repored to Red Hat bugzilla, please see
> these bugs for details:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2088
> https://bugzilla.redhat.com/show_bug.cgi?id=810551 (CVE-2012-2113)
>
> Cheers,
>         Moritz

Oops, somehow I managed to overlook this bug report.  I uploaded tiff
4.0.2 a few days ago.  I'll see if that includes these fixes and will
see about backporting to the 3.x series.  I'm not sure how soon I can do
it.  I have a very full weekend coming up, but I am at least now aware
of the issue.

-- 
Jay Berkenbilt <qjb@debian.org>

Message #15 received at 678140-done@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: 678140-done@bugs.debian.org

Subject: bug fixed in 4.0.2

Date: Fri, 29 Jun 2012 14:05:59 -0400

Version: 4.0.2-1

Of the two security issues reported here, only CVE-2012-2113 is in 4.x,
and it is fixed in version 4.0.2, which I had already uploaded before
seeing this bug report.

-- 
Jay Berkenbilt <qjb@debian.org>

Message #26 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Lee Garrett <lgarrett@programmfabrik.de>

To: 678140@bugs.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Fri, 14 Sep 2012 15:50:57 +0200

AFAICS stable is still affected by both CVEs. Can you confirm this? 
Patches are available in the Ubuntu natty version of libtiff4.

Message #31 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: Lee Garrett <lgarrett@programmfabrik.de>

Cc: 678140@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Sat, 22 Sep 2012 12:09:15 -0400

[Message part 1 (text/plain, inline)]

Lee Garrett <lgarrett@programmfabrik.de> wrote:

> AFAICS stable is still affected by both CVEs. Can you confirm this?
> Patches are available in the Ubuntu natty version of libtiff4.

Yes, I can confirm.  Sorry about that.  I checked against the natty
package, and there are quite a few CVEs that we seem to have missed.  I
think probably these were not affected in the version in unstable, and I
lost track of not having backported or considered them for stable.  I
have a new version of tiff (tiff-3.9.4-5+squeeze5) built against squeeze
that is ready to upload.  I've attached a patch from squeeze4 to
squeeze5.  The only changes were either adding some new patches (the
ones mentioned in the changelog) or replacing some old patches that were
affected by the new ones.  This happened for two patches, and I checked
the diffs to make sure the changes were actually the same.  As always, I
didn't touch any other aspect of the packages.  I literally just
replaced the patch files and the series file and updated the changelog.

Please let me know whether I should do the upload or whether you will
prepare a package for stable-security based on the attached patch.
Thanks!

-- 
Jay Berkenbilt <qjb@debian.org>

[tiff-3.9.4-squeeze4-to-5.patch (text/x-diff, inline)]

diff -urN ../tiff-3.9.4-5+squeeze4/debian/changelog ./debian/changelog
--- ../tiff-3.9.4-5+squeeze4/debian/changelog	2012-04-02 11:41:13.000000000 -0400
+++ ./debian/changelog	2012-09-22 12:05:39.852315189 -0400
@@ -1,3 +1,18 @@
+tiff (3.9.4-5+squeeze5) stable-security; urgency=high
+
+  * Added several additional security patches taken from the Ubuntu Natty
+    (11.04) tiff package.
+
+    CVE-2010-2482
+    CVE-2010-2595
+    CVE-2010-2597
+    CVE-2010-2630
+    CVE-2010-4665
+    CVE-2012-2113
+    CVE-2012-3401
+
+ -- Jay Berkenbilt <qjb@debian.org>  Sat, 22 Sep 2012 11:51:18 -0400
+
 tiff (3.9.4-5+squeeze4) stable-security; urgency=high
 
