Debian Bug report logs - #694693
tiff: CVE-2012-5581

version graph

Package: libtiff4; Maintainer for libtiff4 is Jay Berkenbilt <qjb@debian.org>; Source for libtiff4 is src:tiff3.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 29 Nov 2012 08:21:01 UTC

Severity: grave

Tags: security

Found in version tiff3/3.9.6-9

Fixed in version tiff3/3.9.6-10

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#694693; Package tiff. (Thu, 29 Nov 2012 08:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jay Berkenbilt <qjb@debian.org>. (Thu, 29 Nov 2012 08:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2012-5581
Date: Thu, 29 Nov 2012 09:15:10 +0100
Package: tiff
Severity: grave
Tags: security
Justification: user security hole

Hi Jay,
another security issue was discovered by Red Hat's Huzaifa S. Sidhpurwala:
The Red Hat bug contains the necessary details:
https://bugzilla.redhat.com/show_bug.cgi?id=867235

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#694693; Package tiff. (Thu, 29 Nov 2012 14:51:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Thu, 29 Nov 2012 14:51:09 GMT) Full text and rfc822 format available.

Message #10 received at 694693@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 694693@bugs.debian.org
Subject: Re: Bug#694693: tiff: CVE-2012-5581
Date: Thu, 29 Nov 2012 09:46:41 -0500
Moritz Muehlenhoff <jmm@inutil.org> wrote:

>
> Hi Jay,
> another security issue was discovered by Red Hat's Huzaifa S. Sidhpurwala:
> The Red Hat bug contains the necessary details:
> https://bugzilla.redhat.com/show_bug.cgi?id=867235

Looking at the bugzilla issue, it's not completely clear to me whether
this was fixed in 4.0.2 or 4.0.3, and the patch will be pretty different
for the 3.x versions and the 4.x versions.  I'll see what I can do about
finding time very soon to address this.  I'm a little concerned about
Tom Lane's comment about a behavioral change:

https://bugzilla.redhat.com/show_bug.cgi?id=867235#c6

I'll look at it a little before blindly taking the diff.

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#694693; Package tiff. (Wed, 12 Dec 2012 17:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Wed, 12 Dec 2012 17:57:08 GMT) Full text and rfc822 format available.

Message #15 received at 694693@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Jay Berkenbilt <qjb@debian.org>
Cc: 694693@bugs.debian.org
Subject: Re: Bug#694693: tiff: CVE-2012-5581
Date: Wed, 12 Dec 2012 18:52:26 +0100
[Message part 1 (text/plain, inline)]
On Thu, Nov 29, 2012 at 09:46:41AM -0500, Jay Berkenbilt wrote:
> Moritz Muehlenhoff <jmm@inutil.org> wrote:
> 
> >
> > Hi Jay,
> > another security issue was discovered by Red Hat's Huzaifa S. Sidhpurwala:
> > The Red Hat bug contains the necessary details:
> > https://bugzilla.redhat.com/show_bug.cgi?id=867235
> 
> Looking at the bugzilla issue, it's not completely clear to me whether
> this was fixed in 4.0.2 or 4.0.3, and the patch will be pretty different
> for the 3.x versions and the 4.x versions.  I'll see what I can do about
> finding time very soon to address this.  I'm a little concerned about
> Tom Lane's comment about a behavioral change:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=867235#c6
> 
> I'll look at it a little before blindly taking the diff.

I'm attaching the Ubuntu patch for 12.04 (based on 3.9.5-2)

Cheers,
        Moritz
[CVE-2012-5581.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#694693; Package tiff. (Sat, 15 Dec 2012 11:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sat, 15 Dec 2012 11:24:03 GMT) Full text and rfc822 format available.

Message #20 received at 694693@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 694693@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#694693: tiff: CVE-2012-5581
Date: Sat, 15 Dec 2012 06:20:22 -0500
reassign 694693 libtiff4 3.9.6-9
thanks

Moritz Muehlenhoff <jmm@inutil.org> wrote:

> On Thu, Nov 29, 2012 at 09:46:41AM -0500, Jay Berkenbilt wrote:
>> Moritz Muehlenhoff <jmm@inutil.org> wrote:
>> 
>> >
>> > Hi Jay,
>> > another security issue was discovered by Red Hat's Huzaifa S. Sidhpurwala:
>> > The Red Hat bug contains the necessary details:
>> > https://bugzilla.redhat.com/show_bug.cgi?id=867235
>> 
>> Looking at the bugzilla issue, it's not completely clear to me whether
>> this was fixed in 4.0.2 or 4.0.3, and the patch will be pretty different
>> for the 3.x versions and the 4.x versions.  I'll see what I can do about
>> finding time very soon to address this.  I'm a little concerned about
>> Tom Lane's comment about a behavioral change:
>> 
>> https://bugzilla.redhat.com/show_bug.cgi?id=867235#c6
>> 
>> I'll look at it a little before blindly taking the diff.
>
> I'm attaching the Ubuntu patch for 12.04 (based on 3.9.5-2)

Sorry for the delay on this.  The upstream fix for this problem was in
CVS revision 1.111 of tif_dir.c, and the release 4.0.2 tag is on
revision 1.113.  I also verified looking at the source that 4.0.2
already incorporates this fix, so CVE-2012-5581 does not affect the tiff
package in sid/wheezy.  However, it does affect the tiff3 package and
the tiff package in squeeze.  I am reassigning the bug to libtiff4 and
will upload tiff3 momentarily with the patch that the Red Hat security
team backported.  I will request and unblock.  I will also prepare a
patch for squeeze and follow the usual procedure.

