Bug#595064: marked as done (libtiff crashes on OOB reads in putcontig8bitYCbCr11tile)

[Debian Bug Tracking System]

Your message dated Sat, 02 Oct 2010 17:47:15 +0000
with message-id <e1p26b1-000406...@franck.debian.org>
and subject line Bug#595064: fixed in tiff 3.9.4-4
has caused the Debian Bug report #595064,
regarding libtiff crashes on OOB reads in putcontig8bitYCbCr11tile
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
595064: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595064
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: tiff
Version: 3.9.4-2
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch


In Ubuntu, we've applied the attached patch in lucid-security to
achieve the following:

  * debian/patches/fix-ycbcr-oob-read.patch fix crash on
    OOB reads in putcontig8bitYCbCr11tile (LP: #591605)

We thought you might be interested in doing the same.

The patch origin is from

  https://bugzilla.redhat.com/attachment.cgi?id=423329

and was committed on the 3.9 and 4.0 branch of libtiff. You can
see how it was applied on the 3.9 branch in the upstream cvs tree by
doing

  cvs diff -r 1.63.2.4 -r 1.63.2.5 libtiff/tif_getimage.c

The related launchpad bug is

  https://bugs.launchpad.net/bugs/591605

and includes a reproducer

  
https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605/+attachment/1421368/+files/sample.tif.gz

The upstream bug report is at

  http://bugzilla.maptools.org/show_bug.cgi?id=2216

Thanks!


-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 
'maverick-proposed'), (500, 'maverick')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-19-server (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru tiff-3.9.4/debian/patches/fix-ycbcr-oob-read.patch tiff-3.9.4/debian/patches/fix-ycbcr-oob-read.patch
--- tiff-3.9.4/debian/patches/fix-ycbcr-oob-read.patch	1969-12-31 16:00:00.000000000 -0800
+++ tiff-3.9.4/debian/patches/fix-ycbcr-oob-read.patch	2010-08-31 10:31:44.000000000 -0700
@@ -0,0 +1,18 @@
+Description: fix crash on OOB reads in putcontig8bitYCbCr11tile
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/591605
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=603081
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=423329
+
+Index: tiff-3.9.2/libtiff/tif_getimage.c
+===================================================================
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c	2010-06-16 10:47:29.147649657 -0700
++++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-16 10:48:06.103986457 -0700
+@@ -2399,7 +2399,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_YCBCR:
+-			if (img->bitspersample == 8)
++			if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ 			{
+ 				if (initYCbCrConversion(img)!=0)
+ 				{
diff -Nru tiff-3.9.4/debian/patches/series tiff-3.9.4/debian/patches/series
--- tiff-3.9.4/debian/patches/series	2010-08-13 17:11:51.000000000 -0700
+++ tiff-3.9.4/debian/patches/series	2010-08-31 10:31:44.000000000 -0700
@@ -2,3 +2,4 @@
 man-errors.patch
 man-spelling.patch
 tif_getimage.c-CVE-2010-2233.patch
+fix-ycbcr-oob-read.patch

