Your message dated Wed, 19 Jul 2023 18:13:24 +0100
with message-id 
<6532a164f2f72c66a8f64e39ac37db994fcb9281.ca...@adam-barratt.org.uk>
and subject line Re: Bug#1006551: bullseye-pu: package tiff/4.2.0-1+deb11u1
has caused the Debian Bug report #1006551,
regarding bullseye-pu: package tiff/4.2.0-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1006551: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006551
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian....@packages.debian.org
Tags: bullseye
Severity: normal

Hi RMs,

A security update of tiff for issues that do not warrant a DSA but would
still be good to have fixed.
Work done by Thorsten Alteholz that I've double checked. Debdiff is attached.

Thanks for consideration,
Laszlo/GCS
diff -Nru tiff-4.2.0/debian/changelog tiff-4.2.0/debian/changelog
--- tiff-4.2.0/debian/changelog	2020-12-21 15:06:46.000000000 +0100
+++ tiff-4.2.0/debian/changelog	2022-02-27 17:02:02.000000000 +0100
@@ -1,3 +1,20 @@
+tiff (4.2.0-1+deb11u1) bullseye; urgency=high
+
+  [ Thorsten Alteholz <deb...@alteholz.de> ]
+  * CVE-2022-22844
+    out-of-bounds read in _TIFFmemcpy in certain situations involving a
+    custom tag and 0x0200 as the second word of the DE field.
+  * CVE-2022-0562
+    Null source pointer passed as an argument to memcpy() function within
+    TIFFReadDirectory(). This could result in a Denial of Service via
+    crafted TIFF files.
+  * CVE-2022-0561
+    Null source pointer passed as an argument to memcpy() function within
+    TIFFFetchStripThing(). This could result in a Denial of Service via
+    crafted TIFF files.
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org>  Sun, 27 Feb 2022 17:02:02 +0100
+
 tiff (4.2.0-1) unstable; urgency=medium
 
   * New upstream release.
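Review bot: The three CVE entries in the new changelog stanza do not name the patch files that carry the fixes, and the CVE-2022-22844 entry does not say that the change lands in the tiffset tool (tools/tiffset.c in the patch further down) rather than in the library. Listing debian/patches/CVE-2022-0561.patch, CVE-2022-0562.patch and CVE-2022-22844.patch next to each entry would let a reader match the changelog to the diff. The stanza also sets urgency=high while the covering mail describes the issues as not warranting a DSA; worth confirming that is the intended urgency for a point-release upload.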
diff -Nru tiff-4.2.0/debian/patches/CVE-2022-0561.patch tiff-4.2.0/debian/patches/CVE-2022-0561.patch
--- tiff-4.2.0/debian/patches/CVE-2022-0561.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.2.0/debian/patches/CVE-2022-0561.patch	2022-02-27 16:57:51.000000000 +0100
@@ -0,0 +1,26 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.roua...@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: tiff-4.2.0/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.2.0.orig/libtiff/tif_dirread.c	2022-02-22 23:56:43.727328819 +0100
++++ tiff-4.2.0/libtiff/tif_dirread.c	2022-02-22 23:56:43.727328819 +0100
+@@ -5765,8 +5765,9 @@
+ 			_TIFFfree(data);
+ 			return(0);
+ 		}
+-                _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+-                _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++                if( dir->tdir_count )
++                        _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
++                _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+ 		_TIFFfree(data);
+ 		data=resizeddata;
+ 	}
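Review bot: The new guard only covers the _TIFFmemcpy call; the _TIFFmemset on the following line still computes (nstrips - (uint32)dir->tdir_count), and nothing in the visible context shows that tdir_count is bounded by nstrips. Please confirm from the enclosing condition that this subtraction cannot wrap. The memset line itself changes only in whitespace, which adds noise to a security backport, and the patch header has no DEP-3 Origin or Bug fields beyond the upstream commit in the From line.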
diff -Nru tiff-4.2.0/debian/patches/CVE-2022-0562.patch tiff-4.2.0/debian/patches/CVE-2022-0562.patch
--- tiff-4.2.0/debian/patches/CVE-2022-0562.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.2.0/debian/patches/CVE-2022-0562.patch	2022-02-27 16:57:51.000000000 +0100
@@ -0,0 +1,24 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.roua...@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: tiff-4.2.0/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.2.0.orig/libtiff/tif_dirread.c	2022-02-22 23:56:49.919326843 +0100
++++ tiff-4.2.0/libtiff/tif_dirread.c	2022-02-22 23:56:49.915326845 +0100
+@@ -4173,7 +4173,8 @@
+                     goto bad;
+                 }
+ 
+-                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++                if (old_extrasamples > 0)
++                    memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+                 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+                 _TIFFfree(new_sampleinfo);
+         }
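Review bot: The guard before memcpy at the 4173 hunk is written as "if (old_extrasamples > 0)" while the equivalent fix in CVE-2022-0561.patch uses "if( dir->tdir_count )"; both are correct, but a short comment here saying that td_sampleinfo may be NULL when old_extrasamples is zero would explain why the copy is conditional. Both this patch and CVE-2022-0561.patch cite "fixes #362" in their subject; noting in the header which CVE each commit maps to would avoid confusion when the patches are later refreshed.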
diff -Nru tiff-4.2.0/debian/patches/CVE-2022-22844.patch tiff-4.2.0/debian/patches/CVE-2022-22844.patch
--- tiff-4.2.0/debian/patches/CVE-2022-22844.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.2.0/debian/patches/CVE-2022-22844.patch	2022-02-27 16:57:51.000000000 +0100
@@ -0,0 +1,45 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augus...@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+---
+ tools/tiffset.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+Index: tiff-4.2.0/tools/tiffset.c
+===================================================================
+--- tiff-4.2.0.orig/tools/tiffset.c	2022-02-22 23:56:54.187325478 +0100
++++ tiff-4.2.0/tools/tiffset.c	2022-02-22 23:56:54.183325479 +0100
+@@ -32,6 +32,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ 
+ #include "tiffio.h"
+ 
+@@ -148,9 +149,19 @@
+ 
+             arg_index++;
+             if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+-                if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+-                    fprintf( stderr, "Failed to set %s=%s\n",
+-                             TIFFFieldName(fip), argv[arg_index] );
++                if(TIFFFieldPassCount( fip )) {
++                    size_t len;
++                    len = strlen(argv[arg_index]) + 1;
++                    if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
++                            (uint16)len, argv[arg_index]) != 1)
++                        fprintf( stderr, "Failed to set %s=%s\n",
++                            TIFFFieldName(fip), argv[arg_index] );
++                } else {
++                    if (TIFFSetField(tiff, TIFFFieldTag(fip),
++                            argv[arg_index]) != 1)
++                        fprintf( stderr, "Failed to set %s=%s\n",
++                            TIFFFieldName(fip), argv[arg_index] );
++                }
+             } else if (TIFFFieldWriteCount(fip) > 0
+ 		       || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+                 int     ret = 1;
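Review bot: In the new TIFFFieldPassCount branch, the single "Failed to set %s=%s" message is printed both when len exceeds UINT16_MAX and when TIFFSetField returns an error, so an over-long argument is indistinguishable from a library failure. A separate message for the length check would make the rejection clear to the user. The branch also compares against UINT16_MAX from stdint.h but casts with libtiff's own uint16 type; that works, though using one family of types consistently would read better.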
diff -Nru tiff-4.2.0/debian/patches/series tiff-4.2.0/debian/patches/series
--- tiff-4.2.0/debian/patches/series	2020-12-13 07:52:33.000000000 +0100
+++ tiff-4.2.0/debian/patches/series	2022-02-27 16:57:51.000000000 +0100
@@ -1 +1,5 @@
 fix_TIFFReadRawStrip_man_page_typo.patch
+
+CVE-2022-0561.patch
+CVE-2022-0562.patch
+CVE-2022-22844.patch
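Review bot: The series hunk adds an empty line between fix_TIFFReadRawStrip_man_page_typo.patch and the three new entries. quilt ignores blank lines, so this is harmless, but it can be dropped to keep the file minimal. Since CVE-2022-0561.patch and CVE-2022-0562.patch both touch libtiff/tif_dirread.c, please check that they apply cleanly in the listed order without fuzz.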

--- End Message ---
--- Begin Message ---
On Wed, 2023-07-19 at 16:58 +0800, Aron Xu wrote:
> Hi SRMs,
> 
> I think this can be closed since tiff already has the deb11u4 version
> in bullseye through a previous security update.
> 

Specifically, it looks like the proposed update was rolled into a
larger +deb11u1 update that went out via -security around the same time
that the pu request was acked.

Thanks for spotting; closing.

Regards,

Adam

--- End Message ---