   * CVE-2012-1173
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2482.patch ./debian/patches/CVE-2010-2482.patch
--- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2482.patch	1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/CVE-2010-2482.patch	2011-03-03 11:16:07.000000000 -0500
@@ -0,0 +1,52 @@
+Description: fix denial of service via invalid td_stripbytecount field
+Origin: upstream, r1.24.2.7, r1.14.2.5
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=1996
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/597246
+
+Index: tiff-3.9.4/libtiff/tif_ojpeg.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c	2011-03-03 10:40:33.000000000 -0500
++++ tiff-3.9.4/libtiff/tif_ojpeg.c	2011-03-03 10:41:33.000000000 -0500
+@@ -1918,8 +1918,14 @@
+ 					{
+ 						if (sp->in_buffer_file_pos>=sp->file_size)
+ 							sp->in_buffer_file_pos=0;
++						else if (sp->tif->tif_dir.td_stripbytecount==NULL)
++							sp->in_buffer_file_togo=sp->file_size-sp->in_buffer_file_pos;
+ 						else
+ 						{
++							if (sp->tif->tif_dir.td_stripbytecount == 0) {
++								TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
++								return(0);
++							}
+ 							sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];  
+ 							if (sp->in_buffer_file_togo==0)
+ 								sp->in_buffer_file_pos=0;
+Index: tiff-3.9.4/tools/tiffsplit.c
+===================================================================
+--- tiff-3.9.4.orig/tools/tiffsplit.c	2011-03-03 10:41:02.000000000 -0500
++++ tiff-3.9.4/tools/tiffsplit.c	2011-03-03 10:41:36.000000000 -0500
+@@ -237,7 +237,10 @@
+ 		tstrip_t s, ns = TIFFNumberOfStrips(in);
+ 		uint32 *bytecounts;
+ 
+-		TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
++		if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
++			fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
++			return (0);
++		}
+ 		for (s = 0; s < ns; s++) {
+ 			if (bytecounts[s] > (uint32)bufsize) {
+ 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
+@@ -267,7 +270,10 @@
+ 		ttile_t t, nt = TIFFNumberOfTiles(in);
+ 		uint32 *bytecounts;
+ 
+-		TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
++		if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
++			fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
++			return (0);
++		}
+ 		for (t = 0; t < nt; t++) {
+ 			if (bytecounts[t] > (uint32) bufsize) {
+ 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2595.patch ./debian/patches/CVE-2010-2595.patch
--- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2595.patch	1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/CVE-2010-2595.patch	2011-03-03 11:18:28.000000000 -0500
@@ -0,0 +1,31 @@
+Description: fix denial of service via invalid ReferenceBlackWhite values
+Origin: upstream, libtiff/tif_color.c r1.12.2.2
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
+Index: tiff-3.9.4/libtiff/tif_color.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_color.c	2011-03-03 10:42:19.000000000 -0500
++++ tiff-3.9.4/libtiff/tif_color.c	2011-03-03 10:42:25.000000000 -0500
+@@ -183,13 +183,18 @@
+ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
+ 	       uint32 *r, uint32 *g, uint32 *b)
+ {
++	int32 i;
++
+ 	/* XXX: Only 8-bit YCbCr input supported for now */
+ 	Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
+ 
+-	*r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
+-	*g = ycbcr->clamptab[ycbcr->Y_tab[Y]
+-	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
+-	*b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
++	i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
++	*r = CLAMP(i, 0, 255);
++	i = ycbcr->Y_tab[Y]
++	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
++	*g = CLAMP(i, 0, 255);
++	i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
++	*b = CLAMP(i, 0, 255);
+ }
+ 
+ /*
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2597.patch ./debian/patches/CVE-2010-2597.patch
--- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2597.patch	1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/CVE-2010-2597.patch	2011-03-03 11:21:05.000000000 -0500
@@ -0,0 +1,48 @@
+Description: fix denial of service via devide-by-zero
+Origin: upstream, r1.19.2.3
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2215
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/593067
+
+Index: tiff-3.9.4/libtiff/tif_strip.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_strip.c	2011-03-03 10:42:54.000000000 -0500
++++ tiff-3.9.4/libtiff/tif_strip.c	2011-03-03 10:43:04.000000000 -0500
+@@ -124,9 +124,9 @@
+ 		uint16 ycbcrsubsampling[2];
+ 		tsize_t w, scanline, samplingarea;
+ 
+-		TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
+-			      ycbcrsubsampling + 0,
+-			      ycbcrsubsampling + 1 );
++		TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++				      ycbcrsubsampling + 0,
++				      ycbcrsubsampling + 1);
+ 
+ 		samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
+ 		if (samplingarea == 0) {
+@@ -234,9 +234,9 @@
+ 		    && !isUpSampled(tif)) {
+ 			uint16 ycbcrsubsampling[2];
+ 
+-			TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+-				     ycbcrsubsampling + 0,
+-				     ycbcrsubsampling + 1);
++			TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++					      ycbcrsubsampling + 0,
++					      ycbcrsubsampling + 1);
+ 
+ 			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+@@ -304,9 +304,9 @@
+ 		    && !isUpSampled(tif)) {
+ 			uint16 ycbcrsubsampling[2];
+ 
+-			TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+-				     ycbcrsubsampling + 0,
+-				     ycbcrsubsampling + 1);
++			TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++					      ycbcrsubsampling + 0,
++					      ycbcrsubsampling + 1);
+ 
+ 			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2630.patch ./debian/patches/CVE-2010-2630.patch
--- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2630.patch	1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/CVE-2010-2630.patch	2011-03-03 11:23:51.000000000 -0500
@@ -0,0 +1,45 @@
+Description: fix denial of service via out-of-order tags
+Origin: upstream, r1.92.2.13
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2210
+
+Index: tiff-3.9.4/libtiff/tif_dirread.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_dirread.c	2011-03-03 10:43:39.000000000 -0500
++++ tiff-3.9.4/libtiff/tif_dirread.c	2011-03-03 10:43:44.000000000 -0500
+@@ -83,6 +83,7 @@
