Bug#774235: unblock: tiff/4.0.3-12
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package tiff
This is a narrowly targeted fix from upstream for CVE-2014-9330. It
changes only bmp2tiff, one of the tools that is part of libtiff-tools.
Although the bug was not created as RC, other similar bugs that only
affect tools in libtiff-tools have been classified as RC, and this fixes
a security issue with an assigned CVE number, so I think it would be
best if it goes through.
debdiff attached.
unblock tiff/4.0.3-12
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru tiff-4.0.3/debian/changelog tiff-4.0.3/debian/changelog
--- tiff-4.0.3/debian/changelog 2014-12-23 15:52:13.000000000 -0500
+++ tiff-4.0.3/debian/changelog 2014-12-30 11:32:33.000000000 -0500
@@ -1,3 +1,9 @@
+tiff (4.0.3-12) unstable; urgency=high
+
+ * Fix integer overflow in bmp2tiff. CVE-2014-9330. (Closes: #773987)
+
+ -- Jay Berkenbilt <qjb@debian.org> Tue, 30 Dec 2014 11:32:04 -0500
+
tiff (4.0.3-11) unstable; urgency=medium
* Don't crash on JPEG => non-JPEG conversion (Closes: #741451)
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-9330.patch tiff-4.0.3/debian/patches/CVE-2014-9330.patch
--- tiff-4.0.3/debian/patches/CVE-2014-9330.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.3/debian/patches/CVE-2014-9330.patch 2014-12-30 11:32:33.000000000 -0500
@@ -0,0 +1,45 @@
+Description: CVE-2014-9330
+ Integer overflow in bmp2tiff
+Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
+Bug-Debian: http://bugs.debian.org/773987
+
+Index: tiff/tools/bmp2tiff.c
+===================================================================
+--- tiff.orig/tools/bmp2tiff.c
++++ tiff/tools/bmp2tiff.c
+@@ -1,4 +1,4 @@
+-/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $
++/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $
+ *
+ * Project: libtiff tools
+ * Purpose: Convert Windows BMP files in TIFF.
+@@ -403,6 +403,13 @@ main(int argc, char* argv[])
+
+ width = info_hdr.iWidth;
+ length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
++ if( width <= 0 || length <= 0 )
++ {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file" );
++ close(fd);
++ return -1;
++ }
+
+ switch (info_hdr.iBitCount)
+ {
+@@ -593,6 +600,14 @@ main(int argc, char* argv[])
+
+ compr_size = file_hdr.iSize - file_hdr.iOffBits;
+ uncompr_size = width * length;
++ /* Detect int overflow */
++ if( uncompr_size / width != length )
++ {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file" );
++ close(fd);
++ return -1;
++ }
+ comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
+ if (!comprbuf) {
+ TIFFError(infilename,
diff -Nru tiff-4.0.3/debian/patches/series tiff-4.0.3/debian/patches/series
--- tiff-4.0.3/debian/patches/series 2014-12-23 15:52:13.000000000 -0500
+++ tiff-4.0.3/debian/patches/series 2014-12-30 11:32:33.000000000 -0500
@@ -7,3 +7,4 @@
CVE-2013-4244.patch
CVE-2013-4243.patch
jpeg-colorspace.patch
+CVE-2014-9330.patch
Reply to: