Lee Garrett <lgarr...@programmfabrik.de> wrote: > AFAICS stable is still affected by both CVEs. Can you confirm this? > Patches are available in the Ubuntu natty version of libtiff4.
Yes, I can confirm. Sorry about that. I checked against the natty package, and there are quite a few CVEs that we seem to have missed. I think probably these were not affected in the version in unstable, and I lost track of not having backported or considered them for stable. I have a new version of tiff (tiff-3.9.4-5+squeeze5) built against squeeze that is ready to upload. I've attached a patch from squeeze4 to squeeze5. The only changes were either adding some new patches (the ones mentioned in the changelog) or replacing some old patches that were affected by the new ones. This happened for two patches, and I checked the diffs to make sure the changes were actually the same. As always, I didn't touch any other aspect of the packages. I literally just replaced the patch files and the series file and updated the changelog. Please let me know whether I should do the upload or whether you will prepare a package for stable-security based on the attached patch. Thanks! -- Jay Berkenbilt <q...@debian.org>
diff -urN ../tiff-3.9.4-5+squeeze4/debian/changelog ./debian/changelog --- ../tiff-3.9.4-5+squeeze4/debian/changelog 2012-04-02 11:41:13.000000000 -0400 +++ ./debian/changelog 2012-09-22 12:05:39.852315189 -0400 @@ -1,3 +1,18 @@ +tiff (3.9.4-5+squeeze5) stable-security; urgency=high + + * Added several additional security patches taken from the Ubuntu Natty + (11.04) tiff package. + + CVE-2010-2482 + CVE-2010-2595 + CVE-2010-2597 + CVE-2010-2630 + CVE-2010-4665 + CVE-2012-2113 + CVE-2012-3401 + + -- Jay Berkenbilt <q...@debian.org> Sat, 22 Sep 2012 11:51:18 -0400 + tiff (3.9.4-5+squeeze4) stable-security; urgency=high * CVE-2012-1173 diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2482.patch ./debian/patches/CVE-2010-2482.patch --- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2482.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2010-2482.patch 2011-03-03 11:16:07.000000000 -0500 @@ -0,0 +1,52 @@ +Description: fix denial of service via invalid td_stripbytecount field +Origin: upstream, r1.24.2.7, r1.14.2.5 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=1996 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/597246 + +Index: tiff-3.9.4/libtiff/tif_ojpeg.c +=================================================================== +--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c 2011-03-03 10:40:33.000000000 -0500 ++++ tiff-3.9.4/libtiff/tif_ojpeg.c 2011-03-03 10:41:33.000000000 -0500 +@@ -1918,8 +1918,14 @@ + { + if (sp->in_buffer_file_pos>=sp->file_size) + sp->in_buffer_file_pos=0; ++ else if (sp->tif->tif_dir.td_stripbytecount==NULL) ++ sp->in_buffer_file_togo=sp->file_size-sp->in_buffer_file_pos; + else + { ++ if (sp->tif->tif_dir.td_stripbytecount == 0) { ++ TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing"); ++ return(0); ++ } + sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile]; + if (sp->in_buffer_file_togo==0) + sp->in_buffer_file_pos=0; +Index: tiff-3.9.4/tools/tiffsplit.c +=================================================================== +--- tiff-3.9.4.orig/tools/tiffsplit.c 2011-03-03 10:41:02.000000000 -0500 ++++ tiff-3.9.4/tools/tiffsplit.c 2011-03-03 10:41:36.000000000 -0500 +@@ -237,7 +237,10 @@ + tstrip_t s, ns = TIFFNumberOfStrips(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: strip byte counts are missing\n"); ++ return (0); ++ } + for (s = 0; s < ns; s++) { + if (bytecounts[s] > (uint32)bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]); +@@ -267,7 +270,10 @@ + ttile_t t, nt = TIFFNumberOfTiles(in); + uint32 *bytecounts; + +- TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts); ++ if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) { ++ fprintf(stderr, "tiffsplit: tile byte counts are missing\n"); ++ return (0); ++ } + for (t = 0; t < nt; t++) { + if (bytecounts[t] > (uint32) bufsize) { + buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]); diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2595.patch ./debian/patches/CVE-2010-2595.patch --- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2595.