libtiff-tools: Buffer overflow in tiffsplit [CVE-2006-2656]

Related Vulnerabilities: CVE-2006-2656  

Debian Bug report logs - #369819
libtiff-tools: Buffer overflow in tiffsplit [CVE-2006-2656]


Reported by: Martin Pitt <martin.pitt@ubuntu.com>

Date: Thu, 1 Jun 2006 14:48:09 UTC

Severity: normal

Tags: patch, security

Found in version tiff/3.7.4-1

Fixed in version tiff/3.8.2-3

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#369819; Package libtiff-tools. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Jay Berkenbilt <qjb@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: libtiff-tools: Buffer overflow in tiffsplit [CVE-2006-2656]
Date: Thu, 1 Jun 2006 16:16:12 +0200
[Message part 1 (text/plain, inline)]
Package: libtiff-tools
Version: 3.7.4-1
Severity: normal
Tags: security patch

Recently, a buffer overflow in tiffsplit has been discovered:

  http://marc.theaimsgroup.com/?l=vuln-dev&m=114857412916909&w=2

You can execute arbitrary code with crafted long file names or
prefixes. Of course this is pretty lame usually, but it can become an
issue if tiffsplit is used with untrusted input in an automated
system. Which should be only theoretical, but since it is easy to
patch, it can as well be fixed properly. (Also, Fedora fixed it,
and we don't want to lose our reputation, do we? :) )

Find the patch here:

  http://patches.ubuntu.com/patches/tiff.CVE-2006-2656.diff

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
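
The bug class described in the report above, as an added example that is not code from tiffsplit or the libtiff project: a fixed-size prefix buffer filled from the command line and a "<prefix>.tif" path buffer built from it. The unbounded strcpy that overflowed is shown in a comment, and the bounded copy mirrors the snprintf fix that the maintainer's patch later in this thread applies, extended with a return-value check so that a prefix that does not fit is rejected with an error rather than silently truncated into a different file name. The buffer sizes, function names and helper routines are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sizes: FNAME_SIZE stands in for tiffsplit's statically sized
 * prefix buffer, PATH_SIZE for its char path[1024+1]. */
#define FNAME_SIZE 1024
#define PATH_SIZE (1024 + 1)

/* Copy the user-supplied prefix into fname, refusing input that does not fit.
 * The original code did  strcpy(fname, arg);  which writes past the end of
 * fname for any arg longer than FNAME_SIZE-1 bytes.  snprintf never writes
 * more than size bytes and always NUL-terminates; its return value is the
 * length it wanted to write, so a value >= size means truncation happened.
 * Returns 0 on success, -1 if arg is too long. */
int copy_prefix(char *fname, size_t size, const char *arg)
{
    int n = snprintf(fname, size, "%s", arg);  /* arg is an argument, never the format */
    if (n < 0 || (size_t)n >= size) {
        fname[0] = '\0';
        return -1;
    }
    return 0;
}

/* Build "<prefix>.tif" into path.  The original did strcpy(path, fname);
 * strcat(path, ".tif");.  The suffix adds four bytes, so a prefix that fit
 * in fname can still overflow path; check this step's result as well. */
int build_path(char *path, size_t size, const char *fname)
{
    int n = snprintf(path, size, "%s.tif", fname);
    if (n < 0 || (size_t)n >= size) {
        path[0] = '\0';
        return -1;
    }
    return 0;
}

/* Run both steps for one prefix; 0 on success, -1 if either step would truncate. */
int make_output_path(const char *arg, char *path, size_t path_size)
{
    char fname[FNAME_SIZE];
    if (copy_prefix(fname, sizeof fname, arg) != 0)
        return -1;
    return build_path(path, path_size, fname);
}

/* Helper: try a constructed prefix of len 'a' characters (the reporter's
 * reproducer uses 40000 of them) and return make_output_path's verdict. */
int try_prefix_len(size_t len)
{
    char path[PATH_SIZE];
    char *arg = malloc(len + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'a', len);
    arg[len] = '\0';
    int rc = make_output_path(arg, path, sizeof path);
    free(arg);
    return rc;
}

/* Helper: 1 if the prefix is accepted and yields exactly `expected`, else 0. */
int path_matches(const char *arg, const char *expected)
{
    char path[PATH_SIZE];
    if (make_output_path(arg, path, sizeof path) != 0)
        return 0;
    return strcmp(path, expected) == 0;
}

int main(int argc, char **argv)
{
    char path[PATH_SIZE];
    const char *prefix = argc > 1 ? argv[1] : "xaaa";
    if (make_output_path(prefix, path, sizeof path) != 0) {
        fprintf(stderr, "prefix too long (max %d characters)\n", FNAME_SIZE - 1);
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```

With these sizes a 1020-character prefix is the longest that survives both steps: it fits the prefix buffer with room to spare, but 1021 characters plus ".tif" plus the terminator no longer fit the path buffer, which is exactly the case that a check on the first snprintf alone would miss.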

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#369819; Package libtiff-tools. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (full text, mbox, link).


Message #10 received at 369819@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: 369819@bugs.debian.org
Subject: Reproducer
Date: Thu, 1 Jun 2006 17:58:17 +0200
[Message part 1 (text/plain, inline)]
Hi again,

btw, this can be checked with

  touch x.tif; tiffsplit x.tif `perl -e 'print "a"x40000;'`

Greetings,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#369819; Package libtiff-tools. (full text, mbox, link).


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #15 received at 369819@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>
To: Martin Pitt <martin.pitt@ubuntu.com>
Cc: 369819@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#369819: libtiff-tools: Buffer overflow in tiffsplit [CVE-2006-2656]
Date: Thu, 01 Jun 2006 21:08:31 -0400
Martin Pitt <martin.pitt@ubuntu.com> wrote:

> Package: libtiff-tools
> Version: 3.7.4-1
> Severity: normal
> Tags: security patch
>
> Recently, a buffer overflow in tiffsplit has been discovered:
>
>   http://marc.theaimsgroup.com/?l=vuln-dev&m=114857412916909&w=2
>
> You can execute arbitrary code with crafted long file names or
> prefixes. Of course this is pretty lame usually, but it can become an
> issue if tiffsplit is used with untrusted input in an automated
> system. Which should be only theoretical, but since it is easy to
> patch, it can as well be fixed properly. (Also, Fedora fixed it,
> and we don't want to lose our reputation, do we? :) )
>
> Find the patch here:
>
>   http://patches.ubuntu.com/patches/tiff.CVE-2006-2656.diff
>
> Thanks,
>
> Martin

Thanks.  I have confirmed that both the tiff in sarge and sid are
vulnerable.  I'll apply the patch and prepare new versions for both
sarge and sid and will notify the security team when the uploads are
ready.

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#369819; Package libtiff-tools. (full text, mbox, link).


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #20 received at 369819@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>
To: team@security.debian.org
Cc: Martin Pitt <martin.pitt@ubuntu.com>, 369819@bugs.debian.org
Subject: Re: Bug#369819: libtiff-tools: Buffer overflow in tiffsplit [CVE-2006-2656]
Date: Thu, 01 Jun 2006 21:39:22 -0400
[Message part 1 (text/plain, inline)]
I've fixed this libtiff-tools problem.  The problem is fixed in
3.8.2-3 (which I am about to upload) and in 3.7.2-5.  Attached is a
patch that brings 3.7.2-4 to 3.7.2-5.  I haven't built or tested it
under sarge, but I have verified that the 3.7.2-5 package as created
by this patch in debian/patches applies cleanly.  (Nested patches.
Hooray.)  Please let me know if there's anything else I need to do.

-- 
Jay Berkenbilt <qjb@debian.org>

[tiff_3.7.2-5.patch (text/x-patch, inline)]
diff -urN tiff-3.7.2.orig/debian/changelog tiff-3.7.2/debian/changelog
--- tiff-3.7.2.orig/debian/changelog	2006-06-01 21:33:48.587122666 -0400
+++ tiff-3.7.2/debian/changelog	2006-06-01 21:32:30.206036908 -0400
@@ -1,3 +1,14 @@
+tiff (3.7.2-5) stable-security; urgency=high
+
+  * SECURITY UPDATE: Arbitrary command execution with crafted long file
+    names.  Thanks to Martin Pitt for forwarding this.
+    Add debian/patches/tiffsplit-fname-overflow.patch:
+    - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
+      user-specified file name into a statically sized buffer.
+    CVE-2006-2656
+
+ -- Jay Berkenbilt <qjb@debian.org>  Thu,  1 Jun 2006 21:24:21 -0400
+
 tiff (3.7.2-4) stable-security; urgency=high
 
   * Backported upstream patches to fix out-of-bounds read
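Review bot: the new changelog stanza should reference the bug: the unstable entry for 3.8.2-3 elsewhere in this report ends "CVE-2006-2656.  (Closes: #369819)", while this stable-security stanza lists the CVE alone, so the 3.7.2-5 update is not linked to #369819 from its changelog. The heading "Arbitrary command execution with crafted long file names" also misnames the issue; the bug is a buffer overflow from an unbounded strcpy, conventionally described as arbitrary code execution, and the report title uses that wording.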
diff -urN tiff-3.7.2.orig/debian/patches/tiffsplit-fname-overflow.patch tiff-3.7.2/debian/patches/tiffsplit-fname-overflow.patch
--- tiff-3.7.2.orig/debian/patches/tiffsplit-fname-overflow.patch	1969-12-31 19:00:00.000000000 -0500
+++ tiff-3.7.2/debian/patches/tiffsplit-fname-overflow.patch	2006-06-01 21:31:34.679060386 -0400
@@ -0,0 +1,19 @@
+--- tiff-3.7.2/tools/tiffsplit.c.orig	2004-06-05 04:11:26.000000000 -0400
++++ tiff-3.7.2/tools/tiffsplit.c	2006-06-01 21:31:17.464237849 -0400
+@@ -54,14 +54,13 @@
+ 		return (-3);
+ 	}
+ 	if (argc > 2)
+-		strcpy(fname, argv[2]);
++		snprintf(fname, sizeof(fname), "%s", argv[2]);
+ 	in = TIFFOpen(argv[1], "r");
+ 	if (in != NULL) {
+ 		do {
+ 			char path[1024+1];
+ 			newfilename();
+-			strcpy(path, fname);
+-			strcat(path, ".tif");
++			snprintf(path, sizeof(path), "%s.tif", fname);
+ 			out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
+ 			if (out == NULL)
+ 				return (-2);
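Review bot: neither snprintf return value is checked, so the two replacement lines `snprintf(fname, sizeof(fname), "%s", argv[2]);` and `snprintf(path, sizeof(path), "%s.tif", fname);` stop the overwrite but silently truncate: a prefix longer than fname (for instance the 40000-byte reproducer earlier in this report) now produces output files under a name other than the one the user asked for, and a prefix that fits fname can still be cut off once ".tif" is appended into path. Suggest testing each result against `sizeof(fname)` / `sizeof(path)` and returning an error code in the style of the `return (-3)` usage check visible at the top of this hunk. Passing argv[2] as a `%s` argument rather than as the format string itself is the right call.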

Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Martin Pitt <martin.pitt@ubuntu.com>:
Bug acknowledged by developer. (full text, mbox, link).


Message #25 received at 369819-close@bugs.debian.org (full text, mbox, reply):

From: Jay Berkenbilt <qjb@debian.org>
To: 369819-close@bugs.debian.org
Subject: Bug#369819: fixed in tiff 3.8.2-3
Date: Thu, 01 Jun 2006 21:47:14 -0700
Source: tiff
Source-Version: 3.8.2-3

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-opengl_3.8.2-3_i386.deb
  to pool/main/t/tiff/libtiff-opengl_3.8.2-3_i386.deb
libtiff-tools_3.8.2-3_i386.deb
  to pool/main/t/tiff/libtiff-tools_3.8.2-3_i386.deb
libtiff4-dev_3.8.2-3_i386.deb
  to pool/main/t/tiff/libtiff4-dev_3.8.2-3_i386.deb
libtiff4_3.8.2-3_i386.deb
  to pool/main/t/tiff/libtiff4_3.8.2-3_i386.deb
libtiffxx0c2_3.8.2-3_i386.deb
  to pool/main/t/tiff/libtiffxx0c2_3.8.2-3_i386.deb
tiff_3.8.2-3.diff.gz
  to pool/main/t/tiff/tiff_3.8.2-3.diff.gz
tiff_3.8.2-3.dsc
  to pool/main/t/tiff/tiff_3.8.2-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 369819@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  1 Jun 2006 21:24:21 -0400
Source: tiff
Binary: libtiff-opengl libtiffxx0c2 libtiff4 libtiff-tools libtiff4-dev
Architecture: source i386
Version: 3.8.2-3
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 369819
Changes: 
 tiff (3.8.2-3) unstable; urgency=high
 .
   * SECURITY UPDATE: Arbitrary command execution with crafted long file
     names.  Thanks to Martin Pitt for forwarding this.
     Add debian/patches/tiffsplit-fname-overflow.patch:
     - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
       user-specified file name into a statically sized buffer.
     CVE-2006-2656.  (Closes: #369819)
   * Update standards version to 3.7.2.  No changes required.
   * Moved doc-base information to libtiff4 instead of libtiff4-dev.
Files: 
 defcedd0776ec02c895194174dd84ce6 749 libs optional tiff_3.8.2-3.dsc
 ce1688b70825ebd04bcf11a0417cdb0f 9401 libs optional tiff_3.8.2-3.diff.gz
 2984d40edf9a56b5f110f89fc86e8862 481978 libs optional libtiff4_3.8.2-3_i386.deb
 ace9a166905dc6d3c7c14576ad8ff7f1 5122 libs optional libtiffxx0c2_3.8.2-3_i386.deb
 fcd5803bcbb15e209adb0210224cc4e7 233796 libdevel optional libtiff4-dev_3.8.2-3_i386.deb
 d1f52fb2af99602567e9567569b77936 176882 graphics optional libtiff-tools_3.8.2-3_i386.deb
 bb0c7fabadb6f3f2b76ee3c0d8ff0b1f 9734 graphics optional libtiff-opengl_3.8.2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEf7wGEBVk6taI4KcRAp14AKDYhkuLrJRKTyT01hEkPlLn/4PDDACgm9UD
Cl+Z2qBQf5mPMIllyqOY+14=
=Ta2D
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#369819; Package libtiff-tools. (full text, mbox, link).


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (full text, mbox, link).


Message #30 received at 369819@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>
To: Jay Berkenbilt <qjb@debian.org>
Cc: Debian Security Team <team@security.debian.org>, 369819@bugs.debian.org
Subject: Re: Bug#369819: libtiff-tools: Buffer overflow in tiffsplit [CVE-2006-2656]
Date: Fri, 2 Jun 2006 12:19:22 +0200
Jay Berkenbilt wrote:
> 
> I've fixed this libtiff-tools problem.  The problem is fixed in
> 3.8.2-3 (which I am about to upload) and in 3.7.2-5.  Attached is a
> patch that brings 3.7.2-4 to 3.7.2-5.  I haven't built or tested it
> under sarge, but I have verified that the 3.7.2-5 package as created
> by this patch in debian/patches applies cleanly.  (Nested patches.
> Hooray.)  Please let me know if there's anything else I need to do.

Thanks a lot.  I had built a similar update, will push woody and sarge
updates and note 3.8.2-3 as fixed version in sid.

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 19:25:29 GMT) (full text, mbox, link).


Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:48:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:35:10 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:56:30 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.