Debian Bug report logs - #366588
CVE-2006-2120: denial of service (crash) via a crafted TIFF image


Package: libtiff4; Maintainer for libtiff4 is Jay Berkenbilt <qjb@debian.org>; Source for libtiff4 is src:tiff3.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Tue, 9 May 2006 19:33:04 UTC

Severity: grave

Tags: security

Found in version libtiff4/3.7.2-3sarge1

Fixed in version 3.8.2-1

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jay Berkenbilt <qjb@debian.org>:
Bug#366588; Package libtiff4.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jay Berkenbilt <qjb@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-2120: denial of service (crash) via a crafted TIFF image
Date: Tue, 09 May 2006 21:06:59 +0200
Package: libtiff4
Version: 3.7.2-3sarge1
Severity: grave
Tags: security
Justification: user security hole



As far as I could see, this is not fixed in sarge:

Name: CVE-2006-2120
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2120
http://bugzilla.remotesensing.org/show_bug.cgi?id=1065

The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers
to cause a denial of service (crash) via a crafted TIFF image with
Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an
out-of-bounds read.


The function name is actually TIFFXYZToRGB. I am sorry that I am too
late for DSA 1054.

Cheers,
Stefan
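The clamp-before-quantize pattern that the CVE description above refers to, as an added example in C that is not libtiff code: Y0, YC, STEP, TABLE_RANGE and y2r are hypothetical stand-ins for the cielab->display.d_Y0R/d_YCR, rstep, range and Yr2r fields of TIFFXYZToRGB, the lookup table is constructed, and the conversion additionally reports inputs outside the display range so a decoder can log a malformed file.

```c
#include <stdio.h>
/* Added example, not libtiff code. Y0/YC/STEP/TABLE_RANGE/y2r are
 * hypothetical stand-ins for cielab->display.d_Y0R, d_YCR, rstep,
 * range and Yr2r in TIFFXYZToRGB. */
#define Y0 0.0f                       /* luminosity mapped to index 0 */
#define YC 100.0f                     /* luminosity mapped to the last index */
#define TABLE_RANGE 15                /* highest valid index of y2r */
#define STEP ((YC - Y0) / TABLE_RANGE)

/* Constructed luminosity-to-8-bit lookup table, one entry per STEP. */
static const unsigned char y2r[TABLE_RANGE + 1] = {
    0, 17, 34, 51, 68, 85, 102, 119, 136, 153, 170, 187, 204, 221, 238, 255
};

/* Clamp y into [Y0, YC] before quantizing: the lower clamp mirrors the
 * existing TIFFmax(), the upper clamp is what the fix adds with TIFFmin().
 * The result is a valid index for any finite y; without the upper clamp an
 * arbitrarily large y reaches the (int) conversion unbounded. */
static int luminosity_to_index(float y) {
    if (y < Y0) y = Y0;
    if (y > YC) y = YC;
    int i = (int)((y - Y0) / STEP);
    return i > TABLE_RANGE ? TABLE_RANGE : i;   /* guard rounding at YC */
}

/* Convert a luminosity triple to RGB; returns 1 if any component lay
 * outside [Y0, YC], which a decoder may want to log as a malformed file. */
static int luminosity_to_rgb(const float yrgb[3], unsigned char rgb[3]) {
    int out_of_range = 0;
    for (int c = 0; c < 3; c++) {
        if (yrgb[c] < Y0 || yrgb[c] > YC) out_of_range = 1;
        rgb[c] = y2r[luminosity_to_index(yrgb[c])];
    }
    return out_of_range;
}

/* Constructed input with one component far above YC and one below Y0;
 * returns 1 when it is flagged and still converted to in-table values. */
static int crafted_sample_handled(void) {
    const float crafted[3] = { 50.0f, 1e30f, -3.0f };
    unsigned char rgb[3];
    int flagged = luminosity_to_rgb(crafted, rgb);
    return flagged && rgb[0] == 119 && rgb[1] == 255 && rgb[2] == 0;
}

int main(void) {
    printf("crafted sample handled safely: %d\n", crafted_sample_handled());
    return 0;
}
```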



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#366588; Package libtiff4.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.

Message #10 received at 366588@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>
Cc: 366588@bugs.debian.org
Subject: Re: Bug#366588: CVE-2006-2120: denial of service (crash) via a crafted TIFF image
Date: Wed, 10 May 2006 11:43:27 -0400
Stefan Fritsch <sf@sfritsch.de> wrote:

> Name: CVE-2006-2120
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2120
> http://bugzilla.remotesensing.org/show_bug.cgi?id=1065

Thank you for the report.  I have recently become aware of this and am
expecting to prepare a fix on Thursday.

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#366588; Package libtiff4.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.

Message #15 received at 366588@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 366588@bugs.debian.org
Cc: control@bugs.debian.org
Subject: pending
Date: Sun, 14 May 2006 10:06:52 -0400
tags 366588 +pending
found 366588 3.7.2-3sarge1
notfound 366588 3.8.2-1
notfound 366588 3.8.2-2
thanks

I have sent a patch to the security team for the sarge version.  If
they agree, presumably a new version will be uploaded soon and a woody
version will also be prepared.  Here is the patch.  It is basically
the changes from revision 1.11 to 1.12 of tif_color.c.

I have also attempted to use the found and notfound commands to keep
this bug from counting against the transition of 3.8.2-2 to etch,
though I'm not sure I've done it right.

-- 
Jay Berkenbilt <qjb@debian.org>

[CVE-2006-2120.patch (text/x-patch, inline)]
--- libtiff/tif_color.c.qdist	2005-01-15 10:42:50.000000000 -0500
+++ libtiff/tif_color.c	2006-05-14 09:47:02.115457504 -0400
@@ -92,6 +92,11 @@
 	Yg = TIFFmax( Yg, cielab->display.d_Y0G );
 	Yb = TIFFmax( Yb, cielab->display.d_Y0B );
 
+	/* Avoid overflow in case of wrong input values */
+	Yr = TIFFmin(Yr, cielab->display.d_YCR);
+	Yg = TIFFmin(Yg, cielab->display.d_YCG);
+	Yb = TIFFmin(Yb, cielab->display.d_YCB);
+
 	/* Turn luminosity to colour value. */
 	i = TIFFmin(cielab->range,
 		    (int)((Yr - cielab->display.d_Y0R) / cielab->rstep));
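Review bot: the new TIFFmin() clamps run after the existing TIFFmax() lower clamps, so whenever d_YCR/d_YCG/d_YCB is below the corresponding d_Y0R/d_Y0G/d_Y0B the upper clamp wins, `Yr - cielab->display.d_Y0R` on the following line goes negative, and the resulting negative index is not caught by `TIFFmin(cielab->range, ...)`, which only bounds the top; either assert d_YC* >= d_Y0* where the display values are set up or also clamp the index with `TIFFmax(0, ...)`. The comment "Avoid overflow in case of wrong input values" would be clearer as a statement of the actual hazard, an out-of-range index into the lookup table, and the added lines' spacing (`TIFFmin(Yr, ...)`) differs from the surrounding `TIFFmax( Yr, ... )` style.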

Tags added: pending Request was from Jay Berkenbilt <qjb@debian.org> to control@bugs.debian.org.

Bug marked as found in version 3.7.2-3sarge1. Request was from Jay Berkenbilt <qjb@debian.org> to control@bugs.debian.org.

Bug marked as not found in version 3.8.2-1. Request was from Jay Berkenbilt <qjb@debian.org> to control@bugs.debian.org.

Bug marked as not found in version 3.8.2-2. Request was from Jay Berkenbilt <qjb@debian.org> to control@bugs.debian.org.

Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #28 received at 366588-done@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 366588-done@bugs.debian.org
Subject: bug does not affect sid or etch
Date: Wed, 24 May 2006 10:23:45 -0400
Version: 3.8.2-1

This bug applies to sarge only; marking it done as of 3.8.2-1.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 00:31:21 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:54:15 2014; Machine Name: beach.debian.org