+ 	const TIFFFieldInfo* fip;
+ 	size_t fix;
+ 	uint16 dircount;
++	uint16 previous_tag = 0;
+ 	int diroutoforderwarning = 0, compressionknown = 0;
+ 	int haveunknowntags = 0;
+ 
+@@ -163,23 +164,24 @@
+ 
+ 		if (dp->tdir_tag == IGNORE)
+ 			continue;
+-		if (fix >= tif->tif_nfields)
+-			fix = 0;
+ 
+ 		/*
+ 		 * Silicon Beach (at least) writes unordered
+ 		 * directory tags (violating the spec).  Handle
+ 		 * it here, but be obnoxious (maybe they'll fix it?).
+ 		 */
+-		if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
++		if (dp->tdir_tag < previous_tag) {
+ 			if (!diroutoforderwarning) {
+ 				TIFFWarningExt(tif->tif_clientdata, module,
+ 	"%s: invalid TIFF directory; tags are not sorted in ascending order",
+ 					    tif->tif_name);
+ 				diroutoforderwarning = 1;
+ 			}
+-			fix = 0;			/* O(n^2) */
+ 		}
++		previous_tag = dp->tdir_tag;
++		if (fix >= tif->tif_nfields ||
++		    dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
++			fix = 0;			/* O(n^2) */
+ 		while (fix < tif->tif_nfields &&
+ 		    tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ 			fix++;
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-4665.patch ./debian/patches/CVE-2010-4665.patch
--- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-4665.patch	1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/CVE-2010-4665.patch	2012-04-02 10:57:37.000000000 -0400
@@ -0,0 +1,38 @@
+Description: fix denial of service and possible code execution via tiffdump
+Origin: extracted from libtiff 3.9.5
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2218
+
+Index: tiff-3.9.4/tools/tiffdump.c
+===================================================================
+--- tiff-3.9.4.orig/tools/tiffdump.c	2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffdump.c	2012-04-02 10:54:36.462126292 -0400
+@@ -52,6 +52,11 @@
+ # define O_BINARY	0
+ #endif
+ 
++/* Safe multiply which returns zero if there is an integer overflow */
++#ifndef TIFFSafeMultiply
++# define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
++#endif
++
+ char*	appname;
+ char*	curfile;
+ int	swabflag;
+@@ -317,7 +322,7 @@
+ 			printf(">\n");
+ 			continue;
+ 		}
+-		space = dp->tdir_count * datawidth[dp->tdir_type];
++		space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
+ 		if (space <= 0) {
+ 			printf(">\n");
+ 			Error("Invalid count for tag %u", dp->tdir_tag);
+@@ -709,7 +714,7 @@
+ 	w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
+ 	cc = dir->tdir_count * w;
+ 	if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
+-	    && read(fd, cp, cc) != -1) {
++	    && read(fd, cp, cc) == cc) {
+ 		if (swabflag) {
+ 			switch (dir->tdir_type) {
+ 			case TIFF_SHORT:
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-1173.patch ./debian/patches/CVE-2012-1173.patch
--- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-1173.patch	2012-04-02 11:40:12.000000000 -0400
+++ ./debian/patches/CVE-2012-1173.patch	2012-04-02 10:54:56.000000000 -0400
@@ -1,6 +1,23 @@
-diff -aur tiff-3.9.4.orig/libtiff/tif_getimage.c tiff-3.9.4/libtiff/tif_getimage.c
---- tiff-3.9.4.orig/libtiff/tif_getimage.c	2012-04-02 15:37:36.000000000 +0000
-+++ tiff-3.9.4/libtiff/tif_getimage.c	2012-04-02 15:39:31.000000000 +0000
+Description: fix arbitrary code execution via size overflow
+Origin: thanks to Tom Lane of Red Hat
+
+Index: tiff-3.9.4/libtiff/tiffiop.h
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tiffiop.h	2010-06-11 22:55:16.000000000 -0400
++++ tiff-3.9.4/libtiff/tiffiop.h	2012-04-02 10:54:54.058126125 -0400
+@@ -243,7 +243,7 @@
+ #define	TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
+ 
+ /* Safe multiply which returns zero if there is an integer overflow */
+-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+ 
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+ #define TIFFmin(A,B) ((A)<(B)?(A):(B))
+Index: tiff-3.9.4/libtiff/tif_getimage.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_getimage.c	2012-04-02 10:54:42.714126234 -0400
++++ tiff-3.9.4/libtiff/tif_getimage.c	2012-04-02 10:54:54.058126125 -0400
 @@ -673,18 +673,24 @@
  	unsigned char* p2;
  	unsigned char* pa;
@@ -54,15 +71,3 @@
  	p1 = p0 + stripsize;
  	p2 = p1 + stripsize;
  	pa = (alpha?(p2+stripsize):NULL);
-diff -aur tiff-3.9.4.orig/libtiff/tiffiop.h tiff-3.9.4/libtiff/tiffiop.h
---- tiff-3.9.4.orig/libtiff/tiffiop.h	2010-06-12 02:55:16.000000000 +0000
-+++ tiff-3.9.4/libtiff/tiffiop.h	2012-04-02 15:39:31.000000000 +0000
-@@ -243,7 +243,7 @@
- #define	TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
- 
- /* Safe multiply which returns zero if there is an integer overflow */
--#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0)
-+#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
- 
- #define TIFFmax(A,B) ((A)>(B)?(A):(B))
- #define TIFFmin(A,B) ((A)<(B)?(A):(B))
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-2088.patch ./debian/patches/CVE-2012-2088.patch
--- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-2088.patch	1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/CVE-2012-2088.patch	2012-07-04 10:55:05.000000000 -0400
@@ -0,0 +1,133 @@
+Description: fix possible arbitrary code execution via buffer overflow
+ due to type-conversion flaw
+Origin: thanks to Red Hat
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1016324
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678140
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=832864
+
+Index: tiff-3.9.5/libtiff/tif_strip.c
+===================================================================
+--- tiff-3.9.5.orig/libtiff/tif_strip.c	2011-01-03 23:31:28.000000000 -0500
++++ tiff-3.9.5/libtiff/tif_strip.c	2012-07-04 10:08:25.007573859 -0400
+@@ -107,6 +107,7 @@
+ TIFFVStripSize(TIFF* tif, uint32 nrows)
+ {
+ 	TIFFDirectory *td = &tif->tif_dir;
++	uint32 stripsize;
+ 
+ 	if (nrows == (uint32) -1)
+ 		nrows = td->td_imagelength;
+@@ -122,7 +123,7 @@
+ 		 * YCbCr data for the extended image.
+ 		 */
+ 		uint16 ycbcrsubsampling[2];
+-		tsize_t w, scanline, samplingarea;
++		uint32 w, scanline, samplingarea;
+ 
+ 		TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
+ 				      ycbcrsubsampling + 0,
+@@ -141,13 +142,27 @@
+ 		nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
+ 		/* NB: don't need TIFFhowmany here 'cuz everything is rounded */
+ 		scanline = multiply(tif, nrows, scanline, "TIFFVStripSize");
+-		return ((tsize_t)
