CVE-2006-0405: DoS through null pointer dereference

Related Vulnerabilities: CVE-2006-0405  

Debian Bug report logs - #350715

Package: tiff; Maintainer for tiff is Laszlo Boszormenyi (GCS) <gcs@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 31 Jan 2006 11:18:07 UTC

Severity: important

Tags: security

Fixed in version tiff/3.8.0-2

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jay Berkenbilt <qjb@debian.org>:
Bug#350715; Package tiff.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jay Berkenbilt <qjb@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-0405: DoS through null pointer dereference
Date: Tue, 31 Jan 2006 12:09:09 +0100

Package: tiff
Severity: important
Tags: security

Hi,
3.8.0 seems to have introduced two regressions that have DoS potential:

| The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 
| allows remote attackers to cause a denial of service (application
| crash) via a crafted TIFF image that triggers a NULL pointer
| dereference, possibly due to changes in type declarations and/or
| the TIFFVSetField function.

http://bugzilla.remotesensing.org/show_bug.cgi?id=1029
http://bugzilla.remotesensing.org/show_bug.cgi?id=1034
 
oldstable and stable do not seem to be affected, can you please verify/
confirm?

This is CVE-2006-0405, please mention it in the changelog when fixing it.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#350715; Package tiff.


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.


Message #10 received at 350715@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 350715@bugs.debian.org
Subject: Re: Bug#350715: CVE-2006-0405: DoS through null pointer dereference
Date: Tue, 31 Jan 2006 19:14:11 -0500

Moritz Muehlenhoff <jmm@inutil.org> wrote:

> Package: tiff
> Severity: important
> Tags: security
>
> Hi,
> 3.8.0 seems to have introduced two regressions that have DoS potential:
>
> | The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 
> | allows remote attackers to cause a denial of service (application
> | crash) via a crafted TIFF image that triggers a NULL pointer
> | dereference, possibly due to changes in type declarations and/or
> | the TIFFVSetField function.
>
> http://bugzilla.remotesensing.org/show_bug.cgi?id=1029
> http://bugzilla.remotesensing.org/show_bug.cgi?id=1034
>  
> oldstable and stable do not seem to be affected, can you please verify/
> confirm?
>
> This is CVE-2006-0405, please mention it in the changelog when fixing it.

I'll check into this right away.  Thanks.

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#350715; Package tiff.


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.


Message #15 received at 350715@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 350715@bugs.debian.org
Subject: Re: Bug#350715: CVE-2006-0405: DoS through null pointer dereference
Date: Tue, 31 Jan 2006 21:21:56 -0500

Moritz Muehlenhoff <jmm@inutil.org> wrote:

> 3.8.0 seems to have introduced two regressions that have DoS potential:
>
> | The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0
> | allows remote attackers to cause a denial of service (application
> | crash) via a crafted TIFF image that triggers a NULL pointer
> | dereference, possibly due to changes in type declarations and/or
> | the TIFFVSetField function.
>
> http://bugzilla.remotesensing.org/show_bug.cgi?id=1029
> http://bugzilla.remotesensing.org/show_bug.cgi?id=1034
>
> oldstable and stable do not seem to be affected, can you please verify/
> confirm?
>
> This is CVE-2006-0405, please mention it in the changelog when fixing it.

As far as I can tell, a satisfactory patch has not been attached to
one of these bug reports.  The patches that are included there all
seem to have later been demonstrated to cause other problems, and none
of them have been blessed by the upstream maintainers.

For now, I have subscribed myself to the two bugs in upstream's
bugzilla so I can monitor this and include a patch into the debian
package as soon as one is generated.  I may even be able to study the
problem myself, but not before the weekend.

Please let me know if you feel that there's something else I should do
beyond this.  If you think this problem is significant enough to
prevent tiff from migrating to testing, the severity can be updated to
serious, but either way, I'll keep watching the issue and upload a
fixed version as soon as a fix is available.  Thanks for the report.

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#350715; Package tiff.


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.


Message #20 received at 350715@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 350715@bugs.debian.org
Subject: Re: Bug#350715: CVE-2006-0405: DoS through null pointer dereference
Date: Fri, 03 Feb 2006 12:00:38 -0500

Upstream appears to have a fix for this problem.  I will test and
prepare new packages tonight.

-- 
Jay Berkenbilt <qjb@debian.org>



Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.


Message #25 received at 350715-close@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 350715-close@bugs.debian.org
Subject: Bug#350715: fixed in tiff 3.8.0-2
Date: Fri, 03 Feb 2006 20:06:55 -0800

Source: tiff
Source-Version: 3.8.0-2

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-opengl_3.8.0-2_i386.deb
  to pool/main/t/tiff/libtiff-opengl_3.8.0-2_i386.deb
libtiff-tools_3.8.0-2_i386.deb
  to pool/main/t/tiff/libtiff-tools_3.8.0-2_i386.deb
libtiff4-dev_3.8.0-2_i386.deb
  to pool/main/t/tiff/libtiff4-dev_3.8.0-2_i386.deb
libtiff4_3.8.0-2_i386.deb
  to pool/main/t/tiff/libtiff4_3.8.0-2_i386.deb
libtiffxx0c2_3.8.0-2_i386.deb
  to pool/main/t/tiff/libtiffxx0c2_3.8.0-2_i386.deb
tiff_3.8.0-2.diff.gz
  to pool/main/t/tiff/tiff_3.8.0-2.diff.gz
tiff_3.8.0-2.dsc
  to pool/main/t/tiff/tiff_3.8.0-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 350715@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  3 Feb 2006 21:48:39 -0500
Source: tiff
Binary: libtiff-opengl libtiffxx0c2 libtiff4 libtiff-tools libtiff4-dev
Architecture: source i386
Version: 3.8.0-2
Distribution: unstable
Urgency: low
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 350715 351223
Changes: 
 tiff (3.8.0-2) unstable; urgency=low
 .
   * Applied fixes from upstream to address a memory access violation
     [CVE-2006-0405].  (Closes: #350715, #351223)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD5Bi6EBVk6taI4KcRAru+AJ9gtReJfk5KYPiPzrVMj0/Ab5qTKwCgqkIH
bpURW3yEqXQDzg4JNsJR61M=
=c/f4
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 16:58:05 GMT)

