Attached is a patch to create tiff-3.9.4-5+squeeze2 from tiff-3.9.4-5+squeeze1. I have tested by building in unstable. While I'm certain that the patch applies, I was not able to reproduce the problem using the test case posted in upstream's bugzilla. In any case, I don't believe that's essential as the updated version clearly includes the accepted fix and otherwise works.
As indicated earlier, the patch is already included in 3.9.5, and the broken code did not exist prior to the OJPEG rewrite in 3.9.4, so only stable is affected. I close the bug in the changelog here so hopefully that will update the BTS's record of versions. I have already indicated that it is found in 3.9.4-5 and fixed in 3.9.5-1. --Jay
diff -urN ../tiff-3.9.4-5+squeeze1/debian/changelog ./debian/changelog --- ../tiff-3.9.4-5+squeeze1/debian/changelog 2011-04-02 12:15:50.000000000 -0400 +++ ./debian/changelog 2011-05-07 10:21:28.280277273 -0400 @@ -1,3 +1,9 @@ +tiff (3.9.4-5+squeeze2) stable-security; urgency=high + + * CVE-2009-5022: Buffer overflow in OJPEG support. (Closes: #624287) + + -- Jay Berkenbilt <[email protected]> Sat, 07 May 2011 10:21:28 -0400 + tiff (3.9.4-5+squeeze1) stable-security; urgency=high * CVE-2011-0192: Buffer overflow in Fax4Decode diff -urN ../tiff-3.9.4-5+squeeze1/debian/patches/CVE-2009-5022.patch ./debian/patches/CVE-2009-5022.patch --- ../tiff-3.9.4-5+squeeze1/debian/patches/CVE-2009-5022.patch 1969-12-31 19:00:00.000000000 -0500 +++ ./debian/patches/CVE-2009-5022.patch 2011-05-07 10:17:10.000000000 -0400 @@ -0,0 +1,24 @@ +Index: tiff-3.9.4-5+squeeze1/libtiff/tif_ojpeg.c +=================================================================== +--- tiff-3.9.4-5+squeeze1.orig/libtiff/tif_ojpeg.c 2011-05-07 10:17:04.560277368 -0400 ++++ tiff-3.9.4-5+squeeze1/libtiff/tif_ojpeg.c 2011-05-07 10:17:06.460777099 -0400 +@@ -1537,7 +1537,6 @@ + OJPEGReadSkip(sp,4); + else + { +- /* TODO: probably best to also add check on allowed upper bound, especially x, may cause buffer overflow otherwise i think */ + /* Y: Number of lines */ + if (OJPEGReadWord(sp,&p)==0) + return(0); +@@ -1555,6 +1554,11 @@ + TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data indicates unexpected width"); + return(0); + } ++ if ((uint32)p>sp->strile_width) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"JPEG compressed data image width exceeds expected image width"); ++ return(0); ++ } + sp->sof_x=p; + } + /* Nf: Number of image components in frame */ diff -urN ../tiff-3.9.4-5+squeeze1/debian/patches/series ./debian/patches/series --- ../tiff-3.9.4-5+squeeze1/debian/patches/series 2011-04-02 12:15:50.000000000 -0400 +++ ./debian/patches/series 2011-05-07 10:17:02.000000000 -0400 
@@ -6,3 +6,4 @@ fix-ycbcr-oob-read.patch CVE-2011-0192.patch CVE-2011-1167.patch +CVE-2009-5022.patch
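Review bot: the new debian/patches/CVE-2009-5022.patch begins directly at the "+Index: tiff-3.9.4-5+squeeze1/libtiff/tif_ojpeg.c" line with no description or origin header, so neither the upstream bugzilla reference nor Debian bug #624287 mentioned in the cover mail is recorded in the patch itself. Suggest prepending a DEP-3 style header (Description, Origin, Bug-Debian) before the Index: line so the provenance of the fix survives once it is in the source package.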
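Review bot: the check added in the second tif_ojpeg.c hunk, "if ((uint32)p>sp->strile_width)", bounds only the X (width) value, while the TODO comment the first hunk deletes asked for an upper-bound check on the dimensions generally ("especially x"); nothing visible in these hunks applies an equivalent comparison to the value read under "/* Y: Number of lines */". Before dropping that TODO, confirm that the Y value is bounded elsewhere in the function, or add the matching check so the comment's concern is fully addressed rather than just removed.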