+-		    summarize(tif, scanline,
+-			      multiply(tif, 2, scanline / samplingarea,
+-				       "TIFFVStripSize"), "TIFFVStripSize"));
++		/* a zero anywhere in here means overflow, must return zero */
++		if (scanline > 0) {
++			uint32 extra =
++			    multiply(tif, 2, scanline / samplingarea,
++				     "TIFFVStripSize");
++			if (extra > 0)
++				stripsize = summarize(tif, scanline, extra,
++						      "TIFFVStripSize");
++			else
++				stripsize = 0;
++		} else
++			stripsize = 0;
+ 	} else
+-		return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif),
+-					   "TIFFVStripSize"));
++		stripsize = multiply(tif, nrows, TIFFScanlineSize(tif),
++				     "TIFFVStripSize");
++	/* Because tsize_t is signed, we might have conversion overflow */
++	if (((tsize_t) stripsize) < 0) {
++		TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize");
++		stripsize = 0;
++	}
++	return (tsize_t) stripsize;
+ }
+ 
+ 
+Index: tiff-3.9.5/libtiff/tif_tile.c
+===================================================================
+--- tiff-3.9.5.orig/libtiff/tif_tile.c	2010-06-08 14:50:43.000000000 -0400
++++ tiff-3.9.5/libtiff/tif_tile.c	2012-07-04 10:08:25.007573859 -0400
+@@ -174,7 +174,7 @@
+ TIFFTileRowSize(TIFF* tif)
+ {
+ 	TIFFDirectory *td = &tif->tif_dir;
+-	tsize_t rowsize;
++	uint32 rowsize;
+ 	
+ 	if (td->td_tilelength == 0 || td->td_tilewidth == 0)
+ 		return ((tsize_t) 0);
+@@ -193,7 +193,7 @@
+ TIFFVTileSize(TIFF* tif, uint32 nrows)
+ {
+ 	TIFFDirectory *td = &tif->tif_dir;
+-	tsize_t tilesize;
++	uint32 tilesize;
+ 
+ 	if (td->td_tilelength == 0 || td->td_tilewidth == 0 ||
+ 	    td->td_tiledepth == 0)
+@@ -209,12 +209,12 @@
+ 		 * horizontal/vertical subsampling area include
+ 		 * YCbCr data for the extended image.
+ 		 */
+-		tsize_t w =
++		uint32 w =
+ 		    TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]);
+-		tsize_t rowsize =
++		uint32 rowsize =
+ 		    TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
+ 					  "TIFFVTileSize"));
+-		tsize_t samplingarea =
++		uint32 samplingarea =
+ 		    td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1];
+ 		if (samplingarea == 0) {
+ 			TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling");
+@@ -223,15 +223,27 @@
+ 		nrows = TIFFroundup(nrows, td->td_ycbcrsubsampling[1]);
+ 		/* NB: don't need TIFFhowmany here 'cuz everything is rounded */
+ 		tilesize = multiply(tif, nrows, rowsize, "TIFFVTileSize");
+-		tilesize = summarize(tif, tilesize,
+-				     multiply(tif, 2, tilesize / samplingarea,
+-					      "TIFFVTileSize"),
++		/* a zero anywhere in here means overflow, must return zero */
++		if (tilesize > 0) {
++			uint32 extra =
++			    multiply(tif, 2, tilesize / samplingarea,
+ 				     "TIFFVTileSize");
++			if (extra > 0)
++				tilesize = summarize(tif, tilesize, extra,
++						     "TIFFVTileSize");
++			else
++				tilesize = 0;
++		}
+ 	} else
+ 		tilesize = multiply(tif, nrows, TIFFTileRowSize(tif),
+ 				    "TIFFVTileSize");
+-	return ((tsize_t)
+-	    multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"));
++	tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize");
++	/* Because tsize_t is signed, we might have conversion overflow */
++	if (((tsize_t) tilesize) < 0) {
++		TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize");
++		tilesize = 0;
++	}
++	return (tsize_t) tilesize;
+ }
+ 
+ /*
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-2113.patch ./debian/patches/CVE-2012-2113.patch
--- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-2113.patch	1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/CVE-2012-2113.patch	2012-07-04 11:19:13.000000000 -0400
@@ -0,0 +1,259 @@
+Description: fix possible arbitrary code execution via integer
+ overflows in tiff2pdf
+Origin: thanks to Red Hat
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1016324
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678140
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=810551
+
+Index: tiff-3.9.4/tools/tiff2pdf.c
+===================================================================
+--- tiff-3.9.4.orig/tools/tiff2pdf.c	2012-07-04 10:59:50.839652872 -0400
++++ tiff-3.9.4/tools/tiff2pdf.c	2012-07-04 11:18:28.903681500 -0400
+@@ -44,6 +44,7 @@
+ # include <io.h>
+ #endif
+ 
++#include "tiffiop.h"
+ #include "tiffio.h"
+ 
+ #ifndef HAVE_GETOPT
+@@ -414,6 +415,34 @@
+ 	(void) handle, (void) data, (void) offset;
+ }
+ 
++static uint64
++checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p)
++{
++	uint64 bytes = summand1 + summand2;
++
++	if (bytes - summand1 != summand2) {
++		TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++		t2p->t2p_error = T2P_ERR_ERROR;
++		bytes = 0;
++	}
++
++	return bytes;
++}
++
++static uint64
++checkMultiply64(uint64 first, uint64 second, T2P* t2p)
++{
++	uint64 bytes = first * second;
++
++	if (second && bytes / second != first) {
++		TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++		t2p->t2p_error = T2P_ERR_ERROR;
++		bytes = 0;
++	}
++
++	return bytes;
++}
++
+ /*
+ 
+   This is the main function.
+@@ -1828,9 +1857,7 @@
+ 	tstrip_t i=0;
+ 	tstrip_t stripcount=0;
+ #endif
+-#ifdef OJPEG_SUPPORT
+-        tsize_t k = 0;
+-#endif
++        uint64 k = 0;
+ 
+ 	if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
+ #ifdef CCITT_SUPPORT
+@@ -1858,19 +1885,25 @@
+ 			}
+ 			stripcount=TIFFNumberOfStrips(input);
+ 			for(i=0;i<stripcount;i++){
+-				k += sbc[i];
++				k = checkAdd64(k, sbc[i], t2p);
+ 			}
+ 			if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){
+ 				if(t2p->tiff_dataoffset != 0){
+ 					if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){
+ 						if(t2p->tiff_datasize < k) {
+-							t2p->pdf_ojpegiflength=t2p->tiff_datasize;
+-							t2p->tiff_datasize+=k;
+-							t2p->tiff_datasize+=6;
+-							t2p->tiff_datasize+=2*stripcount;
+ 							TIFFWarning(TIFF2PDF_MODULE, 
+ 								"Input file %s has short JPEG interchange file byte count", 
+ 								TIFFFileName(input));
++							t2p->pdf_ojpegiflength=t2p->tiff_datasize;
++							k = checkAdd64(k, t2p->tiff_datasize, t2p);
++							k = checkAdd64(k, 6, t2p);
++							k = checkAdd64(k, stripcount, t2p);
++							k = checkAdd64(k, stripcount, t2p);
++							t2p->tiff_datasize = (tsize_t) k;
++							if ((uint64) t2p->tiff_datasize != k) {
++								TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++								t2p->t2p_error = T2P_ERR_ERROR;