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2010-2595.patch 2011-03-03 11:18:28.000000000 -0500 @@ -0,0 +1,31 @@ +Description: fix denial of service via invalid ReferenceBlackWhite values +Origin: upstream, libtiff/tif_color.c r1.12.2.2 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2208 + +Index: tiff-3.9.4/libtiff/tif_color.c +=================================================================== +--- tiff-3.9.4.orig/libtiff/tif_color.c 2011-03-03 10:42:19.000000000 -0500 ++++ tiff-3.9.4/libtiff/tif_color.c 2011-03-03 10:42:25.000000000 -0500 +@@ -183,13 +183,18 @@ + TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, + uint32 *r, uint32 *g, uint32 *b) + { ++ int32 i; ++ + /* XXX: Only 8-bit YCbCr input supported for now */ + Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); + +- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; +- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] +- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; +- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; ++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; ++ *r = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] ++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); ++ *g = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; ++ *b = CLAMP(i, 0, 255); + } + + /* diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2597.patch ./debian/patches/CVE-2010-2597.patch --- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2597.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2010-2597.patch 2011-03-03 11:21:05.000000000 -0500 @@ -0,0 +1,48 @@ +Description: fix denial of service via devide-by-zero +Origin: upstream, r1.19.2.3 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2215 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/593067 + +Index: tiff-3.9.4/libtiff/tif_strip.c +=================================================================== +--- tiff-3.9.4.orig/libtiff/tif_strip.c 2011-03-03 10:42:54.000000000 -0500 ++++ tiff-3.9.4/libtiff/tif_strip.c 2011-03-03 10:43:04.000000000 -0500 +@@ -124,9 +124,9 @@ + uint16 ycbcrsubsampling[2]; + tsize_t w, scanline, samplingarea; + +- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1 ); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; + if (samplingarea == 0) { +@@ -234,9 +234,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +@@ -304,9 +304,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2630.patch ./debian/patches/CVE-2010-2630.patch --- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-2630.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2010-2630.patch 2011-03-03 11:23:51.000000000 -0500 @@ -0,0 +1,45 @@ +Description: fix denial of service via out-of-order tags +Origin: upstream, r1.92.2.13 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2210 + +Index: tiff-3.9.4/libtiff/tif_dirread.c +=================================================================== +--- tiff-3.9.4.orig/libtiff/tif_dirread.c 2011-03-03 10:43:39.000000000 -0500 ++++ tiff-3.9.4/libtiff/tif_dirread.c 2011-03-03 10:43:44.000000000 -0500 +@@ -83,6 +83,7 @@ + const TIFFFieldInfo* fip; + size_t fix; + uint16 dircount; ++ uint16 previous_tag = 0; + int diroutoforderwarning = 0, compressionknown = 0; + int haveunknowntags = 0; + +@@ -163,23 +164,24 @@ + + if (dp->tdir_tag == IGNORE) + continue; +- if (fix >= tif->tif_nfields) +- fix = 0; + + /* + * Silicon Beach (at least) writes unordered + * directory tags (violating the spec). Handle + * it here, but be obnoxious (maybe they'll fix it?). + */ +- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) { ++ if (dp->tdir_tag < previous_tag) { + if (!diroutoforderwarning) { + TIFFWarningExt(tif->tif_clientdata, module, + "%s: invalid TIFF directory; tags are not sorted in ascending order", + tif->tif_name); + diroutoforderwarning = 1; + } +- fix = 0; /* O(n^2) */ + } ++ previous_tag = dp->tdir_tag; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-4665.patch ./debian/patches/CVE-2010-4665.patch --- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2010-4665.