
Re: Bug#373854: libtiff-tools: DSA 1091-1 broke tiffsplit



Christoph Biedl wrote...

> Package: libtiff-tools
> Version: 3.7.2-5
> Severity: important

Let me elaborate on that.

How to repeat:

Use tiffsplit to split an arbitrary .tiff file:
| tiffsplit foo.tif foo.
This should result in a file named foo.aaa.tif (and foo.aab.tif and so on
if the .tiff contains more than one page). Since DSA 1091-1 a single
file "D" is created instead.

What goes wrong:

tiffsplit composes the name of the created file using the submitted
"prefix" with the serial appended (this is in fname) and the extension
".tif". The resulting name is written to "path".

Prior to DSA 1091-1 the vulnerable code was
| strcpy(path, fname);
| strcat(path, ".tif");

This was changed to
| snprintf(fname, sizeof(fname), "%s.tif", fname);
but should obviously be
| snprintf(path, sizeof(path), "%s.tif", fname);
and was discussed so in #369819.

Currently, in the subsequent
| out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
"path" is not defined; the file name is whatever is on the stack at the
time of "path"'s creation.

How to fix:
Exchange the corresponding line in debian/patches/CVE-2006-2656.patch.
Works for me.

    Christoph
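The three variants of the name construction discussed above, side by side, as an added example (not libtiff's or the Debian patch's code). It reproduces the unbounded strcpy/strcat form that DSA 1091-1 replaced, and the bounded form the patch should have used, with a truncation check. Note that the DSA's actual line, snprintf(fname, sizeof(fname), "%s.tif", fname), is also undefined behaviour in its own right because source and destination overlap, independently of "path" never being written. The buffer sizes and the three-letter base-26 serial generator are assumptions that mimic tiffsplit's foo.aaa.tif, foo.aab.tif naming; they are not copied from tiffsplit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes; tiffsplit uses fixed-size stack buffers, but the real
 * values are not taken from libtiff. */
#define PREFIX_BUF 1024
#define PATH_BUF   1024

/* Build "<prefix><serial>" in fname, where serial is a three-letter
 * base-26 counter ("aaa", "aab", ..., "aba", ...) like tiffsplit's page
 * names. Returns 0 on success, -1 if the page number would not fit in
 * three letters or the result would not fit in fname. */
int split_name(char *fname, size_t fname_len, const char *prefix, unsigned page)
{
    char serial[4];
    serial[2] = (char)('a' + page % 26); page /= 26;
    serial[1] = (char)('a' + page % 26); page /= 26;
    serial[0] = (char)('a' + page % 26); page /= 26;
    serial[3] = '\0';
    if (page != 0)
        return -1;                  /* more than 26^3 pages: serial would wrap */

    int n = snprintf(fname, fname_len, "%s%s", prefix, serial);
    if (n < 0 || (size_t)n >= fname_len)
        return -1;                  /* truncated */
    return 0;
}

/* The pre-DSA construction: no bound on path, the overflow the advisory
 * addressed. Kept only to show the "before"; do not use. */
void path_unbounded(char *path, const char *fname)
{
    strcpy(path, fname);
    strcat(path, ".tif");
}

/* The bounded form the patch should have used: destination is path,
 * source is fname (no overlap), and truncation is detected instead of
 * silently opening a wrong name. Returns 0 on success, -1 on truncation. */
int path_bounded(char *path, size_t path_len, const char *fname)
{
    int n = snprintf(path, path_len, "%s.tif", fname);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    return 0;
}

int main(void)
{
    char fname[PREFIX_BUF];
    char path[PATH_BUF];

    /* Names for the first three pages of "tiffsplit foo.tif foo." */
    for (unsigned page = 0; page < 3; page++) {
        if (split_name(fname, sizeof fname, "foo.", page) == 0 &&
            path_bounded(path, sizeof path, fname) == 0)
            printf("page %u -> %s\n", page, path);
    }

    /* Constructed over-long prefix: the bounded form refuses, the
     * unbounded form would have written past the end of path. */
    char small[8];
    if (path_bounded(small, sizeof small, "foo.aaa") == -1)
        printf("\"foo.aaa.tif\" does not fit in %zu bytes, refused\n", sizeof small);
    return 0;
}
```

The check `(size_t)n >= path_len` is the one a reviewer should look for whenever strcpy/strcat is replaced by snprintf: the bound stops the overflow, but without inspecting the return value a too-long prefix still yields a silently truncated output name.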