++							}
+ 							return;
+ 						}
+ 						return;
+@@ -1883,9 +1916,14 @@
+ 					}
+ 				}
+ 			}
+-			t2p->tiff_datasize+=k;
+-			t2p->tiff_datasize+=2*stripcount;
+-			t2p->tiff_datasize+=2048;
++			k = checkAdd64(k, stripcount, t2p);
++			k = checkAdd64(k, stripcount, t2p);
++			k = checkAdd64(k, 2048, t2p);
++			t2p->tiff_datasize = (tsize_t) k;
++			if ((uint64) t2p->tiff_datasize != k) {
++				TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++				t2p->t2p_error = T2P_ERR_ERROR;
++			}
+ 			return;
+ 		}
+ #endif
+@@ -1894,11 +1932,11 @@
+ 			uint32 count = 0;
+ 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){
+ 				if(count > 4){
+-					t2p->tiff_datasize += count;
+-					t2p->tiff_datasize -= 2; /* don't use EOI of header */
++					k += count;
++					k -= 2; /* don't use EOI of header */
+ 				}
+ 			} else {
+-				t2p->tiff_datasize = 2; /* SOI for first strip */
++				k = 2; /* SOI for first strip */
+ 			}
+ 			stripcount=TIFFNumberOfStrips(input);
+ 			if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){
+@@ -1909,18 +1947,33 @@
+ 				return;
+ 			}
+ 			for(i=0;i<stripcount;i++){
+-				t2p->tiff_datasize += sbc[i];
+-				t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */
++				k = checkAdd64(k, sbc[i], t2p);
++				k -=4; /* don't use SOI or EOI of strip */
++			}
++			k = checkAdd64(k, 2, t2p); /* use EOI of last strip */
++			t2p->tiff_datasize = (tsize_t) k;
++			if ((uint64) t2p->tiff_datasize != k) {
++				TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++				t2p->t2p_error = T2P_ERR_ERROR;
+ 			}
+-			t2p->tiff_datasize +=2; /* use EOI of last strip */
+ 			return;
+ 		}
+ #endif
+ 		(void) 0;
+ 	}
+-	t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length;
++	k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+ 	if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+-		t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
++		k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++	}
++	if (k == 0) {
++		/* Assume we had overflow inside TIFFScanlineSize */
++		t2p->t2p_error = T2P_ERR_ERROR;
++	}
++
++	t2p->tiff_datasize = (tsize_t) k;
++	if ((uint64) t2p->tiff_datasize != k) {
++		TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++		t2p->t2p_error = T2P_ERR_ERROR;
+ 	}
+ 
+ 	return;
+@@ -1938,6 +1991,7 @@
+ #ifdef JPEG_SUPPORT
+ 	unsigned char* jpt;
+ #endif
++        uint64 k;
+ 
+ 	edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+ 	edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+@@ -1949,14 +2003,17 @@
+ #endif
+ 		){
+ 			t2p->tiff_datasize=TIFFTileSize(input);
++			if (t2p->tiff_datasize == 0) {
++				/* Assume we had overflow inside TIFFTileSize */
++				t2p->t2p_error = T2P_ERR_ERROR;
++			}
+ 			return;
+ 		} else {
+ 			TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc);
+-			t2p->tiff_datasize=tbc[tile];
++			k=tbc[tile];
+ #ifdef OJPEG_SUPPORT
+ 			if(t2p->tiff_compression==COMPRESSION_OJPEG){
+-				t2p->tiff_datasize+=2048;
+-				return;
++			  	k = checkAdd64(k, 2048, t2p);
+ 			}
+ #endif
+ #ifdef JPEG_SUPPORT
+@@ -1964,18 +2021,35 @@
+ 				uint32 count = 0;
+ 				if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){
+ 					if(count > 4){
+-						t2p->tiff_datasize += count;
+-						t2p->tiff_datasize -= 4; /* don't use EOI of header or SOI of tile */
++						k = checkAdd64(k, count, t2p);
++						k -= 4; /* don't use EOI of header or SOI of tile */
++
++
+ 					}
+ 				}
+ 			}
+ #endif
++			t2p->tiff_datasize = (tsize_t) k;
++			if ((uint64) t2p->tiff_datasize != k) {
++				TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++				t2p->t2p_error = T2P_ERR_ERROR;
++			}
+ 			return;
+ 		}
+ 	}
+-	t2p->tiff_datasize=TIFFTileSize(input);
++	k = TIFFTileSize(input);
+ 	if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+-		t2p->tiff_datasize*= t2p->tiff_samplesperpixel;
++		k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++	}
++	if (k == 0) {
++		/* Assume we had overflow inside TIFFTileSize */
++		t2p->t2p_error = T2P_ERR_ERROR;
++	}
++
++	t2p->tiff_datasize = (tsize_t) k;
++	if ((uint64) t2p->tiff_datasize != k) {
++		TIFFError(TIFF2PDF_MODULE, "Integer overflow");
++		t2p->t2p_error = T2P_ERR_ERROR;
+ 	}
+ 
+ 	return;
+@@ -2068,6 +2142,10 @@
+ 	uint32 max_striplength=0;
+ #endif
+ 
++	/* Fail if prior error (in particular, can't trust tiff_datasize) */
++	if (t2p->t2p_error != T2P_ERR_OK)
++		return(0);
++
+ 	if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){
+ #ifdef CCITT_SUPPORT
+ 		if(t2p->pdf_compression == T2P_COMPRESS_G4){
+@@ -2641,6 +2719,10 @@
+ 	uint32 xuint32=0;
+ #endif
+ 
++	/* Fail if prior error (in particular, can't trust tiff_datasize) */
++	if (t2p->t2p_error != T2P_ERR_OK)
++		return(0);
++
+ 	edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+ 	edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile);
+ 
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-3401.patch ./debian/patches/CVE-2012-3401.patch
--- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-3401.patch	1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/CVE-2012-3401.patch	2012-07-16 09:50:51.000000000 -0400
@@ -0,0 +1,16 @@
+Description: fix possible arbitrary code execution via heap overflow
+ in tiff2pdf.
+Origin: Patch thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com>
+
+Index: tiff-3.9.4/tools/tiff2pdf.c
+===================================================================
+--- tiff-3.9.4.orig/tools/tiff2pdf.c	2012-07-16 09:44:41.000000000 -0400
++++ tiff-3.9.4/tools/tiff2pdf.c	2012-07-16 09:50:48.740976594 -0400
+@@ -1119,6 +1119,7 @@
+ 				"Can't set directory %u of input file %s", 
+ 				i,
+ 				TIFFFileName(input));
++			t2p->t2p_error = T2P_ERR_ERROR;
+ 			return;
+ 		}
+ 		if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){
diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/series ./debian/patches/series
--- ../tiff-3.9.4-5+squeeze4/debian/patches/series	2012-04-02 11:40:38.000000000 -0400
+++ ./debian/patches/series	2012-07-16 09:50:46.000000000 -0400
@@ -4,7 +4,15 @@
 man-spelling.patch
 tif_getimage.c-CVE-2010-2233.patch
 fix-ycbcr-oob-read.patch
+CVE-2010-2482.patch
+CVE-2010-2595.patch
+CVE-2010-2597.patch
+CVE-2010-2630.patch
 CVE-2011-0192.patch
 CVE-2011-1167.patch
 CVE-2009-5022.patch
+CVE-2010-4665.patch
 CVE-2012-1173.patch
+CVE-2012-2088.patch
+CVE-2012-2113.patch
+CVE-2012-3401.patch