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2010-4665.patch 2012-04-02 10:57:37.000000000 -0400 @@ -0,0 +1,38 @@ +Description: fix denial of service and possible code execution via tiffdump +Origin: extracted from libtiff 3.9.5 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2218 + +Index: tiff-3.9.4/tools/tiffdump.c +=================================================================== +--- tiff-3.9.4.orig/tools/tiffdump.c 2010-06-08 14:50:44.000000000 -0400 ++++ tiff-3.9.4/tools/tiffdump.c 2012-04-02 10:54:36.462126292 -0400 +@@ -52,6 +52,11 @@ + # define O_BINARY 0 + #endif + ++/* Safe multiply which returns zero if there is an integer overflow */ ++#ifndef TIFFSafeMultiply ++# define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#endif ++ + char* appname; + char* curfile; + int swabflag; +@@ -317,7 +322,7 @@ + printf(">\n"); + continue; + } +- space = dp->tdir_count * datawidth[dp->tdir_type]; ++ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); + if (space <= 0) { + printf(">\n"); + Error("Invalid count for tag %u", dp->tdir_tag); +@@ -709,7 +714,7 @@ + w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); + cc = dir->tdir_count * w; + if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 +- && read(fd, cp, cc) != -1) { ++ && read(fd, cp, cc) == cc) { + if (swabflag) { + switch (dir->tdir_type) { + case TIFF_SHORT: diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-1173.patch ./debian/patches/CVE-2012-1173.patch --- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-1173.patch 2012-04-02 11:40:12.000000000 -0400 +++ ./debian/patches/CVE-2012-1173.patch 2012-04-02 10:54:56.000000000 -0400 @@ -1,6 +1,23 @@ -diff -aur tiff-3.9.4.orig/libtiff/tif_getimage.c tiff-3.9.4/libtiff/tif_getimage.c ---- tiff-3.9.4.orig/libtiff/tif_getimage.c 2012-04-02 15:37:36.000000000 +0000 -+++ tiff-3.9.4/libtiff/tif_getimage.c 2012-04-02 15:39:31.000000000 +0000 +Description: fix arbitrary code execution via size overflow +Origin: thanks to Tom Lane of Red Hat + +Index: tiff-3.9.4/libtiff/tiffiop.h +=================================================================== +--- tiff-3.9.4.orig/libtiff/tiffiop.h 2010-06-11 22:55:16.000000000 -0400 ++++ tiff-3.9.4/libtiff/tiffiop.h 2012-04-02 10:54:54.058126125 -0400 +@@ -243,7 +243,7 @@ + #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) + + /* Safe multiply which returns zero if there is an integer overflow */ +-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) +Index: tiff-3.9.4/libtiff/tif_getimage.c +=================================================================== +--- tiff-3.9.4.orig/libtiff/tif_getimage.c 2012-04-02 10:54:42.714126234 -0400 ++++ tiff-3.9.4/libtiff/tif_getimage.c 2012-04-02 10:54:54.058126125 -0400 @@ -673,18 +673,24 @@ unsigned char* p2; unsigned char* pa; @@ -54,15 +71,3 @@ p1 = p0 + stripsize; p2 = p1 + stripsize; pa = (alpha?(p2+stripsize):NULL); -diff -aur tiff-3.9.4.orig/libtiff/tiffiop.h tiff-3.9.4/libtiff/tiffiop.h ---- tiff-3.9.4.orig/libtiff/tiffiop.h 2010-06-12 02:55:16.000000000 +0000 -+++ tiff-3.9.4/libtiff/tiffiop.h 2012-04-02 15:39:31.000000000 +0000 -@@ -243,7 +243,7 @@ - #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) - - /* Safe multiply which returns zero if there is an integer overflow */ --#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) -+#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) - - #define TIFFmax(A,B) ((A)>(B)?(A):(B)) - #define TIFFmin(A,B) ((A)<(B)?(A):(B)) diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-2088.patch ./debian/patches/CVE-2012-2088.patch --- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-2088.