
Bug#1006550: marked as done (buster-pu: package tiff/4.1.0+git191117-2~deb10u4)



Your message dated Sat, 6 Aug 2022 14:05:59 +0200
with message-id <CAKjSHr24Rh3cQCXm-HcWhStw95dq9pzfscw66SLq5_m=DjpHvQ@mail.gmail.com>
and subject line Re: Bug#1006550: buster-pu: package tiff/4.1.0+git191117-2~deb10u4
has caused the Debian Bug report #1006550,
regarding buster-pu: package tiff/4.1.0+git191117-2~deb10u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1006550: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006550
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Tags: buster
Severity: normal

Hi RMs,

A security update of tiff for issues that do not warrant a DSA but would
still be good to have fixed.
Work done by Thorsten Alteholz that I've double checked. Debdiff is attached.

Thanks for consideration,
Laszlo/GCS
diff -Nru tiff-4.1.0+git191117/debian/changelog tiff-4.1.0+git191117/debian/changelog
--- tiff-4.1.0+git191117/debian/changelog	2021-10-31 09:31:11.000000000 +0100
+++ tiff-4.1.0+git191117/debian/changelog	2022-02-27 17:01:41.000000000 +0100
@@ -1,3 +1,20 @@
+tiff (4.1.0+git191117-2~deb10u4) buster; urgency=high
+
+  [ Thorsten Alteholz <debian@alteholz.de> ]
+  * CVE-2022-22844
+    out-of-bounds read in _TIFFmemcpy in certain situations involving a 
+    custom tag and 0x0200 as the second word of the DE field.
+  * CVE-2022-0562
+    Null source pointer passed as an argument to memcpy() function within 
+    TIFFReadDirectory(). This could result in a Denial of Service via
+    crafted TIFF files.
+  * CVE-2022-0561
+    Null source pointer passed as an argument to memcpy() function within 
+    TIFFFetchStripThing(). This could result in a Denial of Service via 
+    crafted TIFF files.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 27 Feb 2022 17:01:41 +0100
+
 tiff (4.1.0+git191117-2~deb10u3) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
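
Review bot: The CVE-2022-22844 entry describes an out-of-bounds read in _TIFFmemcpy but never says that the fix lands in the tiffset tool; the accompanying patch touches only tools/tiffset.c. Naming tiffset in the entry would tell readers which binary is affected by this item. Several of the added description lines also end in trailing whitespace, which can be trimmed.
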
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch	2022-02-27 16:58:38.000000000 +0100
@@ -0,0 +1,26 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c	2022-02-22 23:44:35.619605527 +0100
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c	2022-02-22 23:46:28.843560813 +0100
+@@ -5682,8 +5682,9 @@
+ 			_TIFFfree(data);
+ 			return(0);
+ 		}
+-                _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+-                _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++                if( dir->tdir_count )
++                        _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
++                _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+ 		_TIFFfree(data);
+ 		data=resizeddata;
+ 	}
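
Review bot: The new guard, if( dir->tdir_count ), in front of _TIFFmemcpy carries no comment saying why a zero count needs special handling; only the patch subject records that the source pointer can be null when the size is zero. A one-line comment above the guard would keep that reasoning in tif_dirread.c. The _TIFFmemset line is changed only in spacing, which makes the hunk larger than the fix requires.
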
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch	2022-02-27 16:58:38.000000000 +0100
@@ -0,0 +1,24 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c	2022-02-22 23:46:41.891555692 +0100
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c	2022-02-22 23:48:35.983511234 +0100
+@@ -4126,7 +4126,8 @@
+                     goto bad;
+                 }
+ 
+-                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++                if (old_extrasamples > 0)
++                    memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+                 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+                 _TIFFfree(new_sampleinfo);
+         }
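
Review bot: The guard on the memcpy, if (old_extrasamples > 0), tests the count, while the defect named in the subject is a null source pointer, so the fix relies on tif->tif_dir.td_sampleinfo being non-null whenever old_extrasamples is non-zero. Stating that invariant in a comment, or testing the pointer as well, would make the assumption explicit.
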
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch	2022-02-27 16:58:38.000000000 +0100
@@ -0,0 +1,45 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+---
+ tools/tiffset.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+Index: tiff-4.1.0+git191117/tools/tiffset.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/tools/tiffset.c	2022-02-22 23:52:43.803416440 +0100
++++ tiff-4.1.0+git191117/tools/tiffset.c	2022-02-22 23:53:04.479408633 +0100
+@@ -32,6 +32,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ 
+ #include "tiffio.h"
+ 
+@@ -133,9 +134,19 @@
+ 
+             arg_index++;
+             if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+-                if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+-                    fprintf( stderr, "Failed to set %s=%s\n",
+-                             TIFFFieldName(fip), argv[arg_index] );
++                if(TIFFFieldPassCount( fip )) {
++                    size_t len;
++                    len = strlen(argv[arg_index]) + 1;
++                    if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
++                            (uint16)len, argv[arg_index]) != 1)
++                        fprintf( stderr, "Failed to set %s=%s\n",
++                            TIFFFieldName(fip), argv[arg_index] );
++                } else {
++                    if (TIFFSetField(tiff, TIFFFieldTag(fip),
++                            argv[arg_index]) != 1)
++                        fprintf( stderr, "Failed to set %s=%s\n",
++                            TIFFFieldName(fip), argv[arg_index] );
++                }
+             } else if (TIFFFieldWriteCount(fip) > 0
+ 		       || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+                 int     ret = 1;
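
Review bot: In the TIFFFieldPassCount branch, the len > UINT16_MAX rejection shares the "Failed to set %s=%s" message with a TIFFSetField failure, so the user cannot tell that the value was refused for its length, and the over-long argument is echoed in full to stderr. A separate message for the length check that names the UINT16_MAX limit would be clearer. The same fprintf call now appears in both branches and could be written once after the if/else.
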
diff -Nru tiff-4.1.0+git191117/debian/patches/series tiff-4.1.0+git191117/debian/patches/series
--- tiff-4.1.0+git191117/debian/patches/series	2021-10-31 09:31:11.000000000 +0100
+++ tiff-4.1.0+git191117/debian/patches/series	2022-02-27 16:58:38.000000000 +0100
@@ -3,3 +3,8 @@
 CVE-2020-35523.patch
 CVE-2020-35524.patch
 TIFFTAG_PREDICTOR-is-not-supported-for-WebP.patch
+
+CVE-2022-0561.patch
+CVE-2022-0562.patch
+CVE-2022-22844.patch
+
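
Review bot: The hunk adds an empty line before CVE-2022-0561.patch and another after CVE-2022-22844.patch, while the existing entries shown as context are listed one per line with no blank lines between them. The three new names can be appended directly after TIFFTAG_PREDICTOR-is-not-supported-for-WebP.patch.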

--- End Message ---
--- Begin Message ---
On Fri, Aug 5, 2022 at 9:49 PM Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> Ping? We're in the process of organising the final point release for
> buster, as support for it transitions over to the LTS team, so if you
> would still like to fix it via pu then the upload needs to happen soon.
My bad, sorry about that. There were other security issues as well
and I've patched them. With those, the security update was accepted by
the Security Team and a DSA was released.

Regards,
Laszlo/GCS

--- End Message ---