Message #36 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: Jay Berkenbilt <qjb@debian.org>

Cc: Lee Garrett <lgarrett@programmfabrik.de>, 678140@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Sun, 23 Sep 2012 13:52:14 +0200

On Saturday 22 September 2012, Jay Berkenbilt wrote:
> Please let me know whether I should do the upload or whether you will
> prepare a package for stable-security based on the attached patch.

The patch looks good for me. I can write the DSA text today. Just a minor 
question: CVE-2010-2482 should be fixed in 3.9.4. Did I missed something?

Cheers, luciano

Message #41 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Lee Garrett <lgarrett@programmfabrik.de>

To: Luciano Bello <luciano@debian.org>

Cc: Jay Berkenbilt <qjb@debian.org>, 678140@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Mon, 24 Sep 2012 11:24:15 +0200

On 09/23/2012 01:52 PM, Luciano Bello wrote:
> The patch looks good for me. I can write the DSA text today. Just a minor
> question: CVE-2010-2482 should be fixed in 3.9.4. Did I missed something?

According to the sources linked to in Debian's security-tracker, all 
versions up to and including 3.9.4 are affected.

Message #46 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Lee Garrett <lgarrett@programmfabrik.de>

To: Luciano Bello <luciano@debian.org>

Cc: Jay Berkenbilt <qjb@debian.org>, 678140@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Thu, 27 Sep 2012 12:49:20 +0200

Hi Jay,

thanks for going through the effort of checking up on all CVEs and 
packaging it up.

CVE-2012-2088 still affects 3.9.4-5+squeeze5 though. The only other 
vulnerability left is tracked in #688944, which was opened just today.

--Lee

Message #51 received at 678140-close@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: 678140-close@bugs.debian.org