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2012-2088.patch 2012-07-04 10:55:05.000000000 -0400 @@ -0,0 +1,133 @@ +Description: fix possible arbitrary code execution via buffer overflow + due to type-conversion flaw +Origin: thanks to Red Hat +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1016324 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678140 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=832864 + +Index: tiff-3.9.5/libtiff/tif_strip.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_strip.c 2011-01-03 23:31:28.000000000 -0500 ++++ tiff-3.9.5/libtiff/tif_strip.c 2012-07-04 10:08:25.007573859 -0400 +@@ -107,6 +107,7 @@ + TIFFVStripSize(TIFF* tif, uint32 nrows) + { + TIFFDirectory *td = &tif->tif_dir; ++ uint32 stripsize; + + if (nrows == (uint32) -1) + nrows = td->td_imagelength; +@@ -122,7 +123,7 @@ + * YCbCr data for the extended image. + */ + uint16 ycbcrsubsampling[2]; +- tsize_t w, scanline, samplingarea; ++ uint32 w, scanline, samplingarea; + + TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, + ycbcrsubsampling + 0, +@@ -141,13 +142,27 @@ + nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); + /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ + scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); +- return ((tsize_t) +- summarize(tif, scanline, +- multiply(tif, 2, scanline / samplingarea, +- "TIFFVStripSize"), "TIFFVStripSize")); ++ /* a zero anywhere in here means overflow, must return zero */ ++ if (scanline > 0) { ++ uint32 extra = ++ multiply(tif, 2, scanline / samplingarea, ++ "TIFFVStripSize"); ++ if (extra > 0) ++ stripsize = summarize(tif, scanline, extra, ++ "TIFFVStripSize"); ++ else ++ stripsize = 0; ++ } else ++ stripsize = 0; + } else +- return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif), +- "TIFFVStripSize")); ++ stripsize = multiply(tif, nrows, TIFFScanlineSize(tif), ++ "TIFFVStripSize"); ++ /* Because tsize_t is signed, we might have conversion overflow */ ++ if (((tsize_t) stripsize) < 0) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize"); ++ stripsize = 0; ++ } ++ return (tsize_t) stripsize; + } + + +Index: tiff-3.9.5/libtiff/tif_tile.c +=================================================================== +--- tiff-3.9.5.orig/libtiff/tif_tile.c 2010-06-08 14:50:43.000000000 -0400 ++++ tiff-3.9.5/libtiff/tif_tile.c 2012-07-04 10:08:25.007573859 -0400 +@@ -174,7 +174,7 @@ + TIFFTileRowSize(TIFF* tif) + { + TIFFDirectory *td = &tif->tif_dir; +- tsize_t rowsize; ++ uint32 rowsize; + + if (td->td_tilelength == 0 || td->td_tilewidth == 0) + return ((tsize_t) 0); +@@ -193,7 +193,7 @@ + TIFFVTileSize(TIFF* tif, uint32 nrows) + { + TIFFDirectory *td = &tif->tif_dir; +- tsize_t tilesize; ++ uint32 tilesize; + + if (td->td_tilelength == 0 || td->td_tilewidth == 0 || + td->td_tiledepth == 0) +@@ -209,12 +209,12 @@ + * horizontal/vertical subsampling area include + * YCbCr data for the extended image. + */ +- tsize_t w = ++ uint32 w = + TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); +- tsize_t rowsize = ++ uint32 rowsize = + TIFFhowmany8(multiply(tif, w, td->td_bitspersample, + "TIFFVTileSize")); +- tsize_t samplingarea = ++ uint32 samplingarea = + td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; + if (samplingarea == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); +@@ -223,15 +223,27 @@ + nrows = TIFFroundup(nrows, td->td_ycbcrsubsampling[1]); + /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ + tilesize = multiply(tif, nrows, rowsize, "TIFFVTileSize"); +- tilesize = summarize(tif, tilesize, +- multiply(tif, 2, tilesize / samplingarea, +- "TIFFVTileSize"), ++ /* a zero anywhere in here means overflow, must return zero */ ++ if (tilesize > 0) { ++ uint32 extra = ++ multiply(tif, 2, tilesize / samplingarea, + "TIFFVTileSize"); ++ if (extra > 0) ++ tilesize = summarize(tif, tilesize, extra, ++ "TIFFVTileSize"); ++ else ++ tilesize = 0; ++ } + } else + tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), + "TIFFVTileSize"); +- return ((tsize_t) +- multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize")); ++ tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"); ++ /* Because tsize_t is signed, we might have conversion overflow */ ++ if (((tsize_t) tilesize) < 0) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize"); ++ tilesize = 0; ++ } ++ return (tsize_t) tilesize; + } + + /* diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-2113.patch ./debian/patches/CVE-2012-2113.patch --- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-2113.