Re: Bug#373854: libtiff-tools: DSA 1091-1 broke tiffsplit
tags 373854 +pending
thanks
Christoph Biedl <cbiedl@gmx.de> wrote:
> What goes wrong:
>
> tiffsplit composes the name of the created file using the submitted
> "prefix" with the serial appended (this is in fname) and the extension
> ".tif". The resulting name is written to "path".
>
> Prior to DSA 1091-1 the vulnerable code was
> | strcpy(path, fname);
> | strcat(path, ".tif");
>
> This was changed to
> | snprintf(fname, sizeof(fname), "%s.tif", fname);
> but should obviously be
> | snprintf(path, sizeof(path), "%s.tif", fname);
> and was discussed so in #369819.
I believe this analysis is obviously correct. This same error was not
made in the sid version of this upload, so the sid version is actually
okay. I believe regressions introduced in stable-security are
generally also fixed in stable-security, so I've attached a patch to
change 3.7.2-5 to 3.7.2-6 that fixes this problem. I've marked the
bug "pending" assuming that the security team will accept the proposed
fix. Thanks for your analysis and fix!
--
Jay Berkenbilt <qjb@debian.org>
--- debian/changelog.qdist 2006-06-19 18:45:05.813893781 -0400
+++ debian/changelog 2006-06-19 18:49:59.708719707 -0400
@@ -1,3 +1,10 @@
+tiff (3.7.2-6) stable-security; urgency=high
+
+ * Fix regression introduced by CVE-2006-2656.patch. Thanks Christoph
+ Biedl. (Closes: #373854)
+
+ -- Jay Berkenbilt <qjb@debian.org> Mon, 19 Jun 2006 18:49:39 -0400
+
tiff (3.7.2-5) stable-security; urgency=high
* Non-maintainer upload by the Security Team
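Review bot: the changelog line `* Fix regression introduced by CVE-2006-2656.patch` names the patch but not the regression, so a reader of the stable-security changelog cannot tell which tool or symptom this upload fixes. Suggest naming both, e.g. `* tiffsplit: fix CVE-2006-2656.patch writing the ".tif" name into fname instead of path (regression in 3.7.2-5). Thanks Christoph Biedl. (Closes: #373854)`.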
--- debian/patches/CVE-2006-2656.patch.qdist 2006-06-19 18:45:05.808894413 -0400
+++ debian/patches/CVE-2006-2656.patch 2006-06-19 18:47:22.846560837 -0400
@@ -18,7 +18,7 @@
newfilename();
- strcpy(path, fname);
- strcat(path, ".tif");
-+ snprintf(fname, sizeof(fname), "%s.tif", fname);
++ snprintf(path, sizeof(path), "%s.tif", fname);
out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
if (out == NULL)
return (-2);
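Review bot: the corrected line `+ snprintf(path, sizeof(path), "%s.tif", fname);` picks the right target buffer but still discards the return value, so a prefix with strlen(fname) + 4 >= sizeof(path) is silently truncated and the following `TIFFOpen(path, ...)` opens a file under a different name than the user asked for. Since the function already has an error convention (`return (-2)` when the open fails), suggest treating truncation the same way, e.g. `if (snprintf(path, sizeof(path), "%s.tif", fname) >= (int)sizeof(path)) return (-2);`. Also worth confirming in tiffsplit.c that `path` is declared as a char array rather than a pointer, since sizeof(path) would otherwise be the pointer size; the hunk context does not show the declaration. For the record, the replaced line `snprintf(fname, sizeof(fname), "%s.tif", fname)` was wrong twice over: its source and destination alias, which is undefined behaviour for snprintf(), and `path` was never written at all.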
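The three states of this line (the strcpy/strcat overflow, the 3.7.2-5 regression, and the corrected snprintf) are easier to reason about side by side. The following is an added C example written for this page; it is not tiffsplit's code, and the buffer sizes (FNAME_SIZE, PATH_SIZE), the function names and the sample prefixes are assumptions. It models the regression with a defined-behaviour stand-in for the aliasing snprintf() so that it can actually be run, and it extends the corrected fix with the truncation check the patch itself does not have.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions for this demo; tiffsplit.c declares its own.
 * In the real tool, fname holds the user's prefix plus a serial, and the
 * ".tif" name is composed into path before TIFFOpen(). */
#define FNAME_SIZE 32
#define PATH_SIZE 32

/* Corrected fix, extended with a truncation check (the page's patch has
 * none). snprintf() can no longer overflow path, as strcpy/strcat could,
 * but a prefix of PATH_SIZE-4 bytes or more would be silently cut and a
 * wrong file name opened. Returns 0 on success, -1 if the name does not
 * fit; path is emptied on failure so a half-written name is never used. */
int compose_path(char *path, size_t pathsz, const char *fname)
{
    int n = snprintf(path, pathsz, "%s.tif", fname);
    if (n < 0 || (size_t)n >= pathsz) {
        path[0] = '\0';
        return -1;
    }
    return 0;
}

/* Model of the regressed 3.7.2-5 line
 *     snprintf(fname, sizeof(fname), "%s.tif", fname);
 * Two defects: source and destination overlap, which the C standard leaves
 * undefined for snprintf(), and path is never written, so TIFFOpen() gets
 * whatever path already held. The copy into src is this demo's way of
 * staying within defined behaviour; the missing write to path is the
 * effect being reproduced. Returns 0 like the original, hiding the fault. */
int compose_path_regressed(char *path, size_t pathsz, char *fname, size_t fnamesz)
{
    char src[FNAME_SIZE];
    snprintf(src, sizeof src, "%s", fname);
    snprintf(fname, fnamesz, "%s.tif", src);
    (void)path;
    (void)pathsz;
    return 0;
}

int main(void)
{
    /* Constructed sample: a prefix+serial as tiffsplit would build it, and a
     * path buffer still holding the name from a previous iteration. */
    char fname[FNAME_SIZE] = "splitxaaa";
    char path[PATH_SIZE] = "previous.tif";

    compose_path_regressed(path, sizeof path, fname, sizeof fname);
    printf("regressed: fname=%s path=%s (stale, would be reopened)\n", fname, path);

    strcpy(fname, "splitxaaa");
    if (compose_path(path, sizeof path, fname) == 0)
        printf("fixed:     path=%s\n", path);

    /* 28-byte prefix: 28 + 4 = 32 does not fit in PATH_SIZE with the NUL. */
    char longname[FNAME_SIZE] = "a_prefix_that_is_28_bytes_xx";
    int rc = compose_path(path, sizeof path, longname);
    printf("long name: rc=%d path=\"%s\" (refused instead of truncated)\n", rc, path);
    return 0;
}
```

The 27-byte boundary (27 + 4 + NUL = 32) is the last prefix that fits a 32-byte path; the demo's 28-byte prefix is the first that does not, and compose_path() reports it rather than letting TIFFOpen() create a file with a clipped name.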