Hi,
I have an updated package ready to fix this.
The patch for it is attached.
It will also be archived at:
http://people.debian.org/~nion/nmu-diff/tk8.3-8.3.5-9_8.3.5-9.1.patch
I will wait a few days before uploading this as an NMU; feel free to upload
an update yourself using CVE-2007-5378.diff.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u tk8.3-8.3.5/debian/changelog tk8.3-8.3.5/debian/changelog
--- tk8.3-8.3.5/debian/changelog
+++ tk8.3-8.3.5/debian/changelog
@@ -1,3 +1,11 @@
+tk8.3 (8.3.5-9.1) unstable; urgency=high
+
+ * Non-maintainer upload by testing security team.
+ * Included CVE-2007-5378.diff to fix overflow triggered
+ by crafted gif file (CVE-2007-5378) (Closes: #446465).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sat, 13 Oct 2007 11:40:22 +0200
+
tk8.3 (8.3.5-9) unstable; urgency=high
* Applied patch by Nico Golde which fixes security vulnerability
diff -u tk8.3-8.3.5/debian/patches/series tk8.3-8.3.5/debian/patches/series
--- tk8.3-8.3.5/debian/patches/series
+++ tk8.3-8.3.5/debian/patches/series
@@ -1,4 +1,5 @@
gif.diff
+CVE-2007-5378.diff
fonts.diff
scalable-fonts.diff
canvpoly.diff
only in patch2:
unchanged:
--- tk8.3-8.3.5.orig/debian/patches/CVE-2007-5378.diff
+++ tk8.3-8.3.5/debian/patches/CVE-2007-5378.diff
@@ -0,0 +1,72 @@
+--- tk8.3-8.3.5~/generic/tkImgGIF.c 2007-10-13 11:54:19.000000000 +0200
++++ tk8.3-8.3.5/generic/tkImgGIF.c 2007-10-13 11:59:30.000000000 +0200
+@@ -240,7 +240,7 @@
+ int srcX, srcY; /* Coordinates of top-left pixel to be used
+ * in image being read. */
+ {
+- int fileWidth, fileHeight;
++ int fileWidth, fileHeight, imageWidth, imageHeight;
+ int nBytes, index = 0, argc = 0, i;
+ Tcl_Obj **objv;
+ Tk_PhotoImageBlock block;
+@@ -372,8 +372,8 @@
+ goto error;
+ }
+
+- fileWidth = LM_to_uint(buf[4],buf[5]);
+- fileHeight = LM_to_uint(buf[6],buf[7]);
++ imageWidth = LM_to_uint(buf[4],buf[5]);
++ imageHeight = LM_to_uint(buf[6],buf[7]);
+
+ bitPixel = 1<<((buf[8]&0x07)+1);
+
+@@ -409,8 +409,8 @@
+ * marginally improve the speed of the less frequent case, I chose
+ * to maintain high performance for the common case.
+ */
+- if (ReadImage(interp, (char *) trashBuffer, chan, fileWidth,
+- fileHeight, colorMap, 0, 0, 0, 0, 0, -1) != TCL_OK) {
++ if (ReadImage(interp, (char *) trashBuffer, chan, imageWidth,
++ imageHeight, colorMap, 0, 0, 0, 0, 0, -1) != TCL_OK) {
+ goto error;
+ }
+ continue;
+@@ -436,8 +436,8 @@
+ srcX = 0;
+ }
+
+- if (width > fileWidth) {
+- width = fileWidth;
++ if (width > imageWidth) {
++ width = imageWidth;
+ }
+
+ index = LM_to_uint(buf[2],buf[3]);
+@@ -446,8 +446,8 @@
+ destY -= srcY; height += srcY;
+ srcY = 0;
+ }
+- if (height > fileHeight) {
+- height = fileHeight;
++ if (height > imageHeight) {
++ height = imageHeight;
+ }
+
+ if ((width <= 0) || (height <= 0)) {
+@@ -459,12 +459,12 @@
+ block.height = height;
+ block.pixelSize = (transparent>=0) ? 4 : 3;
+ block.offset[3] = (transparent>=0) ? 3 : 0;
+- block.pitch = block.pixelSize * width;
+- nBytes = block.pitch * height;
++ block.pitch = block.pixelSize * imageWidth;
++ nBytes = block.pitch * imageHeight;
+ block.pixelPtr = (unsigned char *) ckalloc((unsigned) nBytes);
+
+- if (ReadImage(interp, (char *) block.pixelPtr, chan, width,
+- height, colorMap, fileWidth, fileHeight, srcX, srcY,
++ if (ReadImage(interp, (char *) block.pixelPtr, chan, imageWidth,
++ imageHeight, colorMap, fileWidth, fileHeight, srcX, srcY,
+ BitSet(buf[8], INTERLACE), transparent) != TCL_OK) {
+ goto error;
+ }
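Review bot: The buffer size at `nBytes = block.pitch * imageHeight;` is computed in `int` arithmetic from imageWidth and imageHeight, which are taken directly from the file's image descriptor, and nothing in the hunk bounds the product before `ckalloc((unsigned) nBytes)`. If LM_to_uint yields a 16-bit value for each (its definition is outside the hunk), `pixelSize * imageWidth * imageHeight` can exceed INT_MAX, so the allocation could end up smaller than the imageWidth x imageHeight area that ReadImage is then asked to fill. I would reject such frames before allocating, e.g. `if (block.pitch > INT_MAX / imageHeight) { goto error; }`, which needs `<limits.h>` and relies on imageHeight being positive once the clipped height has passed the `height <= 0` test (presumably that branch bails out; its body is not shown). A short comment above the allocation, such as `/* Sized for the full frame handed to ReadImage, not the clipped width x height. */`, would also explain why block.pitch no longer matches block.width. The enclosing function starts and ends outside the hunk, so whether the later put-block call accounts for the new pitch and the srcX/srcY offset cannot be confirmed from here.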