Debian Bug report logs - #286815
[CAN-2004-1308] Directory entry count integer overflow vulnerability

Package: libtiff4; Maintainer for libtiff4 is Jay Berkenbilt <qjb@debian.org>; Source for libtiff4 is src:tiff3.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 22 Dec 2004 12:48:02 UTC

Severity: critical

Tags: patch, security

Merged with 286833

Found in version 3.6.1-3

Fixed in version tiff/3.6.1-4

Done: Jay Berkenbilt <ejb@ql.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#286815; Package libtiff4.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Josip Rodin <joy-packages@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libtiff4: Directory entry count integer overflow vulnerability
Date: Wed, 22 Dec 2004 13:33:15 +0100
Package: libtiff4
Version: 3.6.1-3
Severity: grave
Tags: security patch
Justification: user security hole

According to the iDefense advisory at
http://www.idefense.com/application/poi/display?id=174&type=vulnerabilities
tiff is vulnerable to remote code execution through an integer overflow
in tif_dirread.c and tif_fax3.c.

There hasn't been a CVE assignment yet.

Attached patch (as proposed in the advisory) fixes this issue.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9-1-386
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages libtiff4 depends on:
ii  libc6                       2.3.2.ds1-19 GNU C Library: Shared libraries an
ii  libjpeg62                   6b-9         The Independent JPEG Group's JPEG 
ii  zlib1g                      1:1.2.2-4    compression library - runtime

-- no debconf information
[tiff-security-fix-heap-overflow.patch (text/x-c, attachment)]

Changed Bug title. Request was from Hendrik Weimer <hendrik@enyo.de> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#286815; Package libtiff4.


Acknowledgement sent to Jay Berkenbilt <ejb@ql.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.


Message #12 received at 286815@bugs.debian.org:

From: Jay Berkenbilt <ejb@ql.org>
To: jmm@inutil.org, 286815@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#286815: libtiff4: Directory entry count integer overflow vulnerability
Date: Wed, 22 Dec 2004 15:28:26 +0000
tags 286815 + pending
thanks

I have prepared 3.6.1-4 and will contact my usual sponsor.  Thanks for
the report.

(This bug has already been fixed in 3.7.1.  I have 3.7.1 packages
ready to upload, but they're blocked by a pending update to the
override file.  3.7.0-2, uploaded to experimental, introduced one new
binary package.  In other words, when 3.7.1 is uploaded, this will
stay fixed.)

-- 
Jay Berkenbilt <ejb@ql.org>
http://www.ql.org/q/



Tags added: pending. Request was from Jay Berkenbilt <ejb@ql.org> to control@bugs.debian.org.


Severity set to `critical'. Request was from Jay Berkenbilt <ejb@ql.org> to control@bugs.debian.org.


Merged 286815 286833. Request was from Jay Berkenbilt <ejb@ql.org> to control@bugs.debian.org.


Reply sent to Jay Berkenbilt <ejb@ql.org>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.


Message #23 received at 286815-close@bugs.debian.org:

From: Jay Berkenbilt <ejb@ql.org>
To: 286815-close@bugs.debian.org
Subject: Bug#286815: fixed in tiff 3.6.1-4
Date: Thu, 23 Dec 2004 02:47:13 -0500
Source: tiff
Source-Version: 3.6.1-4

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-tools_3.6.1-4_i386.deb
  to pool/main/t/tiff/libtiff-tools_3.6.1-4_i386.deb
libtiff4-dev_3.6.1-4_i386.deb
  to pool/main/t/tiff/libtiff4-dev_3.6.1-4_i386.deb
libtiff4_3.6.1-4_i386.deb
  to pool/main/t/tiff/libtiff4_3.6.1-4_i386.deb
tiff_3.6.1-4.diff.gz
  to pool/main/t/tiff/tiff_3.6.1-4.diff.gz
tiff_3.6.1-4.dsc
  to pool/main/t/tiff/tiff_3.6.1-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286815@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <ejb@ql.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 22 Dec 2004 10:20:52 -0500
Source: tiff
Binary: libtiff4 libtiff-tools libtiff4-dev
Architecture: source i386
Version: 3.6.1-4
Distribution: unstable
Urgency: high
Maintainer: Josip Rodin <joy-packages@debian.org>
Changed-By: Jay Berkenbilt <ejb@ql.org>
Description: 
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format library
 libtiff4-dev - Tag Image File Format library, development files
Closes: 286815
Changes: 
 tiff (3.6.1-4) unstable; urgency=high
 .
   * Fix heap overflow security bug [CAN-2004-1308].  (Closes: #286815)
Files: 
 d2068f7c5ec8a2825ad7beb8958b03b2 663 libs optional tiff_3.6.1-4.dsc
 2a195b9b1050dd4455860ee0fc2c02aa 23261 libs optional tiff_3.6.1-4.diff.gz
 e6034e8bf69f492fc1fe19fc51b723ee 104876 libs optional libtiff4_3.6.1-4_i386.deb
 cf2b094ca17a49c536cfa2aadeb6224a 447144 devel optional libtiff4-dev_3.6.1-4_i386.deb
 6f21dc684f3d648859dbf48fae037d7b 160412 graphics optional libtiff-tools_3.6.1-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBynGNIgfFlOyXCJ0RAoTYAJ41v9cTQjY60cAYw9b6IaQSHnRSXACcCAYN
RIomI639vgsZq+18I2FoKbY=
=yL0f
-----END PGP SIGNATURE-----




Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:44:36 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:34:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:07:21 2017; Machine Name: buxtehude
