Bug#778923: unblock: tiff/4.0.3-12.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package tiff
It fixes most of the open security vulnerabilities (some are
still fixed upstream, but we should fix up what we have so far).
unblock tiff/4.0.3-12.1
diff -Nru tiff-4.0.3/debian/changelog tiff-4.0.3/debian/changelog
--- tiff-4.0.3/debian/changelog 2014-12-30 17:32:33.000000000 +0100
+++ tiff-4.0.3/debian/changelog 2015-02-21 13:07:45.000000000 +0100
@@ -1,3 +1,11 @@
+tiff (4.0.3-12.1) unstable; urgency=medium
+
+ * NMU as discussed with Ondrej, the future adopter of tiff
+ * Fix multiple security issues, exact details will be recorded in the
+ Debian security tracker
+
+ -- Moritz Muehlenhoff <jmm@debian.org> Sat, 21 Feb 2015 13:06:08 +0100
+
tiff (4.0.3-12) unstable; urgency=high
* Fix integer overflow in bmp2tiff. CVE-2014-9330. (Closes: #773987)
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8127-1.patch tiff-4.0.3/debian/patches/CVE-2014-8127-1.patch
--- tiff-4.0.3/debian/patches/CVE-2014-8127-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.0.3/debian/patches/CVE-2014-8127-1.patch 2015-02-21 13:05:27.000000000 +0100
@@ -0,0 +1,28 @@
+From 0782c759084daaf9e4de7ee6be7543081823455e Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 20:58:29 +0000
+Subject: [PATCH] * tools/tiff2bw.c: when Photometric=RGB, the utility only
+ works if SamplesPerPixel = 3. Enforce that
+ http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
+
+---
+ ChangeLog | 6 ++++++
+ tools/tiff2bw.c | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index 22467cd..94b8e31 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -171,6 +171,11 @@ main(int argc, char* argv[])
+ argv[optind], samplesperpixel);
+ return (-1);
+ }
++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
++ argv[optind], samplesperpixel);
++ return (-1);
++ }
+ TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
+ if (bitspersample != 8) {
+ fprintf(stderr,
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8127-2.patch tiff-4.0.3/debian/patches/CVE-2014-8127-2.patch
--- tiff-4.0.3/debian/patches/CVE-2014-8127-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.0.3/debian/patches/CVE-2014-8127-2.patch 2015-02-21 13:05:27.000000000 +0100
@@ -0,0 +1,40 @@
+From 3996fa0f84f4a8b7e65fe4b8f0681711022034ea Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 20:04:31 +0000
+Subject: [PATCH] * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling
+ TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not
+ worth the burden for those esoteric utilities.
+ http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
+
+---
+ ChangeLog | 7 +++++++
+ tools/pal2rgb.c | 2 +-
+ tools/thumbnail.c | 2 +-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index bfe7899..3fc3de3 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -372,7 +372,7 @@ static struct cpTag {
+ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_INKSET, 1, TIFF_SHORT },
+- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
+ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
+ { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
+ { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index c50bbff..73f9c34 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -257,7 +257,7 @@ static struct cpTag {
+ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_INKSET, 1, TIFF_SHORT },
+- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
++ /*{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
+ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
+ { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
+ { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8127-3.patch tiff-4.0.3/debian/patches/CVE-2014-8127-3.patch
--- tiff-4.0.3/debian/patches/CVE-2014-8127-3.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.0.3/debian/patches/CVE-2014-8127-3.patch 2015-02-21 13:05:27.000000000 +0100
@@ -0,0 +1,43 @@
+From 1f7359b00663804d96c3a102bcb6ead9812c1509 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Tue, 23 Dec 2014 10:15:35 +0000
+Subject: [PATCH] * libtiff/tif_read.c: fix several invalid comparisons of a
+ uint64 value with <= 0 by casting it to int64 first. This solves crashing bug
+ on corrupted images generated by afl.
