Debian Bug report logs - #534137
LZWDecodeCompat crash

version graph

Package: tiff; Maintainer for tiff is Jay Berkenbilt <qjb@debian.org>;

Reported by: Kees Cook <kees@debian.org>

Date: Mon, 22 Jun 2009 00:09:01 UTC

Severity: normal

Tags: patch, security

Found in version 3.8.2-11

Fixed in version tiff/3.8.2-12

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#534137; Package tiff. (Mon, 22 Jun 2009 00:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@debian.org>:
New Bug report received and forwarded. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 22 Jun 2009 00:09:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@debian.org>
To: Debian Bugs <submit@bugs.debian.org>
Subject: LZWDecodeCompat crash
Date: Sun, 21 Jun 2009 17:06:09 -0700
[Message part 1 (text/plain, inline)]
Package: tiff
Version: 3.8.2-11
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch

Hello!

The attached TIFF will crash libtiff, as investigated by the PSP hacking
community[1], the Ubuntu bug report[2], and upstream[3].

Attached patch seems to solve the underflow, but has not been regression
tested.

Thanks,

-Kees

[1] http://www.lan.st/showthread.php?t=1856&page=3
[2] https://bugs.edge.launchpad.net/bugs/380149
[3] http://bugzilla.maptools.org/show_bug.cgi?id=2065

-- 
Kees Cook                                            @debian.org
[lzw_underflow.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#534137; Package tiff. (Sun, 28 Jun 2009 16:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sun, 28 Jun 2009 16:33:02 GMT) Full text and rfc822 format available.

Message #10 received at 534137@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Kees Cook <kees@debian.org>
Cc: 534137@bugs.debian.org
Subject: Re: Bug#534137: LZWDecodeCompat crash
Date: Sun, 28 Jun 2009 12:30:39 -0400
Kees Cook <kees@debian.org> wrote:

> The attached TIFF will crash libtiff, as investigated by the PSP hacking
> community[1], the Ubuntu bug report[2], and upstream[3].
>
> Attached patch seems to solve the underflow, but has not been regression
> tested.

I've looked through the upstream bug report you mentioned, and I have
applied Jeffrey Pfau's patch instead.  After applying this patch, I am
able to view your sample image, and the corrupted LZW table scanline
error is issued.  Thanks for drawing my attention to this problem!

I really hope they get around to release 3.9.0 one of these days.  I'm
tempted to roll my own 3.9.0-pre release and upload it.

-- 
Jay Berkenbilt <qjb@debian.org>




Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Sun, 28 Jun 2009 18:03:05 GMT) Full text and rfc822 format available.

Notification sent to Kees Cook <kees@debian.org>:
Bug acknowledged by developer. (Sun, 28 Jun 2009 18:03:05 GMT) Full text and rfc822 format available.

Message #15 received at 534137-close@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: 534137-close@bugs.debian.org
Subject: Bug#534137: fixed in tiff 3.8.2-12
Date: Sun, 28 Jun 2009 17:32:06 +0000
Source: tiff
Source-Version: 3.8.2-12

