squeeze update of tiff?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of tiff:
https://security-tracker.debian.org/tracker/CVE-2015-7554
https://security-tracker.debian.org/tracker/CVE-2015-8665
https://security-tracker.debian.org/tracker/CVE-2015-8668
https://security-tracker.debian.org/tracker/CVE-2015-8683

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Ben Hutchings,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

--
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
Re: squeeze update of tiff?
On Wed, 2015-12-30 at 13:05 -0500, Jay Berkenbilt wrote:
> Hello. I am no longer maintaining the tiff packages, but I have cc'ed
> the new maintainers so that they can read the message quoted below and
> respond if they are interested. I wonder whether it might make sense for
> the debian-lts stuff to take into consideration when package maintainers
> change.
[...]

Sorry, Jay, this was due to a bug in the contact-maintainers script.
I'll re-send this to the current maintainers.

Ben.

--
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
Re: squeeze update of tiff?
Hi Ben and Laszlo,

I have a git mirror[1] (git cvsimport) of upstream CVS and right now
it's a tad bit confusing which patches are relevant to those CVEs.

I will have more time cherry-picking the patches next week, so if
somebody starts the work (even for unstable), I really won't mind. In
fact it would be much appreciated.

Also feel free to prepare Debian LTS update, I will share relevant
patches, but we'll have to prepare security update for jessie and wheezy
(+ tiff3 for wheezy), so feel free to take care about this in Debian LTS
yourself.

Cheers,
Ondrej

1. https://github.com/oerdnj/libtiff.git

On Thu, Dec 31, 2015, at 01:24, Ben Hutchings wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of tiff:
> https://security-tracker.debian.org/tracker/CVE-2015-7554
> https://security-tracker.debian.org/tracker/CVE-2015-8665
> https://security-tracker.debian.org/tracker/CVE-2015-8668
> https://security-tracker.debian.org/tracker/CVE-2015-8683
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Ben Hutchings,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
> --
> Ben Hutchings - Debian developer, member of Linux kernel and LTS teams

--
Ondřej Surý
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Re: squeeze update of tiff?
Hi Ondřej, Ben,

On Thu, Dec 31, 2015 at 10:04 AM, Ondřej Surý wrote:
> I have a git mirror[1] (git cvsimport) of upstream CVS and right now
> it's a tad bit confusing which patches are relevant to those CVEs.

I've packaged 4.0.6, fixed two CVEs and two other vulnerabilities
that don't have an id. However CVE-2015-8668 is not yet fixed by
upstream as I see.

> I will have more time cherry-picking the patches next week, so if
> somebody starts the work (even for unstable), I really won't mind. In
> fact it would be much appreciated.

I'm going to finish my investigations tomorrow even if my employer
counts on me from 6am. Will do the upload and other fixes can come in
later as upstream commit those.

> Also feel free to prepare Debian LTS update, I will share relevant
> patches, but we'll have to prepare security update for jessie and wheezy
> (+ tiff3 for wheezy), so feel free to take care about this in Debian LTS
> yourself.

I can do the Wheezy + Jessie updates as well. But I've accepted
Raphaël's advice not to do LTS security work so I follow Ondřej here:
you can do the Squeeze LTS update yourself.

Cheers,
Laszlo/GCS
Re: squeeze update of tiff?
Hi László, hi Ondřej,

On Thu 31 Dec 2015 19:01:33 CET, László Böszörményi (GCS) wrote:
> On Thu, Dec 31, 2015 at 10:04 AM, Ondřej Surý wrote:
>> I have a git mirror[1] (git cvsimport) of upstream CVS and right now
>> it's a tad bit confusing which patches are relevant to those CVEs.
>
> I've packaged 4.0.6, fixed two CVEs and two other vulnerabilities
> that don't have an id. However CVE-2015-8668 is not yet fixed by
> upstream as I see.
>
>> I will have more time cherry-picking the patches next week, so if
>> somebody starts the work (even for unstable), I really won't mind. In
>> fact it would be much appreciated.
>
> I'm going to finish my investigations tomorrow even if my employer
> counts on me from 6am. Will do the upload and other fixes can come in
> later as upstream commit those.
>
>> Also feel free to prepare Debian LTS update, I will share relevant
>> patches, but we'll have to prepare security update for jessie and wheezy
>> (+ tiff3 for wheezy), so feel free to take care about this in Debian LTS
>> yourself.
>
> I can do the Wheezy + Jessie updates as well. But I've accepted
> Raphaël's advice not to do LTS security work so I follow Ondřej here:
> you can do the Squeeze LTS update yourself.

I (with my LTS team hat on) just signed up for looking at fixing tiff
in squeeze-lts.

@László: once you finished your research tomorrow, could you send a
short summary with your findings (or even upload a new package version
to unstable)?

Thanks+Greets,
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
Re: squeeze update of tiff?
Hi,

I've backported the patch for CVE-2015-8665 and CVE-2015-8683. Debdiff
attached and packages uploaded to my personal repo.

deb https://people.debian.org/~santiago/debian/ santiago-squeeze-lts/
deb-src https://people.debian.org/~santiago/debian/ santiago-squeeze-lts/

The packages seem to work well, but reviews are welcome.

Santiago

diff -Nru tiff-3.9.4/debian/changelog tiff-3.9.4/debian/changelog --- tiff-3.9.4/debian/changelog 2015-05-06 23:37:44.0 +0200 +++ tiff-3.9.4/debian/changelog 2016-01-20 10:23:45.0 +0100 @@ -1,3 +1,11 @@ +tiff (3.9.4-5+squeeze13~1) santiago-squeeze-lts; urgency=medium + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2015-8665: Out-of-bounds read in TIFFRGBAImage interface. + * Fix CVE-2015-8683: Out-of-bounds read in CIE Lab image format. + + -- Santiago Ruano Rincón Wed, 20 Jan 2016 06:27:59 +0100 + tiff (3.9.4-5+squeeze12) squeeze-lts; urgency=high * Non-maintainer upload by the Squeeze LTS team diff -Nru tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch --- tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch 1970-01-01 01:00:00.0 +0100 +++ tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch 2016-01-20 13:21:48.0 +0100 
@@ -0,0 +1,109 @@ +From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001 +From: erouault +Date: Sat, 26 Dec 2015 17:32:03 + +Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in + TIFFRGBAImage interface in case of unsupported values of + SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to + TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by + limingxing and CVE-2015-8683 reported by zzf of Alibaba. + +--- + +Index: tiff-3.9.4/libtiff/tif_getimage.c +=== +--- tiff-3.9.4.orig/libtiff/tif_getimage.c tiff-3.9.4/libtiff/tif_getimage.c +@@ -245,6 +245,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T + int colorchannels; + uint16 *red_orig, *green_orig, *blue_orig; + int n_color; ++ ++ if( !TIFFRGBAImageOK(tif, emsg) ) ++ return 0; + + /* Initialize to normal values */ + img->row_offset = 0; +@@ -426,11 +429,29 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T + "Planarconfiguration", planarconfig); + return (0); + } ++ if( img->samplesperpixel != 3 || colorchannels != 3 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d, %s=%d", ++ "Samples/pixel", img->samplesperpixel, ++ "colorchannels", colorchannels); ++ return 0; ++ } ++ + TIFFSetField(tif, TIFFTAG_SGILOGDATAFMT, SGILOGDATAFMT_8BIT); + img->photometric = PHOTOMETRIC_RGB; /* little white lie */ + img->bitspersample = 8; + break; + case PHOTOMETRIC_CIELAB: ++ if( img->samplesperpixel != 3 || colorchannels != 3 || img->bitspersample != 8 ) ++ { ++ sprintf(emsg, ++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", ++ "Samples/pixel", img->samplesperpixel, ++ "colorchannels", colorchannels, ++ "Bits/sample", img->bitspersample); ++ return 0; ++ } + break; + default: + sprintf(emsg, "Sorry, can not handle image with %s=%d", +@@ -2352,25 +2373,29 @@ PickContigCase(TIFFRGBAImage* img) + case PHOTOMETRIC_RGB: + switch (img->bitspersample) { + case 8: +- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) ++ if (img->alpha == 
EXTRASAMPLE_ASSOCALPHA && ++ img->samplesperpixel >= 4) + img->put.contig = putRGBAAcontig8bittile; +- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) ++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && ++ img->samplesperpixel >= 4) + { + img->put.contig = putRGBUAc
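
Review bot: In the debian/changelog hunk, the new entry targets "santiago-squeeze-lts" with version "3.9.4-5+squeeze13~1", while the entry below it targets "squeeze-lts". That suits a personal test repository, but the entry needs the squeeze-lts distribution and a final version string before it is uploaded. The urgency also drops from "high" in the previous entry to "medium" for two out-of-bounds read fixes, so say whether that is intended. The entry lists only CVE-2015-8665 and CVE-2015-8683, which leaves CVE-2015-7554 and CVE-2015-8668 from the original request open after this upload.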
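
Review bot: In the first tif_getimage.c hunk (TIFFRGBAImageBegin, @@ -245,6 +245,9), the new "if( !TIFFRGBAImageOK(tif, emsg) ) return 0;" returns before the "/* Initialize to normal values */" block, so on this path img is left exactly as the caller passed it in. Please check that no caller in 3.9.4 goes on to use or release img after a failed TIFFRGBAImageBegin(), or move the check below the initialization so the structure is always in a known state on return.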
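
Review bot: In the second tif_getimage.c hunk (@@ -426,11 +429,29), the PHOTOMETRIC_CIELAB case rejects "img->bitspersample != 8" while the check added just above it tests only samplesperpixel and colorchannels. The asymmetry looks deliberate, since that earlier case assigns "img->bitspersample = 8" right after the check, but a one-line comment would save the next reader from wondering. Both new messages are written with sprintf(emsg, ...), matching the "default:" case in the context; the arguments are fixed strings and integers, so the length is bounded, but the size of the caller's emsg buffer is not visible in this hunk and is worth confirming. The new code also uses "return 0;" where the surrounding context uses "return (0);".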
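
Review bot: In the PickContigCase hunk (@@ -2352,25 +2373,29), adding "img->samplesperpixel >= 4" to both alpha branches means an image that declares alpha but carries fewer than four samples now falls through to whichever branch follows. The hunk is cut off at this point, so please confirm that the remaining else branch also tests samplesperpixel before it selects a put routine; otherwise the out-of-bounds read is moved to that routine instead of being prevented.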