Subject: Bug#678140: fixed in tiff 3.9.4-5+squeeze5

Date: Mon, 01 Oct 2012 20:47:05 +0000

Source: tiff
Source-Version: 3.9.4-5+squeeze5

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 678140@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 Sep 2012 11:51:18 -0400
Source: tiff
Binary: libtiff4 libtiffxx0c2 libtiff4-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 3.9.4-5+squeeze5
Distribution: stable-security
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 678140
Changes: 
 tiff (3.9.4-5+squeeze5) stable-security; urgency=high
 .
   * Added several additional security patches taken from the Ubuntu Natty
     (11.04) tiff package.  (Closes: #678140)
 .
     CVE-2010-2482
     CVE-2010-2595
     CVE-2010-2597
     CVE-2010-2630
     CVE-2010-4665
     CVE-2012-2113
     CVE-2012-3401
Checksums-Sha1: 
 4896a0dff53d2543f00f560a005ff8f0a97071d5 1872 tiff_3.9.4-5+squeeze5.dsc
 f13d6f2064b29e75f8301a7cfa6a4d43e216edff 23185 tiff_3.9.4-5+squeeze5.debian.tar.gz
 472f96c99b2f31f2d9316f430f239b7c7ef41530 386102 libtiff-doc_3.9.4-5+squeeze5_all.deb
 1e301115103dae167b66cc386b61ed496d8c55d8 195064 libtiff4_3.9.4-5+squeeze5_amd64.deb
 d8faeb98b5eae6f0e71b229b4aaf4e20f19a9cbf 59072 libtiffxx0c2_3.9.4-5+squeeze5_amd64.deb
 f292d6336c4fa5ff78016a580afe2441a13eea83 322122 libtiff4-dev_3.9.4-5+squeeze5_amd64.deb
 21ddd107ffa53c0e48053529fe374f74e2b27ada 302544 libtiff-tools_3.9.4-5+squeeze5_amd64.deb
 05681ba67e6ad786860a6828f6e7340cd8fc830d 64494 libtiff-opengl_3.9.4-5+squeeze5_amd64.deb
Checksums-Sha256: 
 df07a5f8dfc2a3d3f42fe338daf6e7430341e43480acc27d64304098ae064958 1872 tiff_3.9.4-5+squeeze5.dsc
 3170be98e32ba5747bc3fb7c9ef5fbe50d0d3a41c7274c7b30a4738fbbede930 23185 tiff_3.9.4-5+squeeze5.debian.tar.gz
 a2c360e373e4199c728e7999ebe5c64a62363dd829ed7427bef13767d925f329 386102 libtiff-doc_3.9.4-5+squeeze5_all.deb
 691b4e6efcba385febd7e9936f107557e03b482ed9f756b2709ad24a453a347c 195064 libtiff4_3.9.4-5+squeeze5_amd64.deb
 c106fa8bbd0224172841a7de8e2f8329b1de1341c134ac7718c7a82781392d1e 59072 libtiffxx0c2_3.9.4-5+squeeze5_amd64.deb
 6e5a2c82b70810dc8ee951eb2380a8818357f5c94c30487cca4f73816aeea64c 322122 libtiff4-dev_3.9.4-5+squeeze5_amd64.deb
 9981aee3bb305144a138226fd038dcc61a5347f26e30f9977ff478cd2978c29a 302544 libtiff-tools_3.9.4-5+squeeze5_amd64.deb
 1350a8182eef7fc5273c8245bccee91d6e3ef63c9c9b8087e78c21f74bdbeef8 64494 libtiff-opengl_3.9.4-5+squeeze5_amd64.deb
Files: 
 a7ca076520bf975d5fb78b157de056f4 1872 libs optional tiff_3.9.4-5+squeeze5.dsc
 8d9275bc606f4aed473ce41bf71af3d6 23185 libs optional tiff_3.9.4-5+squeeze5.debian.tar.gz
 6a589ac4e3546bb8e497eacb4b35e6c4 386102 doc optional libtiff-doc_3.9.4-5+squeeze5_all.deb
 c6a63952d2b720c095548b122762099b 195064 libs optional libtiff4_3.9.4-5+squeeze5_amd64.deb
 fbd39c5b3fc5ea6af6c61b06d5a22ba0 59072 libs optional libtiffxx0c2_3.9.4-5+squeeze5_amd64.deb
 f056139dc31c87e3ff6a8a4e0e8d4539 322122 libdevel optional libtiff4-dev_3.9.4-5+squeeze5_amd64.deb
 e0eeba4eb48982cf821d352dfa500698 302544 graphics optional libtiff-tools_3.9.4-5+squeeze5_amd64.deb
 d4413586e598f411fbb7da14dda9d232 64494 graphics optional libtiff-opengl_3.9.4-5+squeeze5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIbBAEBAgAGBQJQY0A/AAoJEIp10QmYASx+UnwP+KpA/btBV3zCZOyD0JhbzMmw
c0UzmWIratz7vUEeTbHcwXm+1lLmkUioQepTNWyyuBLRitc+4mPxcUIFQnCVYNpM
2lNgLBAwVT2tpAyVv7KgL6RRGVT93jU5H8Z8WSEYvkaoTnGHhKk+2z8j+cc4RUYI
FK0G+vLvZAnw8lo734aoKVk+TD1rsf2OfuzyDbRf/OVMnuSxgeGpXSh/zs9OJhSt
wF39GDsdT2O8KMBzorXI/ANPuJC1HDqvQeHPdshbd7TyBwD1dJE8sobGhxXnVeXt
Tx7bnmbMpkbM397h8U/QfKQmLieUrDoGYnMbG6WjViUhLHEDzC2W5OA5w2CB+Fvn
1OdNejp1sUDEXi9kFHyiCx60HXJW+GGaxe6puudgZ2vKru8BsC2xXXHtw03O9/nn
QNCaRcCaeNki4VTiUSXwMtm88y5Q+/v63JY/S3zyhmoom82Y7OlDlgmiC/wCXacM
v3R/jv49dKRg0Hx6p4dAw2z7Q4LWGpBazn3VQp15WjoA2gzdrpV+wkz9DnAM2EBr
KSOS8AG3WK7XiIh59nuBp9SJ5vP0EIkJBUjeiLoofxYonZeDLwrpAwoza3AiP9LQ
1VX1BZZqvviJyMvQby5lgbEp/FNJwlkym43j+/KP6bx8m6QRWpdAblNnY1YvA8CU
dRVJAEPtt+SPzFsBcOk=
=VuZy
-----END PGP SIGNATURE-----

Message #56 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: Lee Garrett <lgarrett@programmfabrik.de>

Cc: 678140@bugs.debian.org, Luciano Bello <luciano@debian.org>, team@security.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Fri, 05 Oct 2012 16:37:08 -0400

Lee Garrett <lgarrett@programmfabrik.de> wrote:

> Hi Jay,
>
> thanks for going through the effort of checking up on all CVEs and
> packaging it up.
>
> CVE-2012-2088 still affects 3.9.4-5+squeeze5 though. The only other
> vulnerability left is tracked in #688944, which was opened just today.

Sorry...I'll double check CVE-2012-2088 and see what I messed up on with
that.  I'll also take care of 2012-4447 for unstable and stable and will
upload to unstable with urgency high and no other changes so it can go
to testing.

-- 
Jay Berkenbilt <qjb@debian.org>

Message #61 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: Lee Garrett <lgarrett@programmfabrik.de>

Cc: 678140@bugs.debian.org, Luciano Bello <luciano@debian.org>, team@security.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Fri, 05 Oct 2012 16:53:17 -0400

Jay Berkenbilt <qjb@debian.org> wrote:

> Lee Garrett <lgarrett@programmfabrik.de> wrote:
>
>> Hi Jay,
>>
>> thanks for going through the effort of checking up on all CVEs and
>> packaging it up.
>>
>> CVE-2012-2088 still affects 3.9.4-5+squeeze5 though. The only other
>> vulnerability left is tracked in #688944, which was opened just today.
>
> Sorry...I'll double check CVE-2012-2088 and see what I messed up on with
> that.  I'll also take care of 2012-4447 for unstable and stable and will
> upload to unstable with urgency high and no other changes so it can go
> to testing.

Actually, why do you say 3.9.4-5+squeeze5 is affected by CVE-2012-2088?
Is the patch wrong?

Oh, I see.  I left it out of the changelog.  The patch is there though.
I'll make sure all patches are listed in the changelog.

Message #66 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: Lee Garrett <lgarrett@programmfabrik.de>

Cc: 678140@bugs.debian.org, Luciano Bello <luciano@debian.org>, team@security.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Fri, 05 Oct 2012 17:09:48 -0400

[Message part 1 (text/plain, inline)]

Jay Berkenbilt <qjb@debian.org> wrote:

> Jay Berkenbilt <qjb@debian.org> wrote:
>
>> Lee Garrett <lgarrett@programmfabrik.de> wrote:
>>
>>> Hi Jay,
>>>
>>> thanks for going through the effort of checking up on all CVEs and
>>> packaging it up.
>>>
>>> CVE-2012-2088 still affects 3.9.4-5+squeeze5 though. The only other
>>> vulnerability left is tracked in #688944, which was opened just today.