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-doc_3.8.2-12_all.deb
  to pool/main/t/tiff/libtiff-doc_3.8.2-12_all.deb
libtiff-opengl_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiff-opengl_3.8.2-12_i386.deb
libtiff-tools_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiff-tools_3.8.2-12_i386.deb
libtiff4-dev_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiff4-dev_3.8.2-12_i386.deb
libtiff4_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiff4_3.8.2-12_i386.deb
libtiffxx0c2_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiffxx0c2_3.8.2-12_i386.deb
tiff_3.8.2-12.diff.gz
  to pool/main/t/tiff/tiff_3.8.2-12.diff.gz
tiff_3.8.2-12.dsc
  to pool/main/t/tiff/tiff_3.8.2-12.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534137@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 28 Jun 2009 13:17:44 -0400
Source: tiff
Binary: libtiff4 libtiffxx0c2 libtiff4-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all i386
Version: 3.8.2-12
Distribution: unstable
Urgency: low
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 534137
Changes: 
 tiff (3.8.2-12) unstable; urgency=low
 .
   * Apply patch to fix crash in lzw decoder that can be caused by certain
     invalid image files.  (Closes: #534137)
   * No longer ignore errors in preinst
   * Fixed new lintian warnings; updated standards version to 3.8.2.
Checksums-Sha1: 
 5f83651873ef6603d8e5d08530d08c2c29e1fe37 1184 tiff_3.8.2-12.dsc
 9b309ac0574f57d05b9bbc8d22dea41fed2d23f0 37902 tiff_3.8.2-12.diff.gz
 884d388f3481b016a69405144046921be6e37870 368536 libtiff-doc_3.8.2-12_all.deb
 f0ff269a146ab7495e004c3e4724093bceb88137 160400 libtiff4_3.8.2-12_i386.deb
 2df286c6040b28ac17c216b55507d92f1a021c8c 48750 libtiffxx0c2_3.8.2-12_i386.deb
 fb9a76938962304a3a027eaf121f3df5c685f247 274360 libtiff4-dev_3.8.2-12_i386.deb
 690d2cfcd03fd95db54df6e03df346ac0feaad9a 217626 libtiff-tools_3.8.2-12_i386.deb
 f9922b7c6da2b4f9481135489687dd033fba9342 53526 libtiff-opengl_3.8.2-12_i386.deb
Checksums-Sha256: 
 f8ebdbd3e5917454d97fcc70732525511c66a218eedaffe7bc3dcb3e73877ad2 1184 tiff_3.8.2-12.dsc
 03ea036f23b5219e92ae1f1837ca0fd030aa410a50485f166e557b04f5b2c6e2 37902 tiff_3.8.2-12.diff.gz
 9f2ae8be58ad4f9163b0bfebf355180cf5b200dd478fe287647dccf563d2575a 368536 libtiff-doc_3.8.2-12_all.deb
 e79717e2c7c0dfc2444e54e4de529b98d7f6f639c05ca8dc448402298377f732 160400 libtiff4_3.8.2-12_i386.deb
 66675ea7351e715e85a7c8f7a855c09f4dc598fa3c6a64848cba1ae9c1099bc3 48750 libtiffxx0c2_3.8.2-12_i386.deb
 384acffd722ed6f961a671939b646c068e288f7414ac23179853bf1385254132 274360 libtiff4-dev_3.8.2-12_i386.deb
 5cdb9e5a3785f90d0fa17d79ca9061567552de146ba2de7584b187cc87a82a0b 217626 libtiff-tools_3.8.2-12_i386.deb
 c92462cc1226aa0e6b403191b920382ed3bef7685d475fcf5b157e767a5e936d 53526 libtiff-opengl_3.8.2-12_i386.deb
Files: 
 85b476f98315e900086c6536f5503987 1184 libs optional tiff_3.8.2-12.dsc
 5e4151c85f88b8103ac8ca1f126a2202 37902 libs optional tiff_3.8.2-12.diff.gz
 bc104267907488da8a67ac5e307ea4d7 368536 doc optional libtiff-doc_3.8.2-12_all.deb
 0fe117d162a46479c97ce7d06199f451 160400 libs optional libtiff4_3.8.2-12_i386.deb
 25ea6593c6f5e69d26a594e453809203 48750 libs optional libtiffxx0c2_3.8.2-12_i386.deb
 948a8d39cadb04956e084abe0d8e56b7 274360 libdevel optional libtiff4-dev_3.8.2-12_i386.deb
 8034095daf6e4acc1286abccb603268f 217626 graphics optional libtiff-tools_3.8.2-12_i386.deb
 8d400340d6fac6e04b3e024be620e8a4 53526 graphics optional libtiff-opengl_3.8.2-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpHpnUACgkQEBVk6taI4Ke9uACgkgmPAOrnU8S3mwHzD39yD5OY
ifQAnjOCr1asSNM0/puv2u/lU2fUB62d
=YpzP
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#534137; Package tiff. (Thu, 09 Jul 2009 09:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Thu, 09 Jul 2009 09:21:02 GMT) Full text and rfc822 format available.

Message #20 received at 534137@bugs.debian.org (full text, mbox):

From: Guido Günther <agx@sigxcpu.org>
To: 534137@bugs.debian.org
Subject: Security Upload for Lenny
Date: Thu, 9 Jul 2009 11:15:33 +0200
tags 534137 + security

Hi,
since this is security related, doesn't it need to be fixed in Lenny as
well?
Cheers,
 -- Guido




Tags added: security Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Thu, 09 Jul 2009 09:21:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#534137; Package tiff. (Sun, 12 Jul 2009 19:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sun, 12 Jul 2009 19:12:03 GMT) Full text and rfc822 format available.

Message #27 received at 534137@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Guido Günther <agx@sigxcpu.org>
Cc: 534137@bugs.debian.org
Subject: Re: Bug#534137: Security Upload for Lenny
Date: Sun, 12 Jul 2009 15:09:18 -0400
Thanks -- I've raised the issue with the security team.  We'll see what
happens.

-- 
Jay Berkenbilt <qjb@debian.org>




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Aug 2009 07:31:13 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 08:05:25 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.