+
+---
+ ChangeLog | 6 ++++++
+ libtiff/tif_read.c | 6 +++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 2ba822a..dfc5b07 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ return ((tmsize_t)(-1));
+ }
+ bytecount = td->td_stripbytecount[strip];
+- if (bytecount <= 0) {
++ if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%I64u: Invalid strip byte count, strip %lu",
+@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[strip];
+- if (bytecount <= 0) {
++ if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Invalid strip byte count %I64u, strip %lu",
+@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[tile];
+- if (bytecount <= 0) {
++ if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%I64u: Invalid tile byte count, tile %lu",
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8127-4.patch tiff-4.0.3/debian/patches/CVE-2014-8127-4.patch
--- tiff-4.0.3/debian/patches/CVE-2014-8127-4.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.0.3/debian/patches/CVE-2014-8127-4.patch 2015-02-21 13:05:27.000000000 +0100
@@ -0,0 +1,293 @@
+From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 15:15:31 +0000
+Subject: [PATCH] Fix various crasher bugs on fuzzed images. *
+ libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
+ TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
+ the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read
+ ColorMap or TransferFunction if BitsPerSample has not yet been read,
+ otherwise reading it later will cause user code to crash if BitsPerSample > 1
+ * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
+ SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample
+ != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
+ instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int
+ overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to
+ invalid tile count (should likely be checked by libtiff too). Detect invalid
+ settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB *
+ tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight *
+ tools/tiffdump.c: fix crash due to overflow of entry count.
+
+---
+ ChangeLog | 19 +++++++++++++++++++
+ libtiff/tif_dir.c | 21 +++++++++++++++++++--
+ libtiff/tif_dirread.c | 17 +++++++++++++++++
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ libtiff/tif_next.c | 2 ++
+ tools/bmp2tiff.c | 15 +++++++++++++++
+ tools/tiff2pdf.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ tools/tiffcrop.c | 7 ++++---
+ tools/tiffdump.c | 9 ++++++---
+ 9 files changed, 138 insertions(+), 8 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 98cf66d..ab43a28 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ TIFFDirectory* td = &tif->tif_dir;
+ int status = 1;
+ uint32 v32, i, v;
++ double dblval;
+ char* s;
+ const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
+ uint32 standard_tag = tag;
+@@ -284,10 +285,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
+ break;
+ case TIFFTAG_XRESOLUTION:
+- td->td_xresolution = (float) va_arg(ap, double);
++ dblval = va_arg(ap, double);
++ if( dblval < 0 )
++ goto badvaluedouble;
++ td->td_xresolution = (float) dblval;
+ break;
+ case TIFFTAG_YRESOLUTION:
+- td->td_yresolution = (float) va_arg(ap, double);
++ dblval = va_arg(ap, double);
++ if( dblval < 0 )
++ goto badvaluedouble;
++ td->td_yresolution = (float) dblval;
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -694,6 +701,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ va_end(ap);
+ }
+ return (0);
++badvaluedouble:
++ {
++ const TIFFField* fip=TIFFFieldWithTag(tif,tag);
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "%s: Bad value %f for \"%s\" tag",
++ tif->tif_name, dblval,
++ fip ? fip->field_name : "Unknown");
++ va_end(ap);
++ }
++ return (0);
+ }
+
+ /*
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 391c823..f66c9a7 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3430,6 +3430,8 @@ TIFFReadDirectory(TIFF* tif)
+ const TIFFField* fip;
+ uint32 fii=FAILED_FII;
+ toff_t nextdiroff;
++ int bitspersample_read = FALSE;
++
+ tif->tif_diroff=tif->tif_nextdiroff;
+ if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+ return 0; /* last offset or bad offset (IFD looping) */
+@@ -3706,6 +3708,8 @@ TIFFReadDirectory(TIFF* tif)
+ }
+ if (!TIFFSetField(tif,dp->tdir_tag,value))
+ goto bad;
++ if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
++ bitspersample_read = TRUE;
+ }
+ break;
+ case TIFFTAG_SMINSAMPLEVALUE:
+@@ -3763,6 +3767,19 @@ TIFFReadDirectory(TIFF* tif)
+ uint32 countrequired;
+ uint32 incrementpersample;
+ uint16* value=NULL;
