Your message dated Sun, 28 Jun 2009 17:32:06 +0000
with message-id <[email protected]>
and subject line Bug#534137: fixed in tiff 3.8.2-12
has caused the Debian Bug report #534137,
regarding LZWDecodeCompat crash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
534137: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534137
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tiff
Version: 3.8.2-11
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu karmic ubuntu-patch

Hello!

The attached TIFF will crash libtiff, as investigated by the PSP hacking
community[1], the Ubuntu bug report[2], and upstream[3].

Attached patch seems to solve the underflow, but has not been regression
tested.

Thanks,

-Kees

[1] http://www.lan.st/showthread.php?t=1856&page=3
[2] https://bugs.edge.launchpad.net/bugs/380149
[3] http://bugzilla.maptools.org/show_bug.cgi?id=2065

-- 
Kees Cook                                            @debian.org
Description: fix underflow loop in LZWDecodeCompat
Author: Kees Cook <[email protected]>
Ubuntu: https://bugs.edge.launchpad.net/bugs/380149

--- tiff-3.8.2~/libtiff/tif_lzw.c	2009-06-21 16:10:05.000000000 -0700
+++ tiff-3.8.2/libtiff/tif_lzw.c	2009-06-21 16:09:38.000000000 -0700
@@ -670,6 +670,7 @@
 		}
 		oldcodep = codep;
 		if (code >= 256) {
+			char *op_orig = op;
 			/*
 		 	 * Code maps to a string, copy string
 			 * value to output (written in reverse).
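Review bot: The new `op_orig` at the top of the `if (code >= 256)` block has no comment saying what it is for, and nothing in this hunk shows why the value of `op` at this point is the right lower bound. Please add a short comment stating that it records the start of this string's output region and that the reverse copy further down must never write below it. Since the pointer is never meant to change after initialization, declaring it as `char *const op_orig = op;` would also make that intent explicit.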
@@ -704,7 +705,7 @@
 			tp = op;
 			do {
 				*--tp = codep->value;
-			} while( (codep = codep->next) != NULL);
+			} while( (codep = codep->next) != NULL && tp > op_orig);
 		} else
 			*op++ = code, occ--;
 	}
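Review bot: Missing error handling when the new bound in the `while` condition is what ends the loop: if `tp > op_orig` becomes false while `codep->next` is still non-NULL, the code chain is longer than the space reserved for it, which means the stream is corrupt, yet decoding simply carries on with a truncated string. After the loop, consider checking whether `codep` is still non-NULL and, if so, reporting the corrupt data and stopping the decode rather than continuing silently. Also note that this is a `do`/`while`, so `*--tp = codep->value;` runs once before the bound is ever tested; if `op` can equal `op_orig` on entry, that first write already lands one byte below the bound, so the check would be safer ahead of the store.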

--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 3.8.2-12

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-doc_3.8.2-12_all.deb
  to pool/main/t/tiff/libtiff-doc_3.8.2-12_all.deb
libtiff-opengl_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiff-opengl_3.8.2-12_i386.deb
libtiff-tools_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiff-tools_3.8.2-12_i386.deb
libtiff4-dev_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiff4-dev_3.8.2-12_i386.deb
libtiff4_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiff4_3.8.2-12_i386.deb
libtiffxx0c2_3.8.2-12_i386.deb
  to pool/main/t/tiff/libtiffxx0c2_3.8.2-12_i386.deb
tiff_3.8.2-12.diff.gz
  to pool/main/t/tiff/tiff_3.8.2-12.diff.gz
tiff_3.8.2-12.dsc
  to pool/main/t/tiff/tiff_3.8.2-12.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <[email protected]> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 28 Jun 2009 13:17:44 -0400
Source: tiff
Binary: libtiff4 libtiffxx0c2 libtiff4-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all i386
Version: 3.8.2-12
Distribution: unstable
Urgency: low
Maintainer: Jay Berkenbilt <[email protected]>
Changed-By: Jay Berkenbilt <[email protected]>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 534137
Changes: 
 tiff (3.8.2-12) unstable; urgency=low
 .
   * Apply patch to fix crash in lzw decoder that can be caused by certain
     invalid image files.  (Closes: #534137)
   * No longer ignore errors in preinst
   * Fixed new lintian warnings; updated standards version to 3.8.2.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpHpnUACgkQEBVk6taI4Ke9uACgkgmPAOrnU8S3mwHzD39yD5OY
ifQAnjOCr1asSNM0/puv2u/lU2fUB62d
=YpzP
-----END PGP SIGNATURE-----



--- End Message ---
