I applied the fix for this CVE. Patch attached.
However, then I found out I can't reproduce the bug under Debian/Jessie,
with or without the security update.
Version 4.0.3-12.3+deb8u7 in Jessie+security:
(jessie-i386-default)root@silverfish:/home/brian/tree/debian/lts/packages/tiff/tiff-4.0.3# tiff2bw /tmp/poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
TIFFScanlineSize: Integer arithmetic overflow.
TIFFReadDirectory: Cannot handle zero scanline size.
(jessie-i386-default)root@silverfish:/home/brian/tree/debian/lts/packages/tiff/tiff-4.0.3# echo $?
255
4.0.3-12.3+deb8u8 with patch applied:
(jessie-amd64-default)root@silverfish:/tmp/brian/tmpz5ka6n27/build/amd64# tiff2bw /tmp/poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes).
TIFFWriteDirectoryTagData: IO error writing tag data.
(jessie-amd64-default)root@silverfish:/tmp/brian/tmpz5ka6n27/build/amd64# echo $?
0
Diff attached. So I suspect this security issue may have already been
fixed.
However, it looks like this patch might also fix some out-of-memory
conditions. So maybe worth applying regardless.
Kind of troubling that it returns a 0 exit code after the patch.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/