++ /* It would be dangerous to instanciate those tag values */
++ /* since if td_bitspersample has not yet been read (due to */
++ /* unordered tags), it could be read afterwards with a */
++ /* values greater than the default one (1), which may cause */
++ /* crashes in user code */
++ if( !bitspersample_read )
++ {
++ fip = TIFFFieldWithTag(tif,dp->tdir_tag);
++ TIFFWarningExt(tif->tif_clientdata,module,
++ "Ignoring %s since BitsPerSample tag not found",
++ fip ? fip->field_name : "unknown tagname");
++ continue;
++ }
+ countpersample=(1L<<tif->tif_dir.td_bitspersample);
+ if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
+ {
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 074d32a..396ad08 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -182,8 +182,23 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
++ if( td->td_samplesperpixel != 3 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d",
++ "Samples/pixel", td->td_samplesperpixel);
++ return 0;
++ }
+ break;
+ case PHOTOMETRIC_CIELAB:
++ if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d and %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "Bits/sample", td->td_bitspersample);
++ return 0;
++ }
+ break;
+ default:
+ sprintf(emsg, "Sorry, can not handle image with %s=%d",
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index 55e2537..a53c716 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ default: {
+ uint32 npixels = 0, grey;
+ uint32 imagewidth = tif->tif_dir.td_imagewidth;
++ if( isTiled(tif) )
++ imagewidth = tif->tif_dir.td_tilewidth;
+
+ /*
+ * The scanline is composed of a sequence of constant
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index dfda963..f202b41 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1167,6 +1167,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
+ && (xuint16 == PLANARCONFIG_SEPARATE ) ){
+ TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
++ {
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid tile count, %s",
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
+ }
+ if( t2p->tiff_tiles[i].tiles_tilecount > 0){
+@@ -1552,6 +1561,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ #endif
+ break;
+ case PHOTOMETRIC_CIELAB:
++ if( t2p->tiff_samplesperpixel != 3){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Unsupported samplesperpixel = %d for CIELAB",
++ t2p->tiff_samplesperpixel);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ if( t2p->tiff_bitspersample != 8){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid bitspersample = %d for CIELAB",
++ t2p->tiff_bitspersample);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->pdf_labrange[0]= -127;
+ t2p->pdf_labrange[1]= 127;
+ t2p->pdf_labrange[2]= -127;
+@@ -1567,6 +1592,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ t2p->pdf_colorspace=T2P_CS_LAB;
+ break;
+ case PHOTOMETRIC_ITULAB:
++ if( t2p->tiff_samplesperpixel != 3){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Unsupported samplesperpixel = %d for ITULAB",
++ t2p->tiff_samplesperpixel);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ if( t2p->tiff_bitspersample != 8){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid bitspersample = %d for ITULAB",
++ t2p->tiff_bitspersample);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->pdf_labrange[0]=-85;
+ t2p->pdf_labrange[1]=85;
+ t2p->pdf_labrange[2]=-75;
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f5530bb..4088463 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ tsize_t tilesize = TIFFTileSize(out);
+ unsigned char *tilebuf = NULL;
+
+- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
++ return 1;
+
+ tile_buffsize = tilesize;
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
+diff --git a/tools/tiffdump.c b/tools/tiffdump.c
+index cf5d62f..8247765 100644
+--- a/tools/tiffdump.c
++++ b/tools/tiffdump.c
+@@ -374,6 +374,8 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
+ void* datamem;
+ uint64 dataoffset;
+ int datatruncated;
++ int datasizeoverflow;
++
+ tag = *(uint16*)dp;
+ if (swabflag)
+ TIFFSwabShort(&tag);
+@@ -412,13 +414,14 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
+ else
+ typewidth = datawidth[type];
+ datasize = count*typewidth;
++ datasizeoverflow = (typewidth > 0 && datasize / typewidth != count);
+ datafits = 1;
+ datamem = dp;
+ dataoffset = 0;
+ datatruncated = 0;
+ if (!bigtiff)
+ {
+- if (datasize>4)
++ if (datasizeoverflow || datasize>4)
+ {
+ uint32 dataoffset32;
+ datafits = 0;
+@@ -432,7 +435,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
+ }
+ else
+ {
