Bug#1006550: buster-pu: package tiff/4.1.0+git191117-2~deb10u4

2022-08-05 Thread Adam D. Barratt 
On Sat, 2022-03-19 at 16:43 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2022-02-27 at 18:01 +0100, László Böszörményi wrote:
> > A security update of tiff for issues not warrant a DSA but still
> > would
> > be good to have fixed.
> > 
> 
> Please go ahead; thanks.

Ping? We're in the process of organising the final point release for
buster, as support for it transitions over to the LTS team, so if you
would still like to fix it via pu then the upload needs to happen soon.

Regards,

Adam

Processed: Re: Bug#1006550: buster-pu: package tiff/4.1.0+git191117-2~deb10u4

2022-03-19 Thread Debian Bug Tracking System 
Processing control commands:

> tags -1 + confirmed
Bug #1006550 [release.debian.org] buster-pu: package 
tiff/4.1.0+git191117-2~deb10u4
Added tag(s) confirmed.

-- 
1006550: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006550
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1006550: buster-pu: package tiff/4.1.0+git191117-2~deb10u4

2022-03-19 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Sun, 2022-02-27 at 18:01 +0100, László Böszörményi wrote:
> A security update of tiff for issues not warrant a DSA but still
> would
> be good to have fixed.
> 

Please go ahead; thanks.

Regards,

Adam

Bug#1006550: buster-pu: package tiff/4.1.0+git191117-2~deb10u4

2022-02-27 Thread GCS 
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: buster
Severity: normal

Hi RMs,

A security update of tiff for issues not warrant a DSA but still would
be good to have fixed.
Work done by Thorsten Alteholz that I've double checked. Debdiff is attached.

Thanks for consideration,
Laszlo/GCS
diff -Nru tiff-4.1.0+git191117/debian/changelog tiff-4.1.0+git191117/debian/changelog
--- tiff-4.1.0+git191117/debian/changelog	2021-10-31 09:31:11.0 +0100
+++ tiff-4.1.0+git191117/debian/changelog	2022-02-27 17:01:41.0 +0100
@@ -1,3 +1,20 @@
+tiff (4.1.0+git191117-2~deb10u4) buster; urgency=high
+
+  [ Thorsten Alteholz  ]
+  * CVE-2022-22844
+out-of-bounds read in _TIFFmemcpy in certain situations involving a 
+custom tag and 0x0200 as the second word of the DE field.
+  * CVE-2022-0562
+Null source pointer passed as an argument to memcpy() function within 
+TIFFReadDirectory(). This could result in a Denial of Service via
+crafted TIFF files.
+  * CVE-2022-0561
+Null source pointer passed as an argument to memcpy() function within 
+TIFFFetchStripThing(). This could result in a Denial of Service via 
+crafted TIFF files.
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 27 Feb 2022 17:01:41 +0100
+
 tiff (4.1.0+git191117-2~deb10u3) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch	2022-02-27 16:58:38.0 +0100
@@ -0,0 +1,26 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dirread.c
+===
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c	2022-02-22 23:44:35.619605527 +0100
 tiff-4.1.0+git191117/libtiff/tif_dirread.c	2022-02-22 23:46:28.843560813 +0100
+@@ -5682,8 +5682,9 @@
+ 			_TIFFfree(data);
+ 			return(0);
+ 		}
+-_TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+-_TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++if( dir->tdir_count )
++_TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
++_TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+ 		_TIFFfree(data);
+ 		data=resizeddata;
+ 	}
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch	2022-02-27 16:58:38.0 +0100
@@ -0,0 +1,24 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dirread.c
+===
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c	2022-02-22 23:46:41.891555692 +0100
 tiff-4.1.0+git191117/libtiff/tif_dirread.c	2022-02-22 23:48:35.983511234 +0100
+@@ -4126,7 +4126,8 @@
+ goto bad;
+ }
+ 
+-memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++if (old_extrasamples > 0)
++memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(>tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch	2022-02-27 16:58:38.0 +0100
@@ -0,0 +1,45 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus 
+Date: Tue, 25 Jan 2022 16:25:28 +
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+---
+