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2012-2113.patch 2012-07-04 11:19:13.000000000 -0400 @@ -0,0 +1,259 @@ +Description: fix possible arbitrary code execution via integer + overflows in tiff2pdf +Origin: thanks to Red Hat +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1016324 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678140 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=810551 + +Index: tiff-3.9.4/tools/tiff2pdf.c +=================================================================== +--- tiff-3.9.4.orig/tools/tiff2pdf.c 2012-07-04 10:59:50.839652872 -0400 ++++ tiff-3.9.4/tools/tiff2pdf.c 2012-07-04 11:18:28.903681500 -0400 +@@ -44,6 +44,7 @@ + # include <io.h> + #endif + ++#include "tiffiop.h" + #include "tiffio.h" + + #ifndef HAVE_GETOPT +@@ -414,6 +415,34 @@ + (void) handle, (void) data, (void) offset; + } + ++static uint64 ++checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p) ++{ ++ uint64 bytes = summand1 + summand2; ++ ++ if (bytes - summand1 != summand2) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ bytes = 0; ++ } ++ ++ return bytes; ++} ++ ++static uint64 ++checkMultiply64(uint64 first, uint64 second, T2P* t2p) ++{ ++ uint64 bytes = first * second; ++ ++ if (second && bytes / second != first) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ bytes = 0; ++ } ++ ++ return bytes; ++} ++ + /* + + This is the main function. +@@ -1828,9 +1857,7 @@ + tstrip_t i=0; + tstrip_t stripcount=0; + #endif +-#ifdef OJPEG_SUPPORT +- tsize_t k = 0; +-#endif ++ uint64 k = 0; + + if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ + #ifdef CCITT_SUPPORT +@@ -1858,19 +1885,25 @@ + } + stripcount=TIFFNumberOfStrips(input); + for(i=0;i<stripcount;i++){ +- k += sbc[i]; ++ k = checkAdd64(k, sbc[i], t2p); + } + if(TIFFGetField(input, TIFFTAG_JPEGIFOFFSET, &(t2p->tiff_dataoffset))){ + if(t2p->tiff_dataoffset != 0){ + if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){ + if(t2p->tiff_datasize < k) { +- t2p->pdf_ojpegiflength=t2p->tiff_datasize; +- t2p->tiff_datasize+=k; +- t2p->tiff_datasize+=6; +- t2p->tiff_datasize+=2*stripcount; + TIFFWarning(TIFF2PDF_MODULE, + "Input file %s has short JPEG interchange file byte count", + TIFFFileName(input)); ++ t2p->pdf_ojpegiflength=t2p->tiff_datasize; ++ k = checkAdd64(k, t2p->tiff_datasize, t2p); ++ k = checkAdd64(k, 6, t2p); ++ k = checkAdd64(k, stripcount, t2p); ++ k = checkAdd64(k, stripcount, t2p); ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } + return; +@@ -1883,9 +1916,14 @@ + } + } + } +- t2p->tiff_datasize+=k; +- t2p->tiff_datasize+=2*stripcount; +- t2p->tiff_datasize+=2048; ++ k = checkAdd64(k, stripcount, t2p); ++ k = checkAdd64(k, stripcount, t2p); ++ k = checkAdd64(k, 2048, t2p); ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } + #endif +@@ -1894,11 +1932,11 @@ + uint32 count = 0; + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0 ){ + if(count > 4){ +- t2p->tiff_datasize += count; +- t2p->tiff_datasize -= 2; /* don't use EOI of header */ ++ k += count; ++ k -= 2; /* don't use EOI of header */ + } + } else { +- t2p->tiff_datasize = 2; /* SOI for first strip */ ++ k = 2; /* SOI for first strip */ + } + stripcount=TIFFNumberOfStrips(input); + if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){ +@@ -1909,18 +1947,33 @@ + return; + } + for(i=0;i<stripcount;i++){ +- t2p->tiff_datasize += sbc[i]; +- t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */ ++ k = checkAdd64(k, sbc[i], t2p); ++ k -=4; /* don't use SOI or EOI of strip */ ++ } ++ k = checkAdd64(k, 2, t2p); /* use EOI of last strip */ ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; + } +- t2p->tiff_datasize +=2; /* use EOI of last strip */ + return; + } + #endif + (void) 