+- if (datasize>8)
++ if (datasizeoverflow || datasize>8)
+ {
+ datafits = 0;
+ datamem = NULL;
+@@ -442,7 +445,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
+ }
+ dp += sizeof(uint64);
+ }
+- if (datasize>0x10000)
++ if (datasizeoverflow || datasize>0x10000)
+ {
+ datatruncated = 1;
+ count = 0x10000/typewidth;
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8128-1.patch tiff-4.0.3/debian/patches/CVE-2014-8128-1.patch
--- tiff-4.0.3/debian/patches/CVE-2014-8128-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.0.3/debian/patches/CVE-2014-8128-1.patch 2015-02-21 13:05:27.000000000 +0100
@@ -0,0 +1,30 @@
+From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 19:53:59 +0000
+Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write
+ http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
+
+---
+ ChangeLog | 5 +++++
+ tools/thumbnail.c | 8 +++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fab63f6..c50bbff 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -568,7 +568,13 @@ setImage1(const uint8* br, uint32 rw, uint32 rh)
+ err -= limit;
+ sy++;
+ if (err >= limit)
+- rows[nrows++] = br + bpr*sy;
++ {
++ /* We should perhaps error loudly, but I can't make sense of that */
++ /* code... */
++ if( nrows == 256 )
++ break;
++ rows[nrows++] = br + bpr*sy;
++ }
+ }
+ setrow(row, nrows, rows);
+ row += tnw;
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8128-2.patch tiff-4.0.3/debian/patches/CVE-2014-8128-2.patch
--- tiff-4.0.3/debian/patches/CVE-2014-8128-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.0.3/debian/patches/CVE-2014-8128-2.patch 2015-02-21 13:05:27.000000000 +0100
@@ -0,0 +1,81 @@
+From 8b6e80fca434525497e5a31c3309a3bab5b3c1c8 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 18:52:42 +0000
+Subject: [PATCH] * tools/thumbnail.c, tools/tiffcmp.c: only read/write
+ TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is
+ COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4
+ http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
+
+---
+ ChangeLog | 7 +++++++
+ tools/thumbnail.c | 21 ++++++++++++++++++++-
+ tools/tiffcmp.c | 17 +++++++++++++++--
+ 3 files changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index a98a881..fab63f6 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -274,7 +274,26 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ /* Horrible: but TIFFGetField() expects 2 arguments to be passed */
++ /* if we request a tag that is defined in a codec, but that codec */
++ /* isn't used */
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c
+index 508a461..d6392af 100644
+--- a/tools/tiffcmp.c
++++ b/tools/tiffcmp.c
+@@ -260,6 +260,7 @@ tiffcmp(TIFF* tif1, TIFF* tif2)
+ static int
+ cmptags(TIFF* tif1, TIFF* tif2)
+ {
++ uint16 compression1, compression2;
+ CmpLongField(TIFFTAG_SUBFILETYPE, "SubFileType");
+ CmpLongField(TIFFTAG_IMAGEWIDTH, "ImageWidth");
+ CmpLongField(TIFFTAG_IMAGELENGTH, "ImageLength");
+@@ -276,8 +277,20 @@ cmptags(TIFF* tif1, TIFF* tif2)
+ CmpShortField(TIFFTAG_SAMPLEFORMAT, "SampleFormat");
+ CmpFloatField(TIFFTAG_XRESOLUTION, "XResolution");
+ CmpFloatField(TIFFTAG_YRESOLUTION, "YResolution");
+- CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
+- CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
++ compression1 == COMPRESSION_CCITTFAX3 &&
++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
++ compression2 == COMPRESSION_CCITTFAX3 )
++ {
++ CmpLongField(TIFFTAG_GROUP3OPTIONS, "Group3Options");
++ }
++ if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
++ compression1 == COMPRESSION_CCITTFAX4 &&
++ TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
++ compression2 == COMPRESSION_CCITTFAX4 )
++ {
++ CmpLongField(TIFFTAG_GROUP4OPTIONS, "Group4Options");
++ }
+ CmpShortField(TIFFTAG_RESOLUTIONUNIT, "ResolutionUnit");
+ CmpShortField(TIFFTAG_PLANARCONFIG, "PlanarConfiguration");
+ CmpLongField(TIFFTAG_ROWSPERSTRIP, "RowsPerStrip");
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8128-3.patch tiff-4.0.3/debian/patches/CVE-2014-8128-3.patch
--- tiff-4.0.3/debian/patches/CVE-2014-8128-3.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.0.3/debian/patches/CVE-2014-8128-3.patch 2015-02-21 13:08:16.000000000 +0100
@@ -0,0 +1,32 @@
+From 266bc48054b018a2f1d74562aa48eb2f509436d5 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 17:36:36 +0000
+Subject: [PATCH] * tools/tiff2pdf.c: check return code of TIFFGetField() when
+ reading TIFFTAG_SAMPLESPERPIXEL
+
+---
+ ChangeLog | 5 +++++
+ tools/tiff2pdf.c | 10 +++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+Index: tiff-4.0.3/tools/tiff2pdf.c
