
Re: tiff and CVE-2016-10095



Hi Guido,

On Fri, Jun 02, 2017 at 12:29:29PM +0200, Guido Günther wrote:
> On Fri, Jun 02, 2017 at 11:02:06AM +0200, Moritz Muehlenhoff wrote:
> > On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote:
> > > Hi Moritz,
> > > I'm trying to figure out the reasoning for @51764. This marks tiff as
> > > affected by CVE-2016-10095. However from the upstream bug and the
> > > changes we made in wheezy it looks like the changes we made already are
> > > sufficient to fix the issue. Do you have a hint why you think this is
> > > not the case?
> > 
> > CVE-2016-10095 is the generic fix for the API. I'm not sure why that received 
> > a CVE ID, since it's not a vulnerability per se (which are in the call sites),
> > but it's not worth arguing and providing that in jessie might be useful for
> > building custom tools still.
> 
> But then again the fix for this should be in Wheezy already as far as I
> can tell. Raphael (since you provided the upstream patches for this), can
> you confirm?

The upload by Lazslo to unstable contains the following, which is upstream's
changelog entry:

    * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
    and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
    codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
    to behave differently depending on whether the codec is enabled or not, and
    thus can avoid stack based buffer overflows in a number of TIFF utilities
    such as tiffsplit, tiffcmp, thumbnail, etc.
    Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
    (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
    Fixes:
    http://bugzilla.maptools.org/show_bug.cgi?id=2580
    http://bugzilla.maptools.org/show_bug.cgi?id=2693
    http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
    http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
    http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
    http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
    http://bugzilla.maptools.org/show_bug.cgi?id=2441
    http://bugzilla.maptools.org/show_bug.cgi?id=2433

I have not cross-checked whether what is applied to wheezy fully corresponds to
Raphael's 0063-Handle-properly-CODEC-specific-tags.patch. If so, then yes, it
would be fixed already in wheezy.

Regards,
Salvatore
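The mechanism described in the quoted changelog, shown as an added, simplified model (not libtiff's code and not part of this thread): a tag that belongs to a disabled codec is dropped while the directory is read, so a later field lookup behaves the same whether or not the codec is compiled in. The codec names, tag numbers and function names below are constructed placeholders.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model of codec-specific tag handling; all values are constructed. */
typedef enum { CODEC_NONE = 0, CODEC_JPEG = 1, CODEC_PREDICTOR = 2 } codec_t;

typedef struct { uint16_t tag; codec_t codec; const char *name; } field_def;

/* Constructed field table: each tag and the codec it belongs to (CODEC_NONE = generic). */
static const field_def known_fields[] = {
    { 256, CODEC_NONE,      "ImageWidth" },
    { 900, CODEC_JPEG,      "HypotheticalJpegTag" },
    { 901, CODEC_PREDICTOR, "HypotheticalPredictorTag" },
};

typedef struct { uint16_t tag; uint32_t value; } dir_entry;
typedef struct { dir_entry entries[8]; int count; } directory;

static int codec_enabled(codec_t codec, unsigned enabled_mask) {
    return codec == CODEC_NONE || (enabled_mask & (1u << codec)) != 0;
}

/* Models the _TIFFCheckFieldIsValidForCodec() idea: a tag is acceptable when it is
 * not codec-specific, or when the codec that defines it is enabled. */
static int field_valid_for_codec(uint16_t tag, unsigned enabled_mask) {
    for (size_t i = 0; i < sizeof known_fields / sizeof known_fields[0]; i++)
        if (known_fields[i].tag == tag)
            return codec_enabled(known_fields[i].codec, enabled_mask);
    return 1; /* tags not in the table are outside the scope of this check */
}

/* Models TIFFReadDirectory() after the fix: fields that fail the check are ignored
 * at read time instead of being kept with whatever generic meaning they would get. */
static int read_directory(const dir_entry *raw, int n, unsigned enabled_mask, directory *out) {
    out->count = 0;
    for (int i = 0; i < n && out->count < 8; i++)
        if (field_valid_for_codec(raw[i].tag, enabled_mask))
            out->entries[out->count++] = raw[i];
    return out->count;
}

/* Models a TIFFGetField()-style lookup: 1 and the value when present, 0 otherwise. */
static int get_field(const directory *dir, uint16_t tag, uint32_t *value) {
    for (int i = 0; i < dir->count; i++)
        if (dir->entries[i].tag == tag) { *value = dir->entries[i].value; return 1; }
    return 0;
}
```

A utility calling get_field() therefore sees the codec-specific tag only when the codec is enabled; with the codec disabled the tag is absent rather than present under a different interpretation.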