To address CVE-2012-4777, I will be uploading 3.9.4-5+squeeze6 with the
attached differences.

[tiff-3.9.4-5+squeeze5-to-6.patch (text/x-diff, inline)]

diff -urN ../tiff-3.9.4-5+squeeze5/debian/changelog ./debian/changelog
--- ../tiff-3.9.4-5+squeeze5/debian/changelog	2012-09-26 13:46:28.000000000 -0400
+++ ./debian/changelog	2012-10-05 16:54:07.553605838 -0400
@@ -1,3 +1,11 @@
+tiff (3.9.4-5+squeeze6) stable-security; urgency=high
+
+  * Add fix for CVE-2012-4777, a buffer overrun.  (Closes: #688944)
+  * CVE-2012-2088 was actually included in previous version but not listed
+    in the change log.
+
+ -- Jay Berkenbilt <qjb@debian.org>  Fri, 05 Oct 2012 16:54:07 -0400
+
 tiff (3.9.4-5+squeeze5) stable-security; urgency=high
 
   * Added several additional security patches taken from the Ubuntu Natty
diff -urN ../tiff-3.9.4-5+squeeze5/debian/patches/CVE-2012-4777.patch ./debian/patches/CVE-2012-4777.patch
--- ../tiff-3.9.4-5+squeeze5/debian/patches/CVE-2012-4777.patch	1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/CVE-2012-4777.patch	2012-10-05 16:51:57.205609335 -0400
@@ -0,0 +1,13 @@
+Index: tiff-3.9.4/libtiff/tif_pixarlog.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c	2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_pixarlog.c	2012-10-05 16:51:49.201609547 -0400
+@@ -663,7 +663,7 @@
+ 				      td->td_rowsperstrip), sizeof(uint16));
+ 	if (tbuf_size == 0)
+ 		return (0);
+-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
++	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
+ 	if (sp->tbuf == NULL)
+ 		return (0);
+ 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
diff -urN ../tiff-3.9.4-5+squeeze5/debian/patches/series ./debian/patches/series
--- ../tiff-3.9.4-5+squeeze5/debian/patches/series	2012-07-16 09:50:46.000000000 -0400
+++ ./debian/patches/series	2012-10-05 16:51:20.493610319 -0400
@@ -16,3 +16,4 @@
 CVE-2012-2088.patch
 CVE-2012-2113.patch
 CVE-2012-3401.patch
+CVE-2012-4777.patch

[Message part 3 (text/plain, inline)]

-- 
Jay Berkenbilt <qjb@debian.org>

Message #71 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>

To: Lee Garrett <lgarrett@programmfabrik.de>

Cc: 678140@bugs.debian.org, Luciano Bello <luciano@debian.org>, team@security.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Fri, 05 Oct 2012 17:46:09 -0400

Please disregard my email in response to this thread on CVE-2012-4777,
which is the wrong number.  I have fixed it to be 2012-4447 and have
discussed it in an appropriate thread with the right subject, audience,
and bug number.

Message #76 received at 678140@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Jay Berkenbilt <qjb@debian.org>

Cc: Lee Garrett <lgarrett@programmfabrik.de>, 678140@bugs.debian.org, Luciano Bello <luciano@debian.org>, team@security.debian.org

Subject: Re: Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

Date: Sun, 7 Oct 2012 11:26:30 +0200

> To address CVE-2012-4777, I will be uploading 3.9.4-5+squeeze6 with the
> attached differences.

> diff -urN ../tiff-3.9.4-5+squeeze5/debian/changelog ./debian/changelog
> --- ../tiff-3.9.4-5+squeeze5/debian/changelog	2012-09-26 13:46:28.000000000 -0400
> +++ ./debian/changelog	2012-10-05 16:54:07.553605838 -0400
> @@ -1,3 +1,11 @@
> +tiff (3.9.4-5+squeeze6) stable-security; urgency=high
> +
> +  * Add fix for CVE-2012-4777, a buffer overrun.  (Closes: #688944)
> +  * CVE-2012-2088 was actually included in previous version but not listed
> +    in the change log.
> +
> + -- Jay Berkenbilt <qjb@debian.org>  Fri, 05 Oct 2012 16:54:07 -0400
> +
>  tiff (3.9.4-5+squeeze5) stable-security; urgency=high
>  
>    * Added several additional security patches taken from the Ubuntu Natty
> diff -urN ../tiff-3.9.4-5+squeeze5/debian/patches/CVE-2012-4777.patch ./debian/patches/CVE-2012-4777.patch
> --- ../tiff-3.9.4-5+squeeze5/debian/patches/CVE-2012-4777.patch	1969-12-31 19:00:00.000000000 -0500
> +++ ./debian/patches/CVE-2012-4777.patch	2012-10-05 16:51:57.205609335 -0400
> @@ -0,0 +1,13 @@
> +Index: tiff-3.9.4/libtiff/tif_pixarlog.c
> +===================================================================
> +--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c	2010-06-08 14:50:42.000000000 -0400
> ++++ tiff-3.9.4/libtiff/tif_pixarlog.c	2012-10-05 16:51:49.201609547 -0400
> +@@ -663,7 +663,7 @@
> + 				      td->td_rowsperstrip), sizeof(uint16));
> + 	if (tbuf_size == 0)
> + 		return (0);
> +-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
> ++	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
> + 	if (sp->tbuf == NULL)
> + 		return (0);
> + 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
> diff -urN ../tiff-3.9.4-5+squeeze5/debian/patches/series ./debian/patches/series
> --- ../tiff-3.9.4-5+squeeze5/debian/patches/series	2012-07-16 09:50:46.000000000 -0400
> +++ ./debian/patches/series	2012-10-05 16:51:20.493610319 -0400
> @@ -16,3 +16,4 @@
>  CVE-2012-2088.patch
>  CVE-2012-2113.patch
>  CVE-2012-3401.patch
> +CVE-2012-4777.patch

Looks good, please upload.

Cheers,
        Moritz

Send a report that this bug log contains spam.