I've fixed this libtiff-tools problem.  The problem is fixed in
3.8.2-3 (which I am about to upload) and in 3.7.2-5.  Attached is a
patch that brings 3.7.2-4 to 3.7.2-5.  I haven't built or tested it
under sarge, but I have verified that the 3.7.2-5 package as created
by this patch in debian/patches applies cleanly.  (Nested patches.
Hooray.)  Please let me know if there's anything else I need to do.

-- 
Jay Berkenbilt <[EMAIL PROTECTED]>

diff -urN tiff-3.7.2.orig/debian/changelog tiff-3.7.2/debian/changelog
--- tiff-3.7.2.orig/debian/changelog	2006-06-01 21:33:48.587122666 -0400
+++ tiff-3.7.2/debian/changelog	2006-06-01 21:32:30.206036908 -0400
@@ -1,3 +1,14 @@
+tiff (3.7.2-5) stable-security; urgency=high
+
+  * SECURITY UPDATE: Arbitrary command execution with crafted long file
+    names.  Thanks to Martin Pitt for forwarding this.
+    Add debian/patches/tiffsplit-fname-overflow.patch:
+    - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
+      user-specified file name into a statically sized buffer.
+    CVE-2006-2656
+
+ -- Jay Berkenbilt <[EMAIL PROTECTED]>  Thu,  1 Jun 2006 21:24:21 -0400
+
 tiff (3.7.2-4) stable-security; urgency=high
 
   * Backported upstream patches to fix out-of-bounds read
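Review bot: The changelog bullet "Use snprintf instead of strcpy for copying the user-specified file name into a statically sized buffer" only describes half of tiffsplit-fname-overflow.patch; the patch also replaces the strcpy/strcat pair that builds `path` from `fname` plus ".tif". Consider listing both buffers (e.g. "- tools/tiffsplit.c: Use snprintf for both the fname and path buffers") so the changelog matches what the patch touches.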
diff -urN tiff-3.7.2.orig/debian/patches/tiffsplit-fname-overflow.patch tiff-3.7.2/debian/patches/tiffsplit-fname-overflow.patch
--- tiff-3.7.2.orig/debian/patches/tiffsplit-fname-overflow.patch	1969-12-31 19:00:00.000000000 -0500
+++ tiff-3.7.2/debian/patches/tiffsplit-fname-overflow.patch	2006-06-01 21:31:34.679060386 -0400
@@ -0,0 +1,19 @@
+--- tiff-3.7.2/tools/tiffsplit.c.orig	2004-06-05 04:11:26.000000000 -0400
++++ tiff-3.7.2/tools/tiffsplit.c	2006-06-01 21:31:17.464237849 -0400
+@@ -54,14 +54,13 @@
+ 		return (-3);
+ 	}
+ 	if (argc > 2)
+-		strcpy(fname, argv[2]);
++		snprintf(fname, sizeof(fname), "%s", argv[2]);
+ 	in = TIFFOpen(argv[1], "r");
+ 	if (in != NULL) {
+ 		do {
+ 			char path[1024+1];
+ 			newfilename();
+-			strcpy(path, fname);
+-			strcat(path, ".tif");
++			snprintf(path, sizeof(path), "%s.tif", fname);
+ 			out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
+ 			if (out == NULL)
+ 				return (-2);
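Review bot: Both snprintf calls stop the overflow but truncate silently, and neither return value is checked. Since `path` is only `1024+1` bytes and the format appends ".tif" to whatever fits in `fname`, a long name that fills `fname` yields an output path with a clipped suffix and the tool carries on as if nothing happened; consider comparing the snprintf result against `sizeof(path)` (and `sizeof(fname)`) and reporting an error instead of proceeding with a truncated name. Note also that `sizeof(fname)` is only correct if `fname` is declared as an array in this scope rather than a pointer; the hunk does not show its declaration, so that is worth confirming.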