One of the nice things about tiff is that, if you wait long enough,
someone else will do most of the work. :-/

-- 
Jay Berkenbilt <qjb@debian.org>



Bug reassigned from package 'tiff' to 'libtiff4'. Request was from Jay Berkenbilt <qjb@debian.org> to control@bugs.debian.org. (Sat, 15 Dec 2012 11:24:05 GMT) Full text and rfc822 format available.

Marked as found in versions tiff3/3.9.6-9. Request was from Jay Berkenbilt <qjb@debian.org> to control@bugs.debian.org. (Sat, 15 Dec 2012 11:24:06 GMT) Full text and rfc822 format available.

Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Sat, 15 Dec 2012 11:36:06 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 15 Dec 2012 11:36:06 GMT) Full text and rfc822 format available.

Message #29 received at 694693-close@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: 694693-close@bugs.debian.org
Subject: Bug#694693: fixed in tiff3 3.9.6-10
Date: Sat, 15 Dec 2012 11:33:45 +0000
Source: tiff3
Source-Version: 3.9.6-10

We believe that the bug you reported is fixed in the latest version of
tiff3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694693@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 15 Dec 2012 06:04:00 -0500
Source: tiff3
Binary: libtiff4 libtiffxx0c2 libtiff4-dev
Architecture: source amd64
Version: 3.9.6-10
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libtiff4   - Tag Image File Format (TIFF) library (old version)
 libtiff4-dev - Tag Image File Format (TIFF) library (old version), development f
 libtiffxx0c2 - Tag Image File Format (TIFF) library (old version) -- C++ interfa
Closes: 694693
Changes: 
 tiff3 (3.9.6-10) unstable; urgency=high
 .
   * Add fix for CVE-2012-5581, reimplementing DOTRANGE handling to make it
     safer.  Thanks to Red Hat security team for backporting the fix.
     (Closes: #694693)
Checksums-Sha1: 
 7e60341734401505a5e94e308c976ec71ecb5396 1933 tiff3_3.9.6-10.dsc
 d552220ed5a5b42019e10f956ca4995424cc4c57 18060 tiff3_3.9.6-10.debian.tar.gz
 70be195259e8455d99d9c8a6f2a9e91f58f432cf 201996 libtiff4_3.9.6-10_amd64.deb
 b081b2c1ec07c1b921aecb337e7a6dfcc5dce65d 63332 libtiffxx0c2_3.9.6-10_amd64.deb
 1d643c970c297d8e243e3942cb75a734d9b9772d 337066 libtiff4-dev_3.9.6-10_amd64.deb
Checksums-Sha256: 
 a5c2a4c9ac1abc4b6495b2dd28d0efe2166ff2521e9f1e5fceb752ffd8f20c1c 1933 tiff3_3.9.6-10.dsc
 a168b32ed7cf85d1ce87e0570acc18b1466ad96d8c18534ef84e9305e60908d6 18060 tiff3_3.9.6-10.debian.tar.gz
 d9562a9856c144cb07579f711e8e9c2f180e07760b3eefd05a8c1163662bc7b7 201996 libtiff4_3.9.6-10_amd64.deb
 74a05f49494cd790725a43d145924795e8adac717997256ecb1e21dd46d612ba 63332 libtiffxx0c2_3.9.6-10_amd64.deb
 cbbfa8c02b5d96f0eb5e2c2c1c49eb308d779378a2f897a7d8388c4d2630cc10 337066 libtiff4-dev_3.9.6-10_amd64.deb
Files: 
 465d02e837cb92d986397ef863ea26e8 1933 oldlibs optional tiff3_3.9.6-10.dsc
 e02cc06af5c0e5d5b0a2c4425a98435d 18060 oldlibs optional tiff3_3.9.6-10.debian.tar.gz
 421f3589b3b1092b2938a938a7dcad54 201996 oldlibs optional libtiff4_3.9.6-10_amd64.deb
 2575461487c1996a2d8e23fd0bf4e28d 63332 oldlibs optional libtiffxx0c2_3.9.6-10_amd64.deb
 b4ae4d396c50419b778475f6847a8365 337066 libdevel optional libtiff4-dev_3.9.6-10_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQzF0wAAoJEIp10QmYASx+lqgQAIb54SxBpq38QXYKL4KRxKv+
FaCub0ktB32DiJBHChDJ/vsuEDfcypADx9ow0huvnbsz2wXhfr6MWbbRtuWweNRU
4P6ruBRu698czDDv5tXxQaELFvaTAuvk0fjzf7GxzExSW9jj85tTci43P36YkRgi
i+ZURT10gpKZ0fmRj/YVHLlZqSetGQMp4/HncI1xi1r1Ah5Xe8kur8KbvlJf895k
nsCR3yoOIrr1v4lkFbOPmZSJNW60FquR09BltfDf6bZa0C5aIMXSgZKaMQKOFSEH
1w74V3epftecFcFm09uWeTcTm4QMWzqkygyFlH8PhdhM6P0u7Yel55NNgeXATaiT
WkokG05FlY/3r/zNEyrOzdvSZNX9b5kdosnrKLW5bJXM7XKtvjPp9gpvkCHnWe6p
90DeTYcpuQ9pXIeNLKFTyOiIhVj9i/FHPOBiaaaGhA50JdY+w/MSjN5Ihg0kS2bb
zM/fa2B4LdXag/HiPNxumbOkcT6BbnzQRoj2D+8PUndm4i8TkvubiVkOI//AA8th
GlzsaQDum2IegbQ0Fsb1RaoPlnBGTPN/mkS/tXwBN4mMzsT63miEWK8IOq/WogNO
h8L2RquIsI2FdfosXyljw5Vo+V5Ufu0Wckdz+clxnJDVPpfWNzBoudoHaF+x0KbF
yrktXDr8GKnqQj14IqK7
=dcHV
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Jan 2013 07:29:04 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 03:00:44 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.