I applied the fix for this CVE. Patch attached.
However, then I found out I can't reproduce the bug under Debian/Jessie, with or without the security update. Version 4.0.3-12.3+deb8u7 in Jessie+security: (jessie-i386-default)root@silverfish:/home/brian/tree/debian/lts/packages/tiff/tiff-4.0.3# tiff2bw /tmp/poc /dev/null TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered. TIFFScanlineSize: Integer arithmetic overflow. TIFFReadDirectory: Cannot handle zero scanline size. (jessie-i386-default)root@silverfish:/home/brian/tree/debian/lts/packages/tiff/tiff-4.0.3# echo $? 255 4.0.3-12.3+deb8u8 with patch applied: (jessie-amd64-default)root@silverfish:/tmp/brian/tmpz5ka6n27/build/amd64# tiff2bw /tmp/poc /dev/null TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered. LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes). TIFFWriteDirectoryTagData: IO error writing tag data. (jessie-amd64-default)root@silverfish:/tmp/brian/tmpz5ka6n27/build/amd64# echo $? 0 Diff attached. So I suspect this security issue may have already been fixed. However, it looks like this patch might also have fixed some out-of-memory conditions, so it may be worth applying regardless. Kind of troubling that it returns a 0 exit code after the patch. -- Brian May <[email protected]> https://linuxpenguins.xyz/brian/
diff -Nru tiff-4.0.3/debian/changelog tiff-4.0.3/debian/changelog
--- tiff-4.0.3/debian/changelog 2018-10-28 22:03:02.000000000 +1100
+++ tiff-4.0.3/debian/changelog 2018-11-07 17:11:57.000000000 +1100
@@ -1,3 +1,12 @@
+tiff (4.0.3-12.3+deb8u8) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2018-18661
+ Fix NULL pointer dereference in the function LZWDecode in the file
+ tif_lzw.c.
+
+ -- Brian May <[email protected]> Wed, 07 Nov 2018 17:11:57 +1100
+
 tiff (4.0.3-12.3+deb8u7) jessie-security; urgency=high
 
 * Non-maintainer upload by the LTS Team.
diff -Nru tiff-4.0.3/debian/patches/CVE-2018-18661.patch tiff-4.0.3/debian/patches/CVE-2018-18661.patch
--- tiff-4.0.3/debian/patches/CVE-2018-18661.patch 1970-01-01 10:00:00.000000000 +1000
+++ tiff-4.0.3/debian/patches/CVE-2018-18661.patch 2018-11-07 17:11:57.000000000 +1100
@@ -0,0 +1,72 @@
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -40,6 +40,7 @@
+ #endif
+ 
+ #include "tiffio.h"
++#include "tiffiop.h"
+ 
+ #define streq(a,b) (strcmp((a),(b)) == 0)
+ #define strneq(a,b,n) (strncmp(a,b,n) == 0)
+@@ -214,6 +215,11 @@
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
+ outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ if( !outbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ return (-1);
++ }
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+ 
+@@ -237,6 +243,11 @@
+ #undef CVT
+ }
+ inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ return (-1);
++ }
+ for (row = 0; row < h; row++) {
+ if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ break;
+@@ -247,6 +258,11 @@
+ break;
+ case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
+ inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ return (-1);
++ }
+ for (row = 0; row < h; row++) {
+ if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ break;
+@@ -256,8 +272,16 @@
+ }
+ break;
+ case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
++ {
++ tmsize_t inbufsize;
+ rowsize = TIFFScanlineSize(in);
+- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
++ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
++ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ return (-1);
++ }
+ for (row = 0; row < h; row++) {
+ for (s = 0; s < 3; s++)
+ if (TIFFReadScanline(in,
+@@ -269,6 +293,7 @@
+ break;
+ }
+ break;
++ }
+ }
+ #undef pack
+ TIFFClose(out);
diff -Nru tiff-4.0.3/debian/patches/series tiff-4.0.3/debian/patches/series
--- tiff-4.0.3/debian/patches/series 2018-10-28 22:03:02.000000000 +1100
+++ tiff-4.0.3/debian/patches/series 2018-11-07 17:11:10.000000000 +1100
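Review bot: In the PLANARCONFIG_SEPARATE branch, TIFFSafeMultiply yields 0 when 3*rowsize overflows, and a zero-byte request only becomes NULL if _TIFFmalloc rejects it (not visible here; a plain malloc(0) may return a non-NULL pointer), so the new `if( !inbuf )` check does not reliably catch the overflow it was added for and the following TIFFReadScanline loop, whose arguments are cut off by the hunk, would read into a zero-sized buffer; test the size explicitly, `if( inbufsize == 0 || !inbuf )`. The same gap applies to the three `_TIFFmalloc(TIFFScanlineSize(...))` sites in this patch: the first transcript in the mail shows TIFFScanlineSize reporting "Integer arithmetic overflow" and libtiff treating a zero scanline size as an error, so storing that size in a tmsize_t and rejecting 0 before allocating would close them too. Each new error path also returns -1 without closing `in` and `out`; that matches the surrounding tool code, but a short comment such as `/* handles are reclaimed at process exit; output file may be left incomplete */` would make the intent explicit. The enclosing function (main) starts and ends outside the hunk.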
@@ -80,3 +80,4 @@ CVE-2018-17100-17101.patch CVE-2018-18557.patch +CVE-2018-18661.patch
