Debian Bug report logs - #309739
libtiff4: vulnerable to CAN-2005-1544

Package: tiff; Maintainer for tiff is Jay Berkenbilt <qjb@debian.org>;

Reported by: Martin Pitt <martin@piware.de>

Date: Thu, 19 May 2005 08:18:01 UTC

Severity: critical

Tags: security, woody

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#309739; Package libtiff4.

Acknowledgement sent to Martin Pitt <martin@piware.de>:
New Bug report received and forwarded. Copy sent to Jay Berkenbilt <qjb@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <martin@piware.de>
To: submit@bugs.debian.org
Subject: libtiff4: vulnerable to CAN-2005-1544
Date: Thu, 19 May 2005 10:17:07 +0200
Package: libtiff4
Version: 3.7.2-2
Severity: critical
Tags: security

Hi!

Libtiff is vulnerable to another exploitable segfault, see

  http://bugzilla.remotesensing.org/show_bug.cgi?id=843

for details.

However, please don't take the patch attached to that bug report, it's
incomplete. Upstream CVS has the complete patch, you can also grab it
from

  http://bugs.gentoo.org/attachment.cgi?id=58276

For Sid you should probably just package the new upstream version, but
for Sarge the patch is fine (I already ported it to 3.6.1 for Ubuntu's
releases and tested it).

Thanks,

Martin
-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#309739; Package libtiff4.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.

Message #10 received at 309739@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Martin Pitt <martin@piware.de>
Cc: 309739@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#309739: libtiff4: vulnerable to CAN-2005-1544
Date: Thu, 19 May 2005 05:30:02 -0400
Martin Pitt <martin@piware.de> wrote:

> Package: libtiff4
> Version: 3.7.2-2
> Severity: critical
> Tags: security
>
> Hi!
>
> Libtiff is vulnerable to another exploitable segfault, see
>
>   http://bugzilla.remotesensing.org/show_bug.cgi?id=843
>
> for details.
>
> However, please don't take the patch attached to that bug report, it's
> incomplete. Upstream CVS has the complete patch, you can also grab it
> from
>
>   http://bugs.gentoo.org/attachment.cgi?id=58276

Thanks.  Debian security: I am leaving today for vacation and
will be completely unreachable for at least a day or two.  I should be
able to deal with the current version today before I leave, so no NMU
should be necessary for the version in sid/sarge.  I don't have a way
right now to deal with the version in woody, so I'd have to request
that the security team take care of it as they have done in the past.
I won't have time to deal with it today before I leave, I'm afraid.

> For Sid you should probably just package the new upstream version, but
> for Sarge the patch is fine (I already ported it to 3.6.1 for Ubuntu's
> releases and tested it).

Um, sid already has the latest upstream version, so I'm not sure what
you mean, unless 3.7.3 is about to be released.  I follow the upstream
mailing list though and I haven't heard about it.  Am I missing
something?  Breezy also has the 3.7.2-2ubuntu1 which differs from the
debian version only in that it has already undergone the C++ ABI
transition (for libtiffxx0).  Martin, will you take care of applying
this patch to the Breezy version?

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#309739; Package libtiff4.

Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>.

Message #15 received at 309739@bugs.debian.org:

From: Martin Pitt <martin.pitt@canonical.com>
To: Jay Berkenbilt <qjb@debian.org>
Cc: 309739@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#309739: libtiff4: vulnerable to CAN-2005-1544
Date: Thu, 19 May 2005 11:49:22 +0200
Hi Jay!

Jay Berkenbilt [2005-05-19  5:30 -0400]:
> Thanks.  Debian Debian security: I am leaving today for vacation and
> will be completely unreachable for at least a day or two.  I should be
> able to deal with the current version today before I leave, so no NMU
> should be necessary for the version in sid/sarge.  I don't have a way
> right now to deal with the version in woody, so I'd have to request
> that the security team take care of it as they have done in the past.
> I won't have time to deal with it today before I leave, I'm afraid.

libtiff4 isn't even in woody. I didn't check whether this flaw affects
woody's TIFF library, though.

> Um, sid already has the latest upstream version, so I'm not sure what
> you mean, unless 3.7.3 is about to be released.  

Oh, I faintly remember having read something about a new version, but
I didn't check. 

> I follow the upstream mailing list though and I haven't heard about
> it.  

In this case you should apply the patch to unstable and upload with
high urgency so that the version can be pushed into Sarge, I suppose.

> Breezy also has the 3.7.2-2ubuntu1 which differs from the debian
> version only in that it has already undergone the C++ ABI transition
> (for libtiffxx0).  

Yeah, since yesterday.

> Martin, will you take care of applying this patch to the Breezy
> version?

Yes, of course. :-) It currently doesn't build because of a library of
our new X.org, but that's an entirely different problem. I already
ported the patch itself.

Martin

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#309739; Package libtiff4.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.

Message #20 received at 309739@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: debian-release@lists.debian.org
Cc: team@security.debian.org, 309739@bugs.debian.org
Subject: tiff security problem: planning to upload 3.7.2-3 to sid
Date: Thu, 19 May 2005 06:08:37 -0400
Unless I hear otherwise, I'm planning on uploading tiff 3.7.2-3
(currently prepared and ready; closes RC security bug 309739,
urgency=high) to sid this morning and to then request its approval for
sarge.  If you would like me to handle this in some other way, please
let me know ASAP.  I'm leaving for vacation today and intend to do
this upload in the next few hours.

I'm attaching two versions of the patch.  The first one,
CAN-2005-1544-readable.patch, was generated with diff -uw.  It ignores
whitespace, so it would not apply properly to the source, but it is
compact and easy to read for the benefit of the release team.  The
second patch is the real patch applied to the code.  It is larger than
the change warrants because of indentation changes in the code, but is
functionally identical.

Both versions of the patch were generated from upstream's CVS after
verifying with upstream's bug tracking system and looking at the patch
applied to the gentoo packages.  The change is quite straightforward
and is pretty self-evident from reading the patch generated without
extraneous whitespace changes.  When reading an array whose length is
supposed to be the value of bits per sample, the old code failed to
validate the actual amount of data in the file.  The new code
allocates the amount of memory required for what's actually in the
file and ensures that the samples value doesn't exceed that amount.
The same code change is repeated three times: once for short, once for
long, and once for "any" in tif_dirread.c.  I'm hoping that, with this
description, you'll be able to approve the change at a glance.  I've
also done a quick check over tif_dirread.c to make sure that these are
really the only occurrences of the offending code and that the three
functions really do need exactly the same fix and have also done my
usual testing of the libraries and tools to test for unintended
consequences.  This patch is the only difference between 3.7.2-2 and
3.7.2-3.  (It is quite clear anyway that there is no possibility of
any ABI breakage.)

Thanks for your consideration.

-- 
Jay Berkenbilt <qjb@debian.org>

[CAN-2005-1544-readable.patch (text/x-patch, inline)]
Index: libtiff/tif_dirread.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
retrieving revision 1.51
retrieving revision 1.53
diff -w -u -r1.51 -r1.53
--- libtiff/tif_dirread.c	3 Mar 2005 16:00:01 -0000	1.51
+++ libtiff/tif_dirread.c	6 May 2005 14:35:50 -0000	1.53
@@ -1310,12 +1310,16 @@
 		uint16 buf[10];
 		uint16* v = buf;
 
-		if (samples > NITEMS(buf))
-			v = (uint16*) CheckMalloc(tif, samples, sizeof(uint16),
+        if (dir->tdir_count > NITEMS(buf))
+            v = (uint16*) CheckMalloc(tif, dir->tdir_count, sizeof(uint16),
 						  "to fetch per-sample values");
 		if (v && TIFFFetchShortArray(tif, dir, v)) {
 			uint16 i;
-			for (i = 1; i < samples; i++)
+            int check_count = dir->tdir_count;
+            if( samples < check_count )
+                check_count = samples;
+
+            for (i = 1; i < check_count; i++)
 				if (v[i] != v[0]) {
 					TIFFError(tif->tif_name,
 		"Cannot handle different per-sample values for field \"%s\"",
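Review bot: `int check_count = dir->tdir_count;` narrows the entry's 32-bit count into a signed int; a count at or above 2^31 becomes negative, `samples < check_count` is then false and `for (i = 1; i < check_count; i++)` never runs, so the per-sample consistency check is silently skipped for exactly the absurd counts a hostile file would carry. Declaring it `uint32 check_count`, matching tdir_count, avoids the conversion; the `uint16 i` index is fine once check_count is capped at samples. Separately, sizing the buffer from dir->tdir_count is the right fix (that is what TIFFFetchShortArray writes), but the value comes straight from the file with no upper bound, so an oversized count now drives an arbitrarily large CheckMalloc; treating a count far beyond samples as an error rather than allocating for it would be cheap hardening against the memory-exhaustion variant of the same malformed input.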
@@ -1347,12 +1351,16 @@
 		uint32 buf[10];
 		uint32* v = buf;
 
-		if (samples > NITEMS(buf))
-			v = (uint32*) CheckMalloc(tif, samples, sizeof(uint32),
+        if (dir->tdir_count > NITEMS(buf))
+            v = (uint32*) CheckMalloc(tif, dir->tdir_count, sizeof(uint32),
 						  "to fetch per-sample values");
 		if (v && TIFFFetchLongArray(tif, dir, v)) {
 			uint16 i;
-			for (i = 1; i < samples; i++)
+            int check_count = dir->tdir_count;
+
+            if( samples < check_count )
+                check_count = samples;
+            for (i = 1; i < check_count; i++)
 				if (v[i] != v[0]) {
 					TIFFError(tif->tif_name,
 		"Cannot handle different per-sample values for field \"%s\"",
@@ -1384,12 +1392,16 @@
 		double buf[10];
 		double* v = buf;
 
-		if (samples > NITEMS(buf))
-			v = (double*) CheckMalloc(tif, samples, sizeof (double),
+        if (dir->tdir_count > NITEMS(buf))
+            v = (double*) CheckMalloc(tif, dir->tdir_count, sizeof (double),
 						  "to fetch per-sample values");
 		if (v && TIFFFetchAnyArray(tif, dir, v)) {
 			uint16 i;
-			for (i = 1; i < samples; i++)
+            int check_count = dir->tdir_count;
+            if( samples < check_count )
+                check_count = samples;
+
+            for (i = 1; i < check_count; i++)
 				if (v[i] != v[0]) {
 					TIFFError(tif->tif_name,
 		"Cannot handle different per-sample values for field \"%s\"",
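Review bot: the same buffer-sizing and `check_count` guard is now pasted verbatim into all three per-sample fetchers (shorts, longs, anys), and the second copy already differs from the other two in where its blank line sits. Factoring the min(samples, tdir_count) computation and the allocation size into one shared helper would keep the three copies from drifting the next time one of them needs a fix, and would make a future audit of tif_dirread.c for this pattern a single-site check instead of three.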
[CAN-2005-1544.patch (text/x-patch, inline)]
Index: libtiff/tif_dirread.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
retrieving revision 1.51
retrieving revision 1.53
diff -u -r1.51 -r1.53
--- libtiff/tif_dirread.c	3 Mar 2005 16:00:01 -0000	1.51
+++ libtiff/tif_dirread.c	6 May 2005 14:35:50 -0000	1.53
@@ -1303,33 +1303,37 @@
 static int
 TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
 {
-	uint16 samples = tif->tif_dir.td_samplesperpixel;
-	int status = 0;
+    uint16 samples = tif->tif_dir.td_samplesperpixel;
+    int status = 0;
 
-	if (CheckDirCount(tif, dir, (uint32) samples)) {
-		uint16 buf[10];
-		uint16* v = buf;
-
-		if (samples > NITEMS(buf))
-			v = (uint16*) CheckMalloc(tif, samples, sizeof(uint16),
-						  "to fetch per-sample values");
-		if (v && TIFFFetchShortArray(tif, dir, v)) {
-			uint16 i;
-			for (i = 1; i < samples; i++)
-				if (v[i] != v[0]) {
-					TIFFError(tif->tif_name,
-		"Cannot handle different per-sample values for field \"%s\"",
-			   _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-					goto bad;
-				}
-			*pl = v[0];
-			status = 1;
-		}
-	bad:
-		if (v && v != buf)
-			_TIFFfree(v);
-	}
-	return (status);
+    if (CheckDirCount(tif, dir, (uint32) samples)) {
+        uint16 buf[10];
+        uint16* v = buf;
+
+        if (dir->tdir_count > NITEMS(buf))
+            v = (uint16*) CheckMalloc(tif, dir->tdir_count, sizeof(uint16),
+                                      "to fetch per-sample values");
+        if (v && TIFFFetchShortArray(tif, dir, v)) {
+            uint16 i;
+            int check_count = dir->tdir_count;
+            if( samples < check_count )
+                check_count = samples;
+
+            for (i = 1; i < check_count; i++)
+                if (v[i] != v[0]) {
+                    TIFFError(tif->tif_name,
+                              "Cannot handle different per-sample values for field \"%s\"",
+                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+                    goto bad;
+                }
+            *pl = v[0];
+            status = 1;
+        }
+      bad:
+        if (v && v != buf)
+            _TIFFfree(v);
+    }
+    return (status);
 }
 
 /*
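Review bot: nearly every line of this hunk is a tab-to-spaces reindent of the whole function; the functional change (the CheckMalloc count and the `check_count` cap) is the handful of lines visible in the -w version. Keeping the file's existing tab indentation, or landing the whitespace cleanup as a separate commit, would let the security fix be reviewed, signed off and backported on its own. Minor: `if( samples < check_count )` does not match the `if (` spacing used everywhere else in the function.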
@@ -1340,33 +1344,37 @@
 static int
 TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
 {
-	uint16 samples = tif->tif_dir.td_samplesperpixel;
-	int status = 0;
+    uint16 samples = tif->tif_dir.td_samplesperpixel;
+    int status = 0;
 
-	if (CheckDirCount(tif, dir, (uint32) samples)) {
-		uint32 buf[10];
-		uint32* v = buf;
-
-		if (samples > NITEMS(buf))
-			v = (uint32*) CheckMalloc(tif, samples, sizeof(uint32),
-						  "to fetch per-sample values");
-		if (v && TIFFFetchLongArray(tif, dir, v)) {
-			uint16 i;
-			for (i = 1; i < samples; i++)
-				if (v[i] != v[0]) {
-					TIFFError(tif->tif_name,
-		"Cannot handle different per-sample values for field \"%s\"",
-			   _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-					goto bad;
-				}
-			*pl = v[0];
-			status = 1;
-		}
-	bad:
-		if (v && v != buf)
-			_TIFFfree(v);
-	}
-	return (status);
+    if (CheckDirCount(tif, dir, (uint32) samples)) {
+        uint32 buf[10];
+        uint32* v = buf;
+
+        if (dir->tdir_count > NITEMS(buf))
+            v = (uint32*) CheckMalloc(tif, dir->tdir_count, sizeof(uint32),
+                                      "to fetch per-sample values");
+        if (v && TIFFFetchLongArray(tif, dir, v)) {
+            uint16 i;
+            int check_count = dir->tdir_count;
+
+            if( samples < check_count )
+                check_count = samples;
+            for (i = 1; i < check_count; i++)
+                if (v[i] != v[0]) {
+                    TIFFError(tif->tif_name,
+                              "Cannot handle different per-sample values for field \"%s\"",
+                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+                    goto bad;
+                }
+            *pl = v[0];
+            status = 1;
+        }
+      bad:
+        if (v && v != buf)
+            _TIFFfree(v);
+    }
+    return (status);
 }
 
 /*
@@ -1377,33 +1385,37 @@
 static int
 TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
 {
-	uint16 samples = tif->tif_dir.td_samplesperpixel;
-	int status = 0;
+    uint16 samples = tif->tif_dir.td_samplesperpixel;
+    int status = 0;
 
-	if (CheckDirCount(tif, dir, (uint32) samples)) {
-		double buf[10];
-		double* v = buf;
-
-		if (samples > NITEMS(buf))
-			v = (double*) CheckMalloc(tif, samples, sizeof (double),
-						  "to fetch per-sample values");
-		if (v && TIFFFetchAnyArray(tif, dir, v)) {
-			uint16 i;
-			for (i = 1; i < samples; i++)
-				if (v[i] != v[0]) {
-					TIFFError(tif->tif_name,
-		"Cannot handle different per-sample values for field \"%s\"",
-			   _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-					goto bad;
-				}
-			*pl = v[0];
-			status = 1;
-		}
-	bad:
-		if (v && v != buf)
-			_TIFFfree(v);
-	}
-	return (status);
+    if (CheckDirCount(tif, dir, (uint32) samples)) {
+        double buf[10];
+        double* v = buf;
+
+        if (dir->tdir_count > NITEMS(buf))
+            v = (double*) CheckMalloc(tif, dir->tdir_count, sizeof (double),
+                                      "to fetch per-sample values");
+        if (v && TIFFFetchAnyArray(tif, dir, v)) {
+            uint16 i;
+            int check_count = dir->tdir_count;
+            if( samples < check_count )
+                check_count = samples;
+
+            for (i = 1; i < check_count; i++)
+                if (v[i] != v[0]) {
+                    TIFFError(tif->tif_name,
+                              "Cannot handle different per-sample values for field \"%s\"",
+                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+                    goto bad;
+                }
+            *pl = v[0];
+            status = 1;
+        }
+      bad:
+        if (v && v != buf)
+            _TIFFfree(v);
+    }
+    return (status);
 }
 #undef NITEMS
 
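The sizing logic Jay describes above (buffer sized by samplesperpixel, fetch writes the entry's own count), as an added stand-alone C model that is not libtiff's code: `old_sizing_overruns` states the old rule's failure condition, and `fetch_per_sample_shorts` follows the patched `TIFFFetchPerSampleShorts` against a constructed `DirEntry` stand-in, with a simplified `CheckDirCount` (assumption: entries carrying fewer values than samples are rejected) and an unsigned `check_count`, which differs from the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NITEMS(x) (sizeof(x) / sizeof((x)[0]))

/* Constructed stand-in for the two TIFFDirEntry fields this logic touches:
 * the value count stored in the file and the decoded values themselves. */
typedef struct {
    uint32_t tdir_count;
    const uint16_t *values;
} DirEntry;

/* Old sizing rule (before revision 1.53): the buffer held max(samples, 10)
 * values while the fetch wrote tdir_count values.
 * Returns 1 when that write would overrun the buffer. */
int old_sizing_overruns(uint32_t tdir_count, uint16_t samples)
{
    uint32_t capacity = samples > 10 ? samples : 10;
    return tdir_count > capacity;
}

/* Stand-in for TIFFFetchShortArray: writes every value the entry carries. */
static void fetch_short_array(const DirEntry *dir, uint16_t *v)
{
    memcpy(v, dir->values, (size_t)dir->tdir_count * sizeof(uint16_t));
}

/* Fixed fetch, modelled on the patched TIFFFetchPerSampleShorts: size the
 * buffer by the entry's own count, compare only min(samples, count) values,
 * and reject per-sample values that differ.
 * Returns 1 and sets *pl on success, 0 on any failure. */
int fetch_per_sample_shorts(const DirEntry *dir, uint16_t samples, uint16_t *pl)
{
    uint16_t buf[10];
    uint16_t *v = buf;
    int status = 0;
    uint32_t check_count;

    /* Simplified CheckDirCount (assumption): an entry with fewer values
     * than samples is rejected; libtiff warns and ignores the tag. */
    if (dir->tdir_count < samples)
        return 0;

    /* The fix: allocate for what the file actually carries, not for samples. */
    if (dir->tdir_count > NITEMS(buf)) {
        v = calloc(dir->tdir_count, sizeof(uint16_t));
        if (v == NULL)
            return 0;
    }
    fetch_short_array(dir, v);

    /* Kept unsigned (the patch uses int) so a huge count cannot go negative
     * and skip the loop below; only the first min(samples, count) matter. */
    check_count = dir->tdir_count;
    if (samples < check_count)
        check_count = samples;

    for (uint32_t i = 1; i < check_count; i++) {
        if (v[i] != v[0]) {
            fprintf(stderr, "Cannot handle different per-sample values\n");
            goto bad;
        }
    }
    *pl = v[0];
    status = 1;
bad:
    if (v != buf)
        free(v);
    return status;
}

int main(void)
{
    /* Constructed entry: 12 values for a 3-sample image, the shape that
     * overran the old 10-slot stack buffer. */
    const uint16_t twelve_eights[12] = {8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8};
    DirEntry e = {12, twelve_eights};
    uint16_t bps = 0;
    int ok;

    printf("old sizing overruns: %d\n", old_sizing_overruns(e.tdir_count, 3));
    ok = fetch_per_sample_shorts(&e, 3, &bps);
    printf("fixed fetch status=%d bitspersample=%u\n", ok, bps);
    return 0;
}
```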

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#309739; Package libtiff4.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.

Message #25 received at 309739@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Martin Pitt <martin.pitt@canonical.com>
Cc: 309739@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#309739: libtiff4: vulnerable to CAN-2005-1544
Date: Thu, 19 May 2005 06:35:58 -0400
Martin Pitt <martin.pitt@canonical.com> wrote:

> libtiff4 isn't even in woody. I didn't check whether this flaw affects
> woody's TIFF library, though.

But libtiff3g is, and this bug is there.  Security: I'm attaching a
patch against the woody version.  THIS IS UNTESTED.  I extracted the
source package for the current woody version (3.5.5-6.woody5) and
hand-applied the patch to the extracted version (i.e. on top of other
packages already there).  The offending code is there only twice in
the woody version.  (It's there three times in the current version.)
The attached patch should apply against that.  As I said, I haven't
tested or even attempted to build it in a woody environment since I
don't have a woody build environment set up and have no time today!  I
did build it in a sid environment, so I know it at least compiles, but
I didn't run it.  I hope this saves you at least some effort.

>> Martin, will you take care of applying this patch to the Breezy
>> version?
>
> Yes, of course. :-) It currently doesn't build because of a library of
> our new X.org, but that's an entirely different problem. I already
> ported the patch itself.

Okay, see Ubuntu bug 10952. :-)  I'm probably duplicating your effort
but maybe it will still be useful.

-- 
Jay Berkenbilt <qjb@debian.org>

[CAN-2005-1544-woody-untested.patch (text/x-patch, inline)]
--- libtiff/tif_dirread.c~	2005-05-19 06:26:07.896339528 -0400
+++ libtiff/tif_dirread.c	2005-05-19 06:30:14.865794464 -0400
@@ -1178,12 +1178,16 @@
 		uint16 buf[10];
 		uint16* v = buf;
 
-		if (samples > NITEMS(buf))
-			v = (uint16*) CheckMalloc(tif, samples, sizeof (uint16),
+		if (dir->tdir_count > NITEMS(buf))
+			v = (uint16*) CheckMalloc(tif, dir->tdir_count, sizeof(uint16),
 						  "to fetch per-sample values");
 		if (v && TIFFFetchShortArray(tif, dir, v)) {
 			int i;
-			for (i = 1; i < samples; i++)
+			int check_count = dir->tdir_count;
+			if( samples < check_count )
+			    check_count = samples;
+
+			for (i = 1; i < check_count; i++)
 				if (v[i] != v[0]) {
 					TIFFError(tif->tif_name,
 		"Cannot handle different per-sample values for field \"%s\"",
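Review bot: this backport is explicitly untested, and the case it guards (an entry whose count exceeds samplesperpixel, which the old `CheckMalloc(tif, samples, ...)` sizing did not cover) is cheap to exercise: one regression run of the woody build under valgrind or a bounds-checking malloc with such a file, before and after the patch, would confirm the overrun is gone without needing a full woody environment. Note the woody code uses `int i` and `int check_count` (the upstream version has a `uint16` index); with both signed, `i < check_count` behaves the same as upstream, but a `uint32` `check_count` here would avoid the signed narrowing of tdir_count.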
@@ -1215,12 +1219,16 @@
 		double buf[10];
 		double* v = buf;
 
-		if (samples > NITEMS(buf))
-			v = (double*) CheckMalloc(tif, samples, sizeof (double),
+		if (dir->tdir_count > NITEMS(buf))
+			v = (double*) CheckMalloc(tif, dir->tdir_count, sizeof (double),
 						  "to fetch per-sample values");
 		if (v && TIFFFetchAnyArray(tif, dir, v)) {
 			int i;
-			for (i = 1; i < samples; i++)
+			int check_count = dir->tdir_count;
+			if( samples < check_count )
+			    check_count = samples;
+
+			for (i = 1; i < check_count; i++)
 				if (v[i] != v[0]) {
 					TIFFError(tif->tif_name,
 		"Cannot handle different per-sample values for field \"%s\"",

Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility.

Notification sent to Martin Pitt <martin@piware.de>:
Bug acknowledged by developer.

Message #30 received at 309739-close@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 309739-close@bugs.debian.org
Subject: Bug#309739: fixed in tiff 3.7.2-3
Date: Thu, 19 May 2005 11:32:20 -0400
Source: tiff
Source-Version: 3.7.2-3

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-opengl_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiff-opengl_3.7.2-3_i386.deb
libtiff-tools_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiff-tools_3.7.2-3_i386.deb
libtiff4-dev_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiff4-dev_3.7.2-3_i386.deb
libtiff4_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiff4_3.7.2-3_i386.deb
libtiffxx0_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiffxx0_3.7.2-3_i386.deb
tiff_3.7.2-3.diff.gz
  to pool/main/t/tiff/tiff_3.7.2-3.diff.gz
tiff_3.7.2-3.dsc
  to pool/main/t/tiff/tiff_3.7.2-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 309739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 19 May 2005 05:41:28 -0400
Source: tiff
Binary: libtiff-opengl libtiffxx0 libtiff4 libtiff-tools libtiff4-dev
Architecture: source i386
Version: 3.7.2-3
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 309739
Changes: 
 tiff (3.7.2-3) unstable; urgency=high
 .
   * Fix for exploitable segmentation fault on files with bad BitsPerSample
     values.  (Closes: #309739)
     [libtiff/tif_dirread.c, CAN-2005-1544]
     Thanks to Martin Pitt for the report.
Files: 





Bug reopened, originator not changed. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.

Tags added: woody. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#309739; Package libtiff4.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>.

Message #39 received at 309739@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 309739@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Jay Berkenbilt <qjb@debian.org>
Subject: Re: Processed: Unfixed in Woody
Date: Thu, 9 Jun 2005 10:25:34 -0700
On Thu, Jun 09, 2005 at 07:03:18AM -0700, Debian Bug Tracking System wrote:
> Processing commands for control@bugs.debian.org:

> > reopen 309739
> Bug#309739: libtiff4: vulnerable to CAN-2005-1544
> Bug reopened, originator not changed.

> > tags 309739 woody
> Bug#309739: libtiff4: vulnerable to CAN-2005-1544
> Tags were: security
> Tags added: woody

Why was this bug reopened?  There is no libtiff4 package in woody.

-- 
Steve Langasek
postmodern programmer

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#309739; Package libtiff4.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>.

Message #44 received at 309739@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 309739@bugs.debian.org, Jay Berkenbilt <qjb@debian.org>, control@bugs.debian.org
Subject: Re: Processed: Unfixed in Woody
Date: Thu, 9 Jun 2005 19:51:40 +0200
reassign 309739 tiff
thanks

Steve Langasek wrote:
> > > reopen 309739
> > Bug#309739: libtiff4: vulnerable to CAN-2005-1544
> > Bug reopened, originator not changed.
> 
> > > tags 309739 woody
> > Bug#309739: libtiff4: vulnerable to CAN-2005-1544
> > Tags were: security
> > Tags added: woody
> 
> Why was this bug reopened?  There is no libtiff4 package in woody.

But tiff3g is affected, so I'm reassigning this to the source package.

Cheers,
        Moritz



Bug reassigned from package `libtiff4' to `tiff'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#309739; Package tiff.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.

Message #51 received at 309739@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 309739@bugs.debian.org, jmm@inutil.org, vorlon@debian.org
Subject: CAN-2005-1544 (tiff3g segfault)
Date: Sun, 19 Jun 2005 22:17:21 -0400
Hello all....I just got back into town tonight and am digging through
>1500 messages.  Somehow I don't see the one about this bug, but I
noticed in the package tracking system that the bug has been reopened.

I had actually sent a patch to team@security.debian.org against the
version of tiff in woody to fix this problem, and I tested that the
woody version of tiff builds okay in sid with the patch.  I don't have
a woody environment to test in, and I didn't actually run the version
compiled in sid from the woody sources.  In any case, you can find the
patch here:

http://bugs.debian.org/cgi-bin/bugreport.cgi/CAN-2005-1544-woody-untested.patch?bug=309739&msg=15&att=1

The patch wasn't too hard to generate against the older tiff sources
based on reading the affected code, but as I said, it hasn't been
thoroughly tested.

I will follow up with the security team soon to see what's going on.

--Jay

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#309739; Package tiff.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.

Message #56 received at 309739@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: team@security.debian.org
Cc: 309739@bugs.debian.org
Subject: woody is still vulnerable to CAN-2005-1544
Date: Sat, 09 Jul 2005 16:04:03 -0400
Some time ago, a bug was posted about tiff being vulnerable to
CAN-2005-1544: a bug that caused an exploitable segmentation fault on
files with certain bad BitsPerSample values (making it a potential DOS
bug).  The fix is already in sarge.  I had posted a patch against the
version of the package in Woody some time ago, but I had not tested
it.  I have now built and tested this in a woody environment, and I
believe that it does resolve the problem.  The attached patch is
identical to the other one except that it also patches
debian/changelog.  Feel free to disregard that part and treat this as a
security NMU.  The portion of the patch that updates tif_dirread.c
should be fine.  Bug 309739 is still open (tagged woody).  My patch to
the changelog closes it.  If this gets uploaded in some other way,
someone can manually close the bug.  Please let me know if there's
anything else I need to do with this.  Thanks!

-- 
Jay Berkenbilt <qjb@debian.org>

[CAN-2005-1544.woody.patch (text/x-patch, inline)]
diff -ur tiff-3.5.5.old/debian/changelog tiff-3.5.5/debian/changelog
--- tiff-3.5.5.old/debian/changelog	2005-07-09 15:33:22.444177800 -0400
+++ tiff-3.5.5/debian/changelog	2005-07-09 15:36:33.679924042 -0400
@@ -1,3 +1,10 @@
+tiff (3.5.5-7) unstable; urgency=low
+
+  * Fix for exploitable segmentation fault on files with bad BitsPerSample
+    values. [libtiff/tif_dirread.c, CAN-2005-1544]. Closes: #309739
+
+ -- Jay Berkenbilt <qjb@debian.org>  Sat,  9 Jul 2005 15:36:18 -0400
+
 tiff (3.5.5-6.woody5) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
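Review bot: the new changelog stanza targets `unstable; urgency=low`, but this is a woody security update; the entry directly below it shows the expected form (`stable-security; urgency=high`), and the version should continue the `3.5.5-6.woodyN` series the security team has been using rather than jump to `3.5.5-7`, or the upload will be routed to the wrong suite. The maintainer name on the trailer line is also fine for an NMU only if the `* Non-maintainer upload` convention is followed as in the previous entry.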
diff -ur tiff-3.5.5.old/libtiff/tif_dirread.c tiff-3.5.5/libtiff/tif_dirread.c
--- tiff-3.5.5.old/libtiff/tif_dirread.c	2005-07-09 15:33:22.432179070 -0400
+++ tiff-3.5.5/libtiff/tif_dirread.c	2005-07-09 15:32:53.358256890 -0400
@@ -1178,12 +1178,16 @@
 		uint16 buf[10];
 		uint16* v = buf;
 
-		if (samples > NITEMS(buf))
-			v = (uint16*) CheckMalloc(tif, samples, sizeof (uint16),
+		if (dir->tdir_count > NITEMS(buf))
+			v = (uint16*) CheckMalloc(tif, dir->tdir_count, sizeof(uint16),
 						  "to fetch per-sample values");
 		if (v && TIFFFetchShortArray(tif, dir, v)) {
 			int i;
-			for (i = 1; i < samples; i++)
+			int check_count = dir->tdir_count;
+			if( samples < check_count )
+			    check_count = samples;
+
+			for (i = 1; i < check_count; i++)
 				if (v[i] != v[0]) {
 					TIFFError(tif->tif_name,
 		"Cannot handle different per-sample values for field \"%s\"",
@@ -1215,12 +1219,16 @@
 		double buf[10];
 		double* v = buf;
 
-		if (samples > NITEMS(buf))
-			v = (double*) CheckMalloc(tif, samples, sizeof (double),
+		if (dir->tdir_count > NITEMS(buf))
+			v = (double*) CheckMalloc(tif, dir->tdir_count, sizeof (double),
 						  "to fetch per-sample values");
 		if (v && TIFFFetchAnyArray(tif, dir, v)) {
 			int i;
-			for (i = 1; i < samples; i++)
+			int check_count = dir->tdir_count;
+			if( samples < check_count )
+			    check_count = samples;
+
+			for (i = 1; i < check_count; i++)
 				if (v[i] != v[0]) {
 					TIFFError(tif->tif_name,
 		"Cannot handle different per-sample values for field \"%s\"",
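Review bot: The sizing and `check_count` clamp here are a verbatim copy of the `uint16` case above, down to the signed `int check_count` narrowing and the `if( samples < check_count )` formatting, so the same signed-overflow and zero-count concerns apply; factor the clamp into a small static helper so both call sites stay in sync and get fixed together, and keep the `sizeof (double)` / `sizeof(uint16)` spacing consistent between the two hunks.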
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#309739; Package tiff. Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #61 received at 309739@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: team@security.debian.org
Cc: 309739@bugs.debian.org
Subject: Re: woody is still vulnerable to CAN-2005-1544
Date: Sat, 09 Jul 2005 16:22:11 -0400
Jay Berkenbilt <qjb@debian.org> wrote:

> The attached patch is identical to the other one except that it also
> patches debian/changelog.  Feel free to disregard that part and
> treat this as a security NMU.

Of course, my patch had a distribution of unstable which is obviously
wrong.  But you would have definitely noticed that. :-)

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#309739; Package tiff. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. Full text and rfc822 format available.

Message #66 received at 309739@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Jay Berkenbilt <qjb@debian.org>
Cc: team@security.debian.org, 309739@bugs.debian.org
Subject: Re: woody is still vulnerable to CAN-2005-1544
Date: Sun, 10 Jul 2005 12:52:27 +0200
Jay Berkenbilt wrote:
> 
> Some time ago, a bug was posted about tiff being vulnerable to
> CAN-2005-1544: a bug that caused an exploitable segmentation fault on
> files with certain bad BitsPerSample values (making it a potential DOS
> bug).  The fix is already in sarge.  I had posted a patch against the
> version of the package in Woody some time ago, but I had not tested
> it.  I have now built and tested this in a woody environment, and I
> believe that it does resolve the problem.  The attached patch is
> identical to the other one except that it also patches
> debian/changelog.  Feel free to disregard that part and treat this as a
> security NMU.  The portion of the patch that updates tif_dirread.c
> should be fine.  Bug 309739 is still open (tagged woody).  My patch to
> the changelog closes it.  If this gets uploaded in some other way,
> someone can manually close the bug.  Please let me know if there's
> anything else I need to do with this.  Thanks!

Hmm, I must have missed your earlier mail somehow.  I haven't even
stored a trace of this issue.  I'm pushing it into the buildd network
now.  Thanks a lot.

Regards,

	Joey

-- 
Every use of Linux is a proper use of Linux.  -- Jon 'maddog' Hall



Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Pitt <martin@piware.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #71 received at 309739-done@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: 309739-done@bugs.debian.org
Subject: fixed in oldstable-security
Date: Fri, 15 Jul 2005 16:09:00 -0400
This bug has been fixed in 3.5.5-7, available as an oldstable security
update.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 02:18:33 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:09:52 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.