0; + } +- t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length; ++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); + if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ +- t2p->tiff_datasize*= t2p->tiff_samplesperpixel; ++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ++ } ++ if (k == 0) { ++ /* Assume we had overflow inside TIFFScanlineSize */ ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } ++ ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; + } + + return; +@@ -1938,6 +1991,7 @@ + #ifdef JPEG_SUPPORT + unsigned char* jpt; + #endif ++ uint64 k; + + edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); + edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); +@@ -1949,14 +2003,17 @@ + #endif + ){ + t2p->tiff_datasize=TIFFTileSize(input); ++ if (t2p->tiff_datasize == 0) { ++ /* Assume we had overflow inside TIFFTileSize */ ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } else { + TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc); +- t2p->tiff_datasize=tbc[tile]; ++ k=tbc[tile]; + #ifdef OJPEG_SUPPORT + if(t2p->tiff_compression==COMPRESSION_OJPEG){ +- t2p->tiff_datasize+=2048; +- return; ++ k = checkAdd64(k, 2048, t2p); + } + #endif + #ifdef JPEG_SUPPORT +@@ -1964,18 +2021,35 @@ + uint32 count = 0; + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt)!=0){ + if(count > 4){ +- t2p->tiff_datasize += count; +- t2p->tiff_datasize -= 4; /* don't use EOI of header or SOI of tile */ ++ k = checkAdd64(k, count, t2p); ++ k -= 4; /* don't use EOI of header or SOI of tile */ ++ ++ + } + } + } + #endif ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } + } +- t2p->tiff_datasize=TIFFTileSize(input); ++ k = TIFFTileSize(input); + if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ +- t2p->tiff_datasize*= t2p->tiff_samplesperpixel; ++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ++ } ++ if (k == 0) { ++ /* Assume we had overflow inside TIFFTileSize */ ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } ++ ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; + } + + return; +@@ -2068,6 +2142,10 @@ + uint32 max_striplength=0; + #endif + ++ /* Fail if prior error (in particular, can't trust tiff_datasize) */ ++ if (t2p->t2p_error != T2P_ERR_OK) ++ return(0); ++ + if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ + #ifdef CCITT_SUPPORT + if(t2p->pdf_compression == T2P_COMPRESS_G4){ +@@ -2641,6 +2719,10 @@ + uint32 xuint32=0; + #endif + ++ /* Fail if prior error (in particular, can't trust tiff_datasize) */ ++ if (t2p->t2p_error != T2P_ERR_OK) ++ return(0); ++ + edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); + edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); + diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-3401.patch ./debian/patches/CVE-2012-3401.patch --- ../tiff-3.9.4-5+squeeze4/debian/patches/CVE-2012-3401.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2012-3401.patch 2012-07-16 09:50:51.000000000 -0400 @@ -0,0 +1,16 @@ +Description: fix possible arbitrary code execution via heap overflow + in tiff2pdf. +Origin: Patch thanks to Huzaifa Sidhpurwala <huzai...@redhat.com> + +Index: tiff-3.9.4/tools/tiff2pdf.c +=================================================================== +--- tiff-3.9.4.orig/tools/tiff2pdf.c 2012-07-16 09:44:41.000000000 -0400 ++++ tiff-3.9.4/tools/tiff2pdf.c 2012-07-16 09:50:48.740976594 -0400 +@@ -1119,6 +1119,7 @@ + "Can't set directory %u of input file %s", + i, + TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){ diff -urN ../tiff-3.9.4-5+squeeze4/debian/patches/series ./debian/patches/series --- ../tiff-3.9.4-5+squeeze4/debian/patches/series 2012-04-02 11:40:38.000000000 -0400 +++ ./debian/patches/series 2012-07-16 09:50:46.000000000 -0400 @@ -4,7 +4,15 @@ man-spelling.patch tif_getimage.c-CVE-2010-2233.patch fix-ycbcr-oob-read.patch +CVE-2010-2482.patch +CVE-2010-2595.patch +CVE-2010-2597.patch +CVE-2010-2630.patch CVE-2011-0192.patch CVE-2011-1167.patch CVE-2009-5022.patch +CVE-2010-4665.patch CVE-2012-1173.patch +CVE-2012-2088.patch +CVE-2012-2113.patch +CVE-2012-3401.patch