+===================================================================
+--- tiff-4.0.3.orig/tools/tiff2pdf.c
++++ tiff-4.0.3/tools/tiff2pdf.c
+@@ -1164,7 +1164,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
+ t2p->tiff_pages[i].page_tilecount;
+ if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
+ && (xuint16 == PLANARCONFIG_SEPARATE ) ){
+- TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
++ if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) )
++ {
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Missing SamplesPerPixel, %s",
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
+ {
+ TIFFError(
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-8129.patch tiff-4.0.3/debian/patches/CVE-2014-8129.patch
--- tiff-4.0.3/debian/patches/CVE-2014-8129.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.0.3/debian/patches/CVE-2014-8129.patch 2015-02-21 13:05:27.000000000 +0100
@@ -0,0 +1,43 @@
+From cd82b5267ad4c10eb91e4ee8a716a81362cf851c Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sun, 21 Dec 2014 18:07:48 +0000
+Subject: [PATCH] * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
+
+---
+ ChangeLog | 5 +++++
+ libtiff/tif_next.c | 17 +++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index a53c716..d834196 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -141,10 +141,27 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ return (0);
+ }
+
++static int
++NeXTPreDecode(TIFF* tif, uint16 s)
++{
++ static const char module[] = "NeXTPreDecode";
++ TIFFDirectory *td = &tif->tif_dir;
++ (void)s;
++
++ if( td->td_bitspersample != 2 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
++ td->td_bitspersample);
++ return (0);
++ }
++ return (1);
++}
++
+ int
+ TIFFInitNeXT(TIFF* tif, int scheme)
+ {
+ (void) scheme;
++ tif->tif_predecode = NeXTPreDecode;
+ tif->tif_decoderow = NeXTDecode;
+ tif->tif_decodestrip = NeXTDecode;
+ tif->tif_decodetile = NeXTDecode;
diff -Nru tiff-4.0.3/debian/patches/CVE-2014-9655.patch tiff-4.0.3/debian/patches/CVE-2014-9655.patch
--- tiff-4.0.3/debian/patches/CVE-2014-9655.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-4.0.3/debian/patches/CVE-2014-9655.patch 2015-02-21 13:05:27.000000000 +0100
@@ -0,0 +1,86 @@
+From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Mon, 29 Dec 2014 12:09:11 +0000
+Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't
+ read outside of the compressed input stream buffer.
+
+* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
+---
+ ChangeLog | 9 +++++++++
+ libtiff/tif_getimage.c | 12 +++++++-----
+ libtiff/tif_next.c | 4 +++-
+ 3 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a4f46d9..3ad8ee7 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+
+ (void) y;
+ fromskew = (fromskew * 10) / 4;
+- if ((h & 3) == 0 && (w & 1) == 0) {
++ if ((w & 3) == 0 && (h & 1) == 0) {
+ for (; h >= 2; h -= 2) {
+ x = w>>2;
+ do {
+@@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+ /* XXX adjust fromskew */
+ do {
+ x = w>>2;
+- do {
++ while(x>0) {
+ int32 Cb = pp[4];
+ int32 Cr = pp[5];
+
+@@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+
+ cp += 4;
+ pp += 6;
+- } while (--x);
++ x--;
++ }
+
+ if( (w&3) != 0 )
+ {
+@@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ fromskew = (fromskew * 4) / 2;
+ do {
+ x = w>>1;
+- do {
++ while(x>0) {
+ int32 Cb = pp[2];
+ int32 Cr = pp[3];
+
+@@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+
+ cp += 2;
+ pp += 4;
+- } while (--x);
++ x --;
++ }
+
+ if( (w&1) != 0 )
+ {
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index d834196..dd669cc 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
+ return (0);
+ }
+- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
+ n = *bp++, cc--;
+ switch (n) {
+ case LITERALROW:
+@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ * The scanline has a literal span that begins at some
+ * offset.
+ */
++ if( cc < 4 )
++ goto bad;
+ off = (bp[0] * 256) + bp[1];
+ n = (bp[2] * 256) + bp[3];
+ if (cc < 4+n || off+n > scanline)
diff -Nru tiff-4.0.3/debian/patches/series tiff-4.0.3/debian/patches/series
--- tiff-4.0.3/debian/patches/series 2014-12-30 17:32:33.000000000 +0100
+++ tiff-4.0.3/debian/patches/series 2015-02-21 13:11:07.000000000 +0100
@@ -8,3 +8,12 @@
CVE-2013-4243.patch
jpeg-colorspace.patch
CVE-2014-9330.patch
+CVE-2014-8127-1.patch
+CVE-2014-8127-2.patch
+CVE-2014-8127-3.patch
+CVE-2014-8127-4.patch
+CVE-2014-8128-1.patch
+CVE-2014-8128-2.patch
+CVE-2014-8128-3.patch
+CVE-2014-8129.patch
+CVE-2014-9655.patch
Reply to: