Some time ago, a bug was posted about tiff being vulnerable to
CAN-2005-1544: a bug that caused an exploitable segmentation fault on
files with certain bad BitsPerSample values (making it a potential DOS
bug).  The fix is already in sarge.  I had posted a patch against the
version of the package in Woody some time ago, but I had not tested
it.  I have now built and tested this in a woody environment, and I
believe that it does resolve the problem.  The attached patch is
identical to the other one except that it also patches
debian/changelog.  Feel free to disregard that part and treat this as a
security NMU.  The portion of the patch that updates tif_dirread.c
should be fine.  Bug 309739 is still open (tagged woody).  My patch to
the changelog closes it.  If this gets uploaded in some other way,
someone can manually close the bug.  Please let me know if there's
anything else I need to do with this.  Thanks!

-- 
Jay Berkenbilt <[EMAIL PROTECTED]>

diff -ur tiff-3.5.5.old/debian/changelog tiff-3.5.5/debian/changelog
--- tiff-3.5.5.old/debian/changelog	2005-07-09 15:33:22.444177800 -0400
+++ tiff-3.5.5/debian/changelog	2005-07-09 15:36:33.679924042 -0400
@@ -1,3 +1,10 @@
+tiff (3.5.5-7) unstable; urgency=low
+
+  * Fix for exploitable segmentation fault on files with bad BitsPerSample
+    values. [libtiff/tif_dirread.c, CAN-2005-1544]. Closes: #309739
+
+ -- Jay Berkenbilt <[EMAIL PROTECTED]>  Sat,  9 Jul 2005 15:36:18 -0400
+
 tiff (3.5.5-6.woody5) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
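Review bot: the new entry is versioned 3.5.5-7 and targeted at "unstable", yet the mail says the upload is for woody; the entry just below it (3.5.5-6.woody5, stable-security) shows the convention a woody security NMU would follow, so a woody-style version (e.g. 3.5.5-6.woody6) and the matching security distribution would avoid sorting above or colliding with the package already in sarge/unstable. If the changelog part is to be dropped anyway, as the mail suggests, the uploader should still carry the Closes: #309739 line so the bug gets closed.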
diff -ur tiff-3.5.5.old/libtiff/tif_dirread.c tiff-3.5.5/libtiff/tif_dirread.c
--- tiff-3.5.5.old/libtiff/tif_dirread.c	2005-07-09 15:33:22.432179070 -0400
+++ tiff-3.5.5/libtiff/tif_dirread.c	2005-07-09 15:32:53.358256890 -0400
@@ -1178,12 +1178,16 @@
 		uint16 buf[10];
 		uint16* v = buf;
 
-		if (samples > NITEMS(buf))
-			v = (uint16*) CheckMalloc(tif, samples, sizeof (uint16),
+		if (dir->tdir_count > NITEMS(buf))
+			v = (uint16*) CheckMalloc(tif, dir->tdir_count, sizeof(uint16),
 						  "to fetch per-sample values");
 		if (v && TIFFFetchShortArray(tif, dir, v)) {
 			int i;
-			for (i = 1; i < samples; i++)
+			int check_count = dir->tdir_count;
+			if( samples < check_count )
+			    check_count = samples;
+
+			for (i = 1; i < check_count; i++)
 				if (v[i] != v[0]) {
 					TIFFError(tif->tif_name,
 		"Cannot handle different per-sample values for field \"%s\"",
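Review bot: `int check_count = dir->tdir_count;` narrows the uint32 directory count to int, so a count above INT_MAX becomes negative, `samples < check_count` is then false, and the per-sample consistency loop is silently skipped; keep check_count unsigned (uint32, like tdir_count) or reject such counts before the CheckMalloc call. The clamp also means that when tdir_count is smaller than samples (including a count of 0) fewer values are compared than the caller asked for; an explicit error for tdir_count < samples would be clearer than clamping. Style: `if( samples < check_count )` with a space-indented body does not match the surrounding tab-indented `if (cond)` code.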
@@ -1215,12 +1219,16 @@
 		double buf[10];
 		double* v = buf;
 
-		if (samples > NITEMS(buf))
-			v = (double*) CheckMalloc(tif, samples, sizeof (double),
+		if (dir->tdir_count > NITEMS(buf))
+			v = (double*) CheckMalloc(tif, dir->tdir_count, sizeof (double),
 						  "to fetch per-sample values");
 		if (v && TIFFFetchAnyArray(tif, dir, v)) {
 			int i;
-			for (i = 1; i < samples; i++)
+			int check_count = dir->tdir_count;
+			if( samples < check_count )
+			    check_count = samples;
+
+			for (i = 1; i < check_count; i++)
 				if (v[i] != v[0]) {
 					TIFFError(tif->tif_name,
 		"Cannot handle different per-sample values for field \"%s\"",
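Review bot: this hunk repeats the clamp from the short-array case verbatim, including the uint32-to-int narrowing of tdir_count and the `if(` spacing, so the two paths will drift if only one is fixed later; a small static min() helper shared by both would keep them aligned. Minor: `sizeof (double)` keeps the original spacing here while the previous hunk changed `sizeof (uint16)` to `sizeof(uint16)`; pick one.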
