
Bug#1006550: buster-pu: package tiff/4.1.0+git191117-2~deb10u4



Package: release.debian.org
User: release.debian.org@packages.debian.org
Tags: buster
Severity: normal

Hi RMs,

A security update of tiff for issues that do not warrant a DSA but would
still be good to have fixed.
Work done by Thorsten Alteholz that I've double checked. Debdiff is attached.

Thanks for consideration,
Laszlo/GCS
diff -Nru tiff-4.1.0+git191117/debian/changelog tiff-4.1.0+git191117/debian/changelog
--- tiff-4.1.0+git191117/debian/changelog	2021-10-31 09:31:11.000000000 +0100
+++ tiff-4.1.0+git191117/debian/changelog	2022-02-27 17:01:41.000000000 +0100
@@ -1,3 +1,20 @@
+tiff (4.1.0+git191117-2~deb10u4) buster; urgency=high
+
+  [ Thorsten Alteholz <debian@alteholz.de> ]
+  * CVE-2022-22844
+    out-of-bounds read in _TIFFmemcpy in certain situations involving a 
+    custom tag and 0x0200 as the second word of the DE field.
+  * CVE-2022-0562
+    Null source pointer passed as an argument to memcpy() function within 
+    TIFFReadDirectory(). This could result in a Denial of Service via
+    crafted TIFF files.
+  * CVE-2022-0561
+    Null source pointer passed as an argument to memcpy() function within 
+    TIFFFetchStripThing(). This could result in a Denial of Service via 
+    crafted TIFF files.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 27 Feb 2022 17:01:41 +0100
+
 tiff (4.1.0+git191117-2~deb10u3) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch	2022-02-27 16:58:38.000000000 +0100
@@ -0,0 +1,26 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c	2022-02-22 23:44:35.619605527 +0100
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c	2022-02-22 23:46:28.843560813 +0100
+@@ -5682,8 +5682,9 @@
+ 			_TIFFfree(data);
+ 			return(0);
+ 		}
+-                _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+-                _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++                if( dir->tdir_count )
++                        _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
++                _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+ 		_TIFFfree(data);
+ 		data=resizeddata;
+ 	}
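Review bot: The new `if( dir->tdir_count )` guard in front of `_TIFFmemcpy` carries no comment saying why a zero-length copy is skipped, so a later cleanup could drop it as redundant. Going by the patch subject, `data` can be NULL when the count is zero, and I would put `/* data may be NULL when tdir_count is 0; memcpy() with a null source is undefined even for size 0 */` above the guard. The guard tests the full 64-bit `tdir_count` while the copy length uses `(uint32)dir->tdir_count`; the two agree only if the enclosing condition, which lies outside this hunk, already bounds the count by `nstrips`, so that is worth confirming. The same comment applies to the `if (old_extrasamples > 0)` guard added in CVE-2022-0562.patch.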
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch	2022-02-27 16:58:38.000000000 +0100
@@ -0,0 +1,24 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c	2022-02-22 23:46:41.891555692 +0100
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c	2022-02-22 23:48:35.983511234 +0100
+@@ -4126,7 +4126,8 @@
+                     goto bad;
+                 }
+ 
+-                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++                if (old_extrasamples > 0)
++                    memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+                 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+                 _TIFFfree(new_sampleinfo);
+         }
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch	2022-02-27 16:58:38.000000000 +0100
@@ -0,0 +1,45 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+---
+ tools/tiffset.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+Index: tiff-4.1.0+git191117/tools/tiffset.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/tools/tiffset.c	2022-02-22 23:52:43.803416440 +0100
++++ tiff-4.1.0+git191117/tools/tiffset.c	2022-02-22 23:53:04.479408633 +0100
+@@ -32,6 +32,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ 
+ #include "tiffio.h"
+ 
+@@ -133,9 +134,19 @@
+ 
+             arg_index++;
+             if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+-                if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+-                    fprintf( stderr, "Failed to set %s=%s\n",
+-                             TIFFFieldName(fip), argv[arg_index] );
++                if(TIFFFieldPassCount( fip )) {
++                    size_t len;
++                    len = strlen(argv[arg_index]) + 1;
++                    if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
++                            (uint16)len, argv[arg_index]) != 1)
++                        fprintf( stderr, "Failed to set %s=%s\n",
++                            TIFFFieldName(fip), argv[arg_index] );
++                } else {
++                    if (TIFFSetField(tiff, TIFFFieldTag(fip),
++                            argv[arg_index]) != 1)
++                        fprintf( stderr, "Failed to set %s=%s\n",
++                            TIFFFieldName(fip), argv[arg_index] );
++                }
+             } else if (TIFFFieldWriteCount(fip) > 0
+ 		       || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+                 int     ret = 1;
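Review bot: In the `TIFFFieldPassCount( fip )` branch an over-long argument and a genuine `TIFFSetField` failure both end in the same `Failed to set %s=%s` message, which also echoes the entire oversized value to stderr. Splitting the length test out with its own message, for example `if (len > UINT16_MAX) fprintf(stderr, "Value for %s is too long (limit %d bytes including NUL)\n", TIFFFieldName(fip), UINT16_MAX);`, tells the user what to fix. The count is always passed as `(uint16)len`; that presumably matches what libtiff reads for these fields, but it should be confirmed against `TIFFFieldWriteCount(fip)` in case a field expects a wider count. The enclosing argument loop starts and ends outside the hunk.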
diff -Nru tiff-4.1.0+git191117/debian/patches/series tiff-4.1.0+git191117/debian/patches/series
--- tiff-4.1.0+git191117/debian/patches/series	2021-10-31 09:31:11.000000000 +0100
+++ tiff-4.1.0+git191117/debian/patches/series	2022-02-27 16:58:38.000000000 +0100
@@ -3,3 +3,8 @@
 CVE-2020-35523.patch
 CVE-2020-35524.patch
 TIFFTAG_PREDICTOR-is-not-supported-for-WebP.patch
+
+CVE-2022-0561.patch
+CVE-2022-0562.patch
+CVE-2022-22844.patch
+
