squeeze update of tiff?

2015-12-29 Thread Ben Hutchings
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of tiff:
https://security-tracker.debian.org/tracker/CVE-2015-7554
https://security-tracker.debian.org/tracker/CVE-2015-8665
https://security-tracker.debian.org/tracker/CVE-2015-8668
https://security-tracker.debian.org/tracker/CVE-2015-8683

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Ben Hutchings,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams






squeeze update of tiff?

2015-12-30 Thread Ben Hutchings
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of tiff:
https://security-tracker.debian.org/tracker/CVE-2015-7554
https://security-tracker.debian.org/tracker/CVE-2015-8665
https://security-tracker.debian.org/tracker/CVE-2015-8668
https://security-tracker.debian.org/tracker/CVE-2015-8683

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Ben Hutchings,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams






Re: squeeze update of tiff?

2015-12-30 Thread Ben Hutchings
On Wed, 2015-12-30 at 13:05 -0500, Jay Berkenbilt wrote:
> Hello. I am no longer maintaining the tiff packages, but I have cc'ed
> the new maintainers so that they can read the message quoted below and
> respond if they are interested. I wonder whether it might make sense for
> the debian-lts stuff to take into consideration when package maintainers
> change.
[...]

Sorry, Jay, this was due to a bug in the contact-maintainers script.
I'll re-send this to the current maintainers.

Ben.

-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams





Re: squeeze update of tiff?

2015-12-31 Thread Ondřej Surý
Hi Ben and Laszlo,

I have a git mirror[1] (git cvsimport) of upstream CVS and right now
it's a tad bit confusing which patches are relevant to those CVEs.

I will have more time cherry-picking the patches next week, so if
somebody starts the work (even for unstable), I really won't mind. In
fact it would be much appreciated.

Also feel free to prepare Debian LTS update, I will share relevant
patches, but we'll have to prepare security update for jessie and wheezy
(+ tiff3 for wheezy), so feel free to take care about this in Debian LTS
yourself.

Cheers,
Ondrej

1. https://github.com/oerdnj/libtiff.git

On Thu, Dec 31, 2015, at 01:24, Ben Hutchings wrote:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of tiff:
> https://security-tracker.debian.org/tracker/CVE-2015-7554
> https://security-tracker.debian.org/tracker/CVE-2015-8665
> https://security-tracker.debian.org/tracker/CVE-2015-8668
> https://security-tracker.debian.org/tracker/CVE-2015-8683
> 
> Would you like to take care of this yourself?
> 
> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> 
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> 
> Thank you very much.
> 
> Ben Hutchings,
>   on behalf of the Debian LTS team.
> 
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
> 
> -- 
> Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
> 
> 
> Email had 1 attachment:
> + signature.asc
>   1k (application/pgp-signature)


-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Re: squeeze update of tiff?

2015-12-31 Thread GCS
Hi Ondřej, Ben,

On Thu, Dec 31, 2015 at 10:04 AM, Ondřej Surý  wrote:
> I have a git mirror[1] (git cvsimport) of upstream CVS and right now
> it's a tad bit confusing which patches are relevant to those CVEs.
 I've packaged 4.0.6, fixed two CVEs and two other vulnerabilities
that don't have an id. However CVE-2015-8668 is not yet fixed by
upstream as I see.

> I will have more time cherry-picking the patches next week, so if
> somebody starts the work (even for unstable), I really won't mind. In
> fact it would be much appreciated.
 I'm going to finish my investigations tomorrow even if my employer
counts on me from 6am. Will do the upload and other fixes can come in
later as upstream commit those.

> Also feel free to prepare Debian LTS update, I will share relevant
> patches, but we'll have to prepare security update for jessie and wheezy
> (+ tiff3 for wheezy), so feel free to take care about this in Debian LTS
> yourself.
 I can do the Wheezy + Jessie updates as well. But I've accepted
Raphaël's advice not to do LTS security work so I follow Ondřej here:
you can do the Squeeze LTS update yourself.

Cheers,
Laszlo/GCS



Re: squeeze update of tiff?

2016-01-04 Thread Mike Gabriel

Hi László, hi Ondřej,

On Thu 31 Dec 2015 19:01:33 CET, László Böszörményi (GCS) wrote:

> On Thu, Dec 31, 2015 at 10:04 AM, Ondřej Surý  wrote:
> > I have a git mirror[1] (git cvsimport) of upstream CVS and right now
> > it's a tad bit confusing which patches are relevant to those CVEs.
>  I've packaged 4.0.6, fixed two CVEs and two other vulnerabilities
> that don't have an id. However CVE-2015-8668 is not yet fixed by
> upstream as I see.
>
> > I will have more time cherry-picking the patches next week, so if
> > somebody starts the work (even for unstable), I really won't mind. In
> > fact it would be much appreciated.
>  I'm going to finish my investigations tomorrow even if my employer
> counts on me from 6am. Will do the upload and other fixes can come in
> later as upstream commit those.
>
> > Also feel free to prepare Debian LTS update, I will share relevant
> > patches, but we'll have to prepare security update for jessie and wheezy
> > (+ tiff3 for wheezy), so feel free to take care about this in Debian LTS
> > yourself.
>  I can do the Wheezy + Jessie updates as well. But I've accepted
> Raphaël's advice not to do LTS security work so I follow Ondřej here:
> you can do the Squeeze LTS update yourself.


I (with my LTS team hat on) just signed up for looking at fixing tiff  
in squeeze-lts.


@László: once you finished your research tomorrow, could you send a  
short summary with your findings (or even upload a new package version  
to unstable)?


Thanks+Greets,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de




Re: squeeze update of tiff?

2016-01-20 Thread Santiago Ruano Rincón
Hi,

I've backported the patch for CVE-2015-8665 and CVE-2015-8683. Debdiff
attached and packages uploaded to my personal repo. 

deb https://people.debian.org/~santiago/debian/ santiago-squeeze-lts/
deb-src https://people.debian.org/~santiago/debian/ santiago-squeeze-lts/

The packages seem to work well, but reviews are welcome.

Santiago
diff -Nru tiff-3.9.4/debian/changelog tiff-3.9.4/debian/changelog
--- tiff-3.9.4/debian/changelog 2015-05-06 23:37:44.0 +0200
+++ tiff-3.9.4/debian/changelog 2016-01-20 10:23:45.0 +0100
@@ -1,3 +1,11 @@
+tiff (3.9.4-5+squeeze13~1) santiago-squeeze-lts; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2015-8665: Out-of-bounds read in TIFFRGBAImage interface.
+  * Fix CVE-2015-8683: Out-of-bounds read in CIE Lab image format.
+
+ -- Santiago Ruano Rincón   Wed, 20 Jan 2016 06:27:59 
+0100
+
 tiff (3.9.4-5+squeeze12) squeeze-lts; urgency=high
 
   * Non-maintainer upload by the Squeeze LTS team
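Review bot: before the real upload, the distribution and version in the new changelog entry need changing. "santiago-squeeze-lts" and "3.9.4-5+squeeze13~1" suit a personal test repository, but the archive upload should use "squeeze-lts" and "3.9.4-5+squeeze13" like the entry below it. That earlier entry used urgency=high, so the drop to urgency=medium for two out-of-bounds reads should be a deliberate choice. The entry would also be easier to audit if it named the patch file it adds, debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch. Note that CVE-2015-7554 and CVE-2015-8668 from the original request are not covered by this entry.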
diff -Nru tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch 
tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch
--- tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch 
1970-01-01 01:00:00.0 +0100
+++ tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch 
2016-01-20 13:21:48.0 +0100
@@ -0,0 +1,109 @@
+From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001
+From: erouault 
+Date: Sat, 26 Dec 2015 17:32:03 +
+Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
+ TIFFRGBAImage interface in case of unsupported values of
+ SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
+ TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
+ limingxing and CVE-2015-8683 reported by zzf of Alibaba.
+
+---
+
+Index: tiff-3.9.4/libtiff/tif_getimage.c
+===
+--- tiff-3.9.4.orig/libtiff/tif_getimage.c
 tiff-3.9.4/libtiff/tif_getimage.c
+@@ -245,6 +245,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
+   int colorchannels;
+   uint16 *red_orig, *green_orig, *blue_orig;
+   int n_color;
++  
++  if( !TIFFRGBAImageOK(tif, emsg) )
++  return 0;
+ 
+   /* Initialize to normal values */
+   img->row_offset = 0;
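Review bot: the new early return sits above the "Initialize to normal values" block, so when TIFFRGBAImageOK() fails the img structure goes back to the caller with none of its fields set. Please check that nothing in the 3.9.4 tree calls TIFFRGBAImageEnd() or otherwise reads img after a failed TIFFRGBAImageBegin(), or move the check below the initialisation. The blank line added at the top of the hunk also carries trailing whitespace.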
+@@ -426,11 +429,29 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
+   "Planarconfiguration", planarconfig);
+   return (0);
+   }
++  if( img->samplesperpixel != 3 || colorchannels != 3 )
++  {
++  sprintf(emsg,
++  "Sorry, can not handle image 
with %s=%d, %s=%d",
++  "Samples/pixel", 
img->samplesperpixel,
++  "colorchannels", colorchannels);
++  return 0;
++  }
++
+   TIFFSetField(tif, TIFFTAG_SGILOGDATAFMT, 
SGILOGDATAFMT_8BIT);
+   img->photometric = PHOTOMETRIC_RGB; /* 
little white lie */
+   img->bitspersample = 8;
+   break;
+   case PHOTOMETRIC_CIELAB:
++  if( img->samplesperpixel != 3 || colorchannels != 3 || 
img->bitspersample != 8 )
++  {
++  sprintf(emsg,
++  "Sorry, can not handle image 
with %s=%d, %s=%d and %s=%d",
++  "Samples/pixel", 
img->samplesperpixel,
++  "colorchannels", colorchannels,
++  "Bits/sample", 
img->bitspersample);
++  return 0;
++  }
+   break;
+   default:
+   sprintf(emsg, "Sorry, can not handle image with %s=%d",
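Review bot: both new guards, the one ahead of the SGILOGDATAFMT call and the one in the PHOTOMETRIC_CIELAB case, refuse every image whose samplesperpixel is not exactly 3, and the CIELAB one also refuses anything other than 8 bits per sample. That matches the "unsupported values" wording in the commit message, but it is a user-visible behaviour change for a stable update: files with an extra sample are now rejected by the RGBA interface rather than decoded. It deserves a line in the changelog. The test run should also include valid 3-sample LogLuv and 8-bit CIELab files, to confirm they still decode, alongside the reproducers for the two CVEs.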
+@@ -2352,25 +2373,29 @@ PickContigCase(TIFFRGBAImage* img)
+   case PHOTOMETRIC_RGB:
+   switch (img->bitspersample) {
+   case 8:
+-  if (img->alpha == 
EXTRASAMPLE_ASSOCALPHA)
++  if (img->alpha == 
EXTRASAMPLE_ASSOCALPHA &&
++  img->samplesperpixel >= 4)
+   img->put.contig = 
putRGBAAcontig8bittile;
+-  else if (img->alpha == 
EXTRASAMPLE_UNASSALPHA)
++  else if (img->alpha == 
EXTRASAMPLE_UNASSALPHA &&
++   img->samplesperpixel 
>= 4)
+   {
+ img->put.contig = 
putRGBUAc
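Review bot: with both alpha branches now requiring img->samplesperpixel >= 4, an image that declares associated or unassociated alpha but has fewer samples falls through to whatever branch follows, and that part is cut off in the text above. Please check that the remaining non-alpha branch is guarded as well (at least three samples per pixel), and that when no branch matches, img->put.contig stays unset and the caller reports an error rather than using it.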