--- End Message ---

--- Begin Message ---

Source: tiff
Source-Version: 3.9.4-4

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-doc_3.9.4-4_all.deb
  to main/t/tiff/libtiff-doc_3.9.4-4_all.deb
libtiff-opengl_3.9.4-4_amd64.deb
  to main/t/tiff/libtiff-opengl_3.9.4-4_amd64.deb
libtiff-tools_3.9.4-4_amd64.deb
  to main/t/tiff/libtiff-tools_3.9.4-4_amd64.deb
libtiff4-dev_3.9.4-4_amd64.deb
  to main/t/tiff/libtiff4-dev_3.9.4-4_amd64.deb
libtiff4_3.9.4-4_amd64.deb
  to main/t/tiff/libtiff4_3.9.4-4_amd64.deb
libtiffxx0c2_3.9.4-4_amd64.deb
  to main/t/tiff/libtiffxx0c2_3.9.4-4_amd64.deb
tiff_3.9.4-4.debian.tar.gz
  to main/t/tiff/tiff_3.9.4-4.debian.tar.gz
tiff_3.9.4-4.dsc
  to main/t/tiff/tiff_3.9.4-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 595...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <q...@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 02 Oct 2010 13:17:12 -0400
Source: tiff
Binary: libtiff4 libtiffxx0c2 libtiff4-dev libtiff-tools libtiff-opengl 
libtiff-doc
Architecture: source all amd64
Version: 3.9.4-4
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <q...@debian.org>
Changed-By: Jay Berkenbilt <q...@debian.org>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 595064
Changes: 
 tiff (3.9.4-4) unstable; urgency=high
 .
   * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
     putcontig8bitYCbCr11tile".  (Closes: #595064)
Checksums-Sha1: 
 c8a1c7bc99ef8e82c39467f0878fc500f3714426 1836 tiff_3.9.4-4.dsc
 8463e126e18e8a33aa2ef47ed2a28ceb6b0fda46 14655 tiff_3.9.4-4.debian.tar.gz
 d321b5fb883e6803b455eba35bd3b33e16d3feec 385772 libtiff-doc_3.9.4-4_all.deb
 07a1083264aa74df2436a31b2e7dc1885c7247b1 194220 libtiff4_3.9.4-4_amd64.deb
 7f99ac6f2244b9ec286f1854357f29106f2c1dce 58706 libtiffxx0c2_3.9.4-4_amd64.deb
 c5c2d9593c7758243d7f1920f266f9de1a18f336 321312 libtiff4-dev_3.9.4-4_amd64.deb
 9477b08a738c48837de23df6b7dea0e6582a83dc 301802 libtiff-tools_3.9.4-4_amd64.deb
 07be0da5540607fa2d04656d21feda501c1e980c 64132 libtiff-opengl_3.9.4-4_amd64.deb
Checksums-Sha256: 
 fbc114586d983868898d2e71857e2196c4efde72b66a35bb9de1e77ff3748952 1836 
tiff_3.9.4-4.dsc
 75e539a874e6c310d039ee965d69949c7d8f1a79f51980d0d3494b930a5ee45d 14655 
tiff_3.9.4-4.debian.tar.gz
 d35c907e82eefb78f459099744bdeb1830f3a5c93ba0e16ddfaa71013e57344d 385772 
libtiff-doc_3.9.4-4_all.deb
 c937ae6ea86f4860e4fb4984f580f43368a567198452db8c65116279c99bd2f3 194220 
libtiff4_3.9.4-4_amd64.deb
 889d7fa1511a0f0ea49d1a2be49d9f48f869dea7e83a08c737352dd16899c09a 58706 
libtiffxx0c2_3.9.4-4_amd64.deb
 0b264a9db0d6e1c1bcd14451e2c827de46e6c18ed6ffdaed65b7c4d4cf23eef0 321312 
libtiff4-dev_3.9.4-4_amd64.deb
 477917d1d1309bf755550ae72868c8c6071d000699fe698857612c8ae845704d 301802 
libtiff-tools_3.9.4-4_amd64.deb
 f37cec96ff71dc0df44ee1b46c690e82eb88b44d9ced80d8d0d28facfa49b95e 64132 
libtiff-opengl_3.9.4-4_amd64.deb
Files: 
 0f1b0917eebf51f7be222128ce8b6dee 1836 libs optional tiff_3.9.4-4.dsc
 c7c5ee9a0de57b23047525fb1296d9b1 14655 libs optional tiff_3.9.4-4.debian.tar.gz
 ea9326e0eb07c6de4dcc4daf822fdf14 385772 doc optional 
libtiff-doc_3.9.4-4_all.deb
 fd54b73cf697053aaf0eb13e8cee66ca 194220 libs optional 
libtiff4_3.9.4-4_amd64.deb
 c8f81936d1ec1df6c74a7ca4a4526682 58706 libs optional 
libtiffxx0c2_3.9.4-4_amd64.deb
 37ca0faf1f5309c4e24651051b5c7ecd 321312 libdevel optional 
libtiff4-dev_3.9.4-4_amd64.deb
 661b6a7b376267c7fcb8c3763c0d34d5 301802 graphics optional 
libtiff-tools_3.9.4-4_amd64.deb
 30aacaa6299059ac131c0ece4d4ea0a4 64132 graphics optional 
libtiff-opengl_3.9.4-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJMp21tAAoJEIp10QmYASx+y0cP/3Uu/IarvXG332CTFHm8Guy2
s07SF+SXKd7m2jNZC4uxxguGfac+ItbUJcVPSJh7XfcVGZCblbHeVMo/UwdNg/Dg
Nch1e/Ukrvi0yzTKE/xDO1xBoY3hjN5GHYvQzkMMMbt6u03Xh2TfMtSg2I1Il6Y8
OdGmSgMk05iysP1xUsB0mkhnZOl17nzQY4towBy4U0gkcqf7n3t7Vj00Kdk5USYw
f8gIPNWCJQSVxuU/3x/Heaw9u18ppUSO5dkvnGYFmw0RLAlTA7wRopWZFCn3bajZ
u9OE96kT3oVb+8UUi1R5kmC2BIWc125e4WZ864ZpAfzI9uh8+2+f2YHsd3j9VXMh
1bHylt6JnW8Y+B07qqOkgW3rRfSOG7PojMG+ovgCBP7AcEvdAMzkwewlbjFpF+iW
jme92SNeMujcCAJFKn1ptRNFYDA0hf7uzT7cWGrKuHelkCaYLFi6FbS696buKSBe
J47/+Ju7BfrjSgwj3RxPlarCddVNrtGJwoFPsHgQFiOVi71a/Rwp94+8fW3OSn88
+GisZep4vPYKdpfBFWs6lmzRqnYdaJ6NaiLBEP5tIaMyXOiSffxUAoxfBiRW0T6n
H5OBd16yC6mD87uHmE6EOskm18DmqAu1IZvC9mKOOi4nPKxVW3qOe6Eqd+JqthXO
kHXUgUkGpRZx/SKo/Y8s
=1M/J
-----END PGP SIGNATURE-----

--- End Message ---