Your message dated Sat, 15 Dec 2012 19:44:21 +0100 with message-id <20121215184421.GA26230@radis.cristau.org> and subject line Re: Bug#695988: unblock: tiff3/3.9.6-10 has caused the Debian Bug report #695988, regarding unblock: tiff3/3.9.6-10 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
695988: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695988
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: tiff3/3.9.6-10
- From: Jay Berkenbilt <qjb@debian.org>
- Date: Sat, 15 Dec 2012 06:34:14 -0500
- Message-id: <20121215063414.0460232258.qww314159@soup>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package tiff3

This version of tiff3 addresses CVE-2012-5581 and closes RC bug 694693. The only change is the inclusion of the patch, which was prepared by the Ubuntu security team and was backported from upstream CVS by the Red Hat Security team. Debdiff attached.

unblock tiff3/3.9.6-10

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru tiff3-3.9.6/debian/changelog tiff3-3.9.6/debian/changelog --- tiff3-3.9.6/debian/changelog 2012-10-05 17:32:44.000000000 -0400 +++ tiff3-3.9.6/debian/changelog 2012-12-15 06:13:58.000000000 -0500 @@ -1,3 +1,11 @@ +tiff3 (3.9.6-10) unstable; urgency=high + + * Add fix for CVE-2012-5581, reimplementing DOTRANGE handling to make it + safer. Thanks to Red Hat security team for backporting the fix. + (Closes: #694693) + + -- Jay Berkenbilt <qjb@debian.org> Sat, 15 Dec 2012 06:04:00 -0500 + tiff3 (3.9.6-9) unstable; urgency=high * Previous change was uploaded with the wrong CVE number. I updated the diff -Nru tiff3-3.9.6/debian/patches/CVE-2012-5581.patch tiff3-3.9.6/debian/patches/CVE-2012-5581.patch --- tiff3-3.9.6/debian/patches/CVE-2012-5581.patch 1969-12-31 19:00:00.000000000 -0500 +++ tiff3-3.9.6/debian/patches/CVE-2012-5581.patch 2012-12-15 05:59:34.000000000 -0500 
@@ -0,0 +1,324 @@ +Author: Frank Warmerdam <warmerdam@google.com> +Description: * libtiff/tif_dir.c, tif_print.c : Remove FIELD_CUSTOM handling + for PAGENUMBER, HALFTONEHINTS, and YCBCRSUBSAMPLING. Implement DOTRANGE + differently. This is to avoid using special TIFFGetField/TIFFSetField rules + for these fields in non-image directories (like EXIF). + +Back-ported patch from upstream CVS by Huzaifa S. Sidhpurwala of Red Hat +Security Response Team. + +https://bugzilla.redhat.com/show_bug.cgi?id=867235 +https://bugzilla.redhat.com/attachment.cgi?id=640578 + +Index: tiff3-3.9.6/libtiff/tif_dir.c +=================================================================== +--- tiff3-3.9.6.orig/libtiff/tif_dir.c 2010-07-08 12:17:59.000000000 -0400 ++++ tiff3-3.9.6/libtiff/tif_dir.c 2012-12-15 05:59:21.869364661 -0500 +@@ -493,94 +493,90 @@ + status = 0; + goto end; + } ++ if (fip->field_tag == TIFFTAG_DOTRANGE ++ && strcmp(fip->field_name,"DotRange") == 0) { ++ /* TODO: This is an evil exception and should not have been ++ handled this way ... 
likely best if we move it into ++ the directory structure with an explicit field in ++ libtiff 4.1 and assign it a FIELD_ value */ ++ uint16 v[2]; ++ v[0] = (uint16)va_arg(ap, int); ++ v[1] = (uint16)va_arg(ap, int); ++ _TIFFmemcpy(tv->value, &v, 4); ++ } ++ ++ else if (fip->field_passcount ++ || fip->field_writecount == TIFF_VARIABLE ++ || fip->field_writecount == TIFF_VARIABLE2 ++ || fip->field_writecount == TIFF_SPP ++ || tv->count > 1) { + +- if ((fip->field_passcount +- || fip->field_writecount == TIFF_VARIABLE +- || fip->field_writecount == TIFF_VARIABLE2 +- || fip->field_writecount == TIFF_SPP +- || tv->count > 1) +- && fip->field_tag != TIFFTAG_PAGENUMBER +- && fip->field_tag != TIFFTAG_HALFTONEHINTS +- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING +- && fip->field_tag != TIFFTAG_DOTRANGE) { + _TIFFmemcpy(tv->value, va_arg(ap, void *), + tv->count * tv_size); + } else { +- /* +- * XXX: The following loop required to handle +- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS, +- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags. +- * These tags are actually arrays and should be passed as +- * array pointers to TIFFSetField() function, but actually +- * passed as a list of separate values. This behaviour +- * must be changed in the future! 
+- */ +- int i; ++ assert( tv->count == 1 ); + char *val = (char *)tv->value; +- +- for (i = 0; i < tv->count; i++, val += tv_size) { +- switch (fip->field_type) { +- case TIFF_BYTE: +- case TIFF_UNDEFINED: +- { +- uint8 v = (uint8)va_arg(ap, int); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_SBYTE: +- { +- int8 v = (int8)va_arg(ap, int); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_SHORT: +- { +- uint16 v = (uint16)va_arg(ap, int); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_SSHORT: +- { +- int16 v = (int16)va_arg(ap, int); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_LONG: +- case TIFF_IFD: +- { +- uint32 v = va_arg(ap, uint32); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_SLONG: +- { +- int32 v = va_arg(ap, int32); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_RATIONAL: +- case TIFF_SRATIONAL: +- case TIFF_FLOAT: +- { +- float v = (float)va_arg(ap, double); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- case TIFF_DOUBLE: +- { +- double v = va_arg(ap, double); +- _TIFFmemcpy(val, &v, tv_size); +- } +- break; +- default: +- _TIFFmemset(val, 0, tv_size); +- status = 0; +- break; ++ switch (fip->field_type) { ++ case TIFF_BYTE: ++ case TIFF_UNDEFINED: ++ { ++ uint8 v = (uint8)va_arg(ap, int); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_SBYTE: ++ { ++ int8 v = (int8)va_arg(ap, int); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_SHORT: ++ { ++ uint16 v = (uint16)va_arg(ap, int); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_SSHORT: ++ { ++ int16 v = (int16)va_arg(ap, int); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_LONG: ++ case TIFF_IFD: ++ { ++ uint32 v = va_arg(ap, uint32); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_SLONG: ++ { ++ int32 v = va_arg(ap, int32); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_RATIONAL: ++ case TIFF_SRATIONAL: ++ case TIFF_FLOAT: 
++ { ++ float v = (float)va_arg(ap, double); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ case TIFF_DOUBLE: ++ { ++ double v = va_arg(ap, double); ++ _TIFFmemcpy(val, &v, tv_size); ++ } ++ break; ++ default: ++ _TIFFmemset(val, 0, tv_size); ++ status = 0; ++ break; + } + } + } + } +- } + } + if (status) { + TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); +@@ -868,75 +864,76 @@ + *va_arg(ap, uint16*) = (uint16)tv->count; + *va_arg(ap, void **) = tv->value; + ret_val = 1; ++ } else if (fip->field_tag == TIFFTAG_DOTRANGE ++ && strcmp(fip->field_name,"DotRange") == 0) { ++ /* TODO: This is an evil exception and should not have been ++ handled this way ... likely best if we move it into ++ the directory structure with an explicit field in ++ libtiff 4.1 and assign it a FIELD_ value */ ++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0]; ++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1]; ++ ret_val = 1; + } else { +- if ((fip->field_type == TIFF_ASCII ++ if (fip->field_type == TIFF_ASCII + || fip->field_readcount == TIFF_VARIABLE + || fip->field_readcount == TIFF_VARIABLE2 + || fip->field_readcount == TIFF_SPP +- || tv->count > 1) +- && fip->field_tag != TIFFTAG_PAGENUMBER +- && fip->field_tag != TIFFTAG_HALFTONEHINTS +- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING +- && fip->field_tag != TIFFTAG_DOTRANGE) { ++ || tv->count > 1) { + *va_arg(ap, void **) = tv->value; + ret_val = 1; + } else { +- int j; + char *val = (char *)tv->value; +- +- for (j = 0; j < tv->count; +- j++, val += _TIFFDataSize(tv->info->field_type)) { +- switch (fip->field_type) { +- case TIFF_BYTE: +- case TIFF_UNDEFINED: +- *va_arg(ap, uint8*) = +- *(uint8 *)val; +- ret_val = 1; +- break; +- case TIFF_SBYTE: +- *va_arg(ap, int8*) = +- *(int8 *)val; +- ret_val = 1; +- break; +- case TIFF_SHORT: +- *va_arg(ap, uint16*) = +- *(uint16 *)val; +- ret_val = 1; +- break; +- case TIFF_SSHORT: +- *va_arg(ap, int16*) = +- *(int16 *)val; +- ret_val = 1; +- break; +- case TIFF_LONG: +- case 
TIFF_IFD: +- *va_arg(ap, uint32*) = +- *(uint32 *)val; +- ret_val = 1; +- break; +- case TIFF_SLONG: +- *va_arg(ap, int32*) = +- *(int32 *)val; +- ret_val = 1; +- break; +- case TIFF_RATIONAL: +- case TIFF_SRATIONAL: +- case TIFF_FLOAT: +- *va_arg(ap, float*) = +- *(float *)val; +- ret_val = 1; +- break; +- case TIFF_DOUBLE: +- *va_arg(ap, double*) = +- *(double *)val; +- ret_val = 1; +- break; +- default: +- ret_val = 0; +- break; +- } +- } +- } ++ assert( tv->count == 1 ); ++ switch (fip->field_type) { ++ case TIFF_BYTE: ++ case TIFF_UNDEFINED: ++ *va_arg(ap, uint8*) = ++ *(uint8 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_SBYTE: ++ *va_arg(ap, int8*) = ++ *(int8 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_SHORT: ++ *va_arg(ap, uint16*) = ++ *(uint16 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_SSHORT: ++ *va_arg(ap, int16*) = ++ *(int16 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_LONG: ++ case TIFF_IFD: ++ *va_arg(ap, uint32*) = ++ *(uint32 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_SLONG: ++ *va_arg(ap, int32*) = ++ *(int32 *)val; ++ ret_val = 1; ++ break; ++ case TIFF_RATIONAL: ++ case TIFF_SRATIONAL: ++ case TIFF_FLOAT: ++ *va_arg(ap, float*) = ++ *(float *)val; ++ ret_val = 1; ++ break; ++ case TIFF_DOUBLE: ++ *va_arg(ap, double*) = ++ *(double *)val; ++ ret_val = 1; ++ break; ++ default: ++ ret_val = 0; ++ break; ++ } ++ } + } + break; + } diff -Nru tiff3-3.9.6/debian/patches/series tiff3-3.9.6/debian/patches/series --- tiff3-3.9.6/debian/patches/series 2012-10-05 17:06:25.000000000 -0400 +++ tiff3-3.9.6/debian/patches/series 2012-12-15 05:59:34.000000000 -0500 @@ -4,3 +4,4 @@ CVE-2012-2088.patch CVE-2012-3401.patch CVE-2012-4447.patch +CVE-2012-5581.patch
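Review bot: The header of the new debian/patches/CVE-2012-5581.patch names both libtiff/tif_dir.c and tif_print.c in its Description, but the only Index: section shown in this debdiff is tiff3-3.9.6/libtiff/tif_dir.c. If the tif_print.c part of the upstream change was intentionally left out of the backport, the header should say so, so that a later reader comparing against upstream CVS does not assume the whole change was applied.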
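Review bot: In the tif_dir.c hunk at @@ -493,94 +493,90 @@ (the set path), the new DotRange branch copies with a hardcoded length, `_TIFFmemcpy(tv->value, &v, 4);`, and nothing in the branch ties that length to the size of the buffer behind tv->value. Use sizeof(v) rather than 4 and check tv->count == 2 before the copy, setting status = 0 otherwise. In the fallback branch the added `assert( tv->count == 1 );` sits ahead of the `char *val` declaration, which is a declaration after a statement for C89 compilers, and the assert disappears under NDEBUG; a runtime check that sets status = 0 would keep the guard in release builds.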
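Review bot: The DotRange branch added in the tif_dir.c hunk at @@ -868,75 +864,76 @@ (the get path) reads `((uint16 *)tv->value)[0]` and `((uint16 *)tv->value)[1]` without checking that the stored value holds two uint16 entries; the only guards are the tag number and the strcmp on the field name. Add a tv->count == 2 check before dereferencing and leave ret_val at 0 when it fails. With the PAGENUMBER, HALFTONEHINTS and YCBCRSUBSAMPLING exclusions removed from the condition, a custom entry for those tags with tv->count > 1 is now returned through `*va_arg(ap, void **) = tv->value;` instead of as separate values, which changes what callers have to pass for them and deserves a sentence in the patch description or changelog. The added `assert( tv->count == 1 );` has the same NDEBUG concern as in the set path.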
--- End Message ---
--- Begin Message ---
- To: Jay Berkenbilt <qjb@debian.org>, 695988-done@bugs.debian.org
- Subject: Re: Bug#695988: unblock: tiff3/3.9.6-10
- From: Julien Cristau <jcristau@debian.org>
- Date: Sat, 15 Dec 2012 19:44:21 +0100
- Message-id: <20121215184421.GA26230@radis.cristau.org>
- In-reply-to: <20121215063414.0460232258.qww314159@soup>
- References: <20121215063414.0460232258.qww314159@soup>
On Sat, Dec 15, 2012 at 06:34:14 -0500, Jay Berkenbilt wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package tiff3
>
Done.

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature
--- End Message ---