
Bug#693541: unblock: tiff/4.0.2-5



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package tiff 4.0.2-5, which includes a patch to address
CVE-2012-4564 and which closes RC bug #692345.

diff -Nru tiff-4.0.2/debian/changelog tiff-4.0.2/debian/changelog
--- tiff-4.0.2/debian/changelog	2012-10-05 17:39:16.000000000 -0400
+++ tiff-4.0.2/debian/changelog	2012-11-17 12:40:40.000000000 -0500
@@ -1,3 +1,10 @@
+tiff (4.0.2-5) unstable; urgency=high
+
+  * Add fix for CVE-2012-4564, a heap-buffer overflow.  Thanks Adrian La
+    Duca for doing all the work to prepare this upload.  (Closes: #692345)
+
+ -- Jay Berkenbilt <qjb@debian.org>  Sat, 17 Nov 2012 12:40:25 -0500
+
 tiff (4.0.2-4) unstable; urgency=high
 
   * Previous change was uploaded with the wrong CVE number.  I updated the
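Review bot: The 4.0.2-5 changelog entry describes the issue only as "a heap-buffer overflow" and does not name the affected component. The accompanying patch touches only tools/ppm2tiff.c, so the entry could say "heap-buffer overflow in ppm2tiff", which lets someone reading the changelog judge exposure without opening the patch.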
diff -Nru tiff-4.0.2/debian/patches/CVE-2012-4564.patch tiff-4.0.2/debian/patches/CVE-2012-4564.patch
--- tiff-4.0.2/debian/patches/CVE-2012-4564.patch	1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/CVE-2012-4564.patch	2012-11-17 12:39:17.000000000 -0500
@@ -0,0 +1,31 @@
+Index: tiff-4.0.2/tools/ppm2tiff.c
+===================================================================
+--- tiff-4.0.2.orig/tools/ppm2tiff.c	2010-04-10 15:22:34.000000000 -0400
++++ tiff-4.0.2/tools/ppm2tiff.c	2012-11-16 13:00:44.654825029 -0500
+@@ -89,6 +89,7 @@
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
++	tmsize_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -237,8 +238,16 @@
+ 	}
+ 	if (TIFFScanlineSize(out) > linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+-	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++	else {
++		scanline_size = TIFFScanlineSize(out);
++		if (scanline_size != 0)
++			buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++		else {
++			fprintf(stderr, "%s: scanline size overflow\n",infile);
++			(void) TIFFClose(out);
++			exit(-2);
++			}
++		}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
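Review bot: In the ppm2tiff.c hunk at line 237, the else branch stores TIFFScanlineSize(out) in scanline_size and tests it, but then calls TIFFScanlineSize(out) again for the allocation. Pass scanline_size to _TIFFmalloc so the value that was checked is the value that is used, and consider hoisting the assignment above the `if (TIFFScanlineSize(out) > linebytes)` comparison so the function is called once instead of three times. The first branch allocates linebytes, and nothing in the visible lines validates linebytes or checks the _TIFFmalloc return for NULL; it is worth confirming both are handled outside this hunk. The new braces at `+			}` and `+		}` are also indented inconsistently with the surrounding code. Finally, the patch file starts directly at the Index: line with no description header recording the origin and the bug it closes.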
diff -Nru tiff-4.0.2/debian/patches/series tiff-4.0.2/debian/patches/series
--- tiff-4.0.2/debian/patches/series	2012-10-05 17:07:54.000000000 -0400
+++ tiff-4.0.2/debian/patches/series	2012-11-17 12:39:17.000000000 -0500
@@ -1,3 +1,4 @@
 opengl.patch
 CVE-2012-3401.patch
 CVE-2012-4447.patch
+CVE-2012-4564.patch
