Package: release.debian.org
User: release.debian....@packages.debian.org
Tags: bullseye
Severity: normal
Hi RMs,

A security update of tiff for issues that do not warrant a DSA but still would be good to have fixed. Work done by Thorsten Alteholz that I've double checked. Debdiff is attached.

Thanks for consideration,
Laszlo/GCS

diff -Nru tiff-4.2.0/debian/changelog tiff-4.2.0/debian/changelog --- tiff-4.2.0/debian/changelog 2020-12-21 15:06:46.000000000 +0100 +++ tiff-4.2.0/debian/changelog 2022-02-27 17:02:02.000000000 +0100 @@ -1,3 +1,20 @@ +tiff (4.2.0-1+deb11u1) bullseye; urgency=high + + [ Thorsten Alteholz <deb...@alteholz.de> ] + * CVE-2022-22844 + out-of-bounds read in _TIFFmemcpy in certain situations involving a + custom tag and 0x0200 as the second word of the DE field. + * CVE-2022-0562 + Null source pointer passed as an argument to memcpy() function within + TIFFReadDirectory(). This could result in a Denial of Service via + crafted TIFF files. + * CVE-2022-0561 + Null source pointer passed as an argument to memcpy() function within + TIFFFetchStripThing(). This could result in a Denial of Service via + crafted TIFF files. + + -- Laszlo Boszormenyi (GCS) <g...@debian.org> Sun, 27 Feb 2022 17:02:02 +0100 + tiff (4.2.0-1) unstable; urgency=medium * New upstream release. diff -Nru tiff-4.2.0/debian/patches/CVE-2022-0561.patch tiff-4.2.0/debian/patches/CVE-2022-0561.patch --- tiff-4.2.0/debian/patches/CVE-2022-0561.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.2.0/debian/patches/CVE-2022-0561.patch 2022-02-27 16:57:51.000000000 +0100 
@@ -0,0 +1,26 @@ +From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.roua...@spatialys.com> +Date: Sun, 6 Feb 2022 13:08:38 +0100 +Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +Index: tiff-4.2.0/libtiff/tif_dirread.c +=================================================================== +--- tiff-4.2.0.orig/libtiff/tif_dirread.c 2022-02-22 23:56:43.727328819 +0100 ++++ tiff-4.2.0/libtiff/tif_dirread.c 2022-02-22 23:56:43.727328819 +0100 +@@ -5765,8 +5765,9 @@ + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); +- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); ++ if( dir->tdir_count ) ++ _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64)); ++ _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64)); + _TIFFfree(data); + data=resizeddata; + } diff -Nru tiff-4.2.0/debian/patches/CVE-2022-0562.patch tiff-4.2.0/debian/patches/CVE-2022-0562.patch --- tiff-4.2.0/debian/patches/CVE-2022-0562.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.2.0/debian/patches/CVE-2022-0562.patch 2022-02-27 16:57:51.000000000 +0100 
@@ -0,0 +1,24 @@ +From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.roua...@spatialys.com> +Date: Sat, 5 Feb 2022 20:36:41 +0100 +Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: tiff-4.2.0/libtiff/tif_dirread.c +=================================================================== +--- tiff-4.2.0.orig/libtiff/tif_dirread.c 2022-02-22 23:56:49.919326843 +0100 ++++ tiff-4.2.0/libtiff/tif_dirread.c 2022-02-22 23:56:49.915326845 +0100 +@@ -4173,7 +4173,8 @@ + goto bad; + } + +- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); ++ if (old_extrasamples > 0) ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + _TIFFfree(new_sampleinfo); + } diff -Nru tiff-4.2.0/debian/patches/CVE-2022-22844.patch tiff-4.2.0/debian/patches/CVE-2022-22844.patch --- tiff-4.2.0/debian/patches/CVE-2022-22844.patch 1970-01-01 01:00:00.000000000 +0100 +++ tiff-4.2.0/debian/patches/CVE-2022-22844.patch 2022-02-27 16:57:51.000000000 +0100 
@@ -0,0 +1,45 @@ +From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001 +From: 4ugustus <wangdw.augus...@qq.com> +Date: Tue, 25 Jan 2022 16:25:28 +0000 +Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where + count is required (fixes #355) + +--- + tools/tiffset.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +Index: tiff-4.2.0/tools/tiffset.c +=================================================================== +--- tiff-4.2.0.orig/tools/tiffset.c 2022-02-22 23:56:54.187325478 +0100 ++++ tiff-4.2.0/tools/tiffset.c 2022-02-22 23:56:54.183325479 +0100 +@@ -32,6 +32,7 @@ + #include <stdio.h> + #include <string.h> + #include <stdlib.h> ++#include <stdint.h> + + #include "tiffio.h" + +@@ -148,9 +149,19 @@ + + arg_index++; + if (TIFFFieldDataType(fip) == TIFF_ASCII) { +- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) +- fprintf( stderr, "Failed to set %s=%s\n", +- TIFFFieldName(fip), argv[arg_index] ); ++ if(TIFFFieldPassCount( fip )) { ++ size_t len; ++ len = strlen(argv[arg_index]) + 1; ++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), ++ (uint16)len, argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s\n", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } else { ++ if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s\n", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } + } else if (TIFFFieldWriteCount(fip) > 0 + || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { + int ret = 1; diff -Nru tiff-4.2.0/debian/patches/series tiff-4.2.0/debian/patches/series --- tiff-4.2.0/debian/patches/series 2020-12-13 07:52:33.000000000 +0100 +++ tiff-4.2.0/debian/patches/series 2022-02-27 16:57:51.000000000 +0100 @@ -1 +1,5 @@ fix_TIFFReadRawStrip_man_page_typo.patch + +CVE-2022-0561.patch +CVE-2022-0562.patch +CVE-2022-22844.patch
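
Review bot: In the debian/changelog hunk, the three CVE entries describe the vulnerabilities but not where the fixes land. The CVE-2022-22844 entry in particular speaks of an out-of-bounds read in _TIFFmemcpy, while CVE-2022-22844.patch only touches tools/tiffset.c. Naming the patch file or the affected component (library versus the tiffset tool) in each entry would make the scope of the upload clear to whoever reviews the point release.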
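
Review bot: In the CVE-2022-0561.patch hunk for TIFFFetchStripThing() (tif_dirread.c, around line 5765), the new guard tests `dir->tdir_count` at full width while the copy length is computed from `(uint32)dir->tdir_count`, so the two expressions can disagree unless a check outside the visible context already bounds the count to 32 bits. Testing the same expression that sizes the copy, or adding a short comment that names the bounding check, would make that explicit. A one-line comment that the guard exists because memcpy() with a null source pointer is undefined even for a size of zero would also keep it from being removed later as redundant.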
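
Review bot: In the CVE-2022-0562.patch hunk for TIFFReadDirectory() (tif_dirread.c, around line 4173), the guard `if (old_extrasamples > 0)` checks the count rather than the source pointer `tif->tif_dir.td_sampleinfo`, so it relies on a non-zero count always implying a non-null array. If that invariant is not enforced elsewhere, the pointer should be part of the condition. If it is enforced, a brief comment saying where would help the next reader.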
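
Review bot: In the CVE-2022-22844.patch hunk at tools/tiffset.c line 148, the new pass-count branch reports an over-long value (`len > UINT16_MAX`) with the same "Failed to set %s=%s" message as a TIFFSetField() failure, so the user cannot tell that the value was rejected for its length. A separate diagnostic for the length case would help. The fprintf() call is also now duplicated across the two branches and could be shared by computing the result once and reporting after the if/else.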