Bug#1006551: bullseye-pu: package tiff/4.2.0-1+deb11u1

2023-07-19 Thread Aron Xu
Hi SRMs,

I think this can be closed since tiff already has the deb11u4 version
in bullseye through a previous security update.

Regards,
Aron



Processed: Re: Bug#1006551: bullseye-pu: package tiff/4.2.0-1+deb11u1

2022-03-19 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1006551 [release.debian.org] bullseye-pu: package tiff/4.2.0-1+deb11u1
Added tag(s) confirmed.

-- 
1006551: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006551
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1006551: bullseye-pu: package tiff/4.2.0-1+deb11u1

2022-03-19 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2022-02-27 at 18:01 +0100, László Böszörményi wrote:
> A security update of tiff for issues that do not warrant a DSA but
> would still be good to have fixed.
> Work done by Thorsten Alteholz that I've double checked. Debdiff is
> attached.
> 

Please go ahead.

Regards,

Adam



Bug#1006551: bullseye-pu: package tiff/4.2.0-1+deb11u1

2022-02-27 Thread GCS
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: bullseye
Severity: normal

Hi RMs,

A security update of tiff for issues that do not warrant a DSA but would
still be good to have fixed.
Work done by Thorsten Alteholz that I've double checked. Debdiff is attached.

Thanks for consideration,
Laszlo/GCS
diff -Nru tiff-4.2.0/debian/changelog tiff-4.2.0/debian/changelog
--- tiff-4.2.0/debian/changelog	2020-12-21 15:06:46.0 +0100
+++ tiff-4.2.0/debian/changelog	2022-02-27 17:02:02.0 +0100
@@ -1,3 +1,20 @@
+tiff (4.2.0-1+deb11u1) bullseye; urgency=high
+
+  [ Thorsten Alteholz  ]
+  * CVE-2022-22844
+out-of-bounds read in _TIFFmemcpy in certain situations involving a
+custom tag and 0x0200 as the second word of the DE field.
+  * CVE-2022-0562
+Null source pointer passed as an argument to memcpy() function within
+TIFFReadDirectory(). This could result in a Denial of Service via
+crafted TIFF files.
+  * CVE-2022-0561
+Null source pointer passed as an argument to memcpy() function within
+TIFFFetchStripThing(). This could result in a Denial of Service via
+crafted TIFF files.
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 27 Feb 2022 17:02:02 +0100
+
 tiff (4.2.0-1) unstable; urgency=medium
 
   * New upstream release.
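Review bot: The CVE-2022-22844 entry in the new changelog stanza names only `_TIFFmemcpy`, while the patch shipped for it is titled "tiffset: fix global-buffer-overflow for ASCII tags where count is required" and touches tools/tiffset.c. State in the entry that the fix is in the tiffset tool, so readers can tell which binary is affected. Adding the upstream issue numbers from the patch headers (#362, #355) to the three entries would also make them traceable.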
diff -Nru tiff-4.2.0/debian/patches/CVE-2022-0561.patch tiff-4.2.0/debian/patches/CVE-2022-0561.patch
--- tiff-4.2.0/debian/patches/CVE-2022-0561.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.2.0/debian/patches/CVE-2022-0561.patch	2022-02-27 16:57:51.0 +0100
@@ -0,0 +1,26 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: tiff-4.2.0/libtiff/tif_dirread.c
+===
+--- tiff-4.2.0.orig/libtiff/tif_dirread.c	2022-02-22 23:56:43.727328819 +0100
 tiff-4.2.0/libtiff/tif_dirread.c	2022-02-22 23:56:43.727328819 +0100
+@@ -5765,8 +5765,9 @@
+ 			_TIFFfree(data);
+ 			return(0);
+ 		}
+-_TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+-_TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++if( dir->tdir_count )
++_TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
++_TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+ 		_TIFFfree(data);
+ 		data=resizeddata;
+ 	}
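Review bot: The new guard tests `dir->tdir_count` uncast, while the copy length on the next line uses `(uint32)dir->tdir_count`; test the same cast value so the guard and the length cannot disagree. The `_TIFFmemset` that follows stays unconditional, so with a zero count it clears all `nstrips` entries of `resizeddata`, which looks intended and deserves a short comment. The rewritten `_TIFFmemset` line differs from the removed one only in spacing; for a stable update the change would be easier to audit with that line left untouched.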
diff -Nru tiff-4.2.0/debian/patches/CVE-2022-0562.patch tiff-4.2.0/debian/patches/CVE-2022-0562.patch
--- tiff-4.2.0/debian/patches/CVE-2022-0562.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.2.0/debian/patches/CVE-2022-0562.patch	2022-02-27 16:57:51.0 +0100
@@ -0,0 +1,24 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: tiff-4.2.0/libtiff/tif_dirread.c
+===
+--- tiff-4.2.0.orig/libtiff/tif_dirread.c	2022-02-22 23:56:49.919326843 +0100
 tiff-4.2.0/libtiff/tif_dirread.c	2022-02-22 23:56:49.915326845 +0100
+@@ -4173,7 +4173,8 @@
+ goto bad;
+ }
+ 
+-memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++if (old_extrasamples > 0)
++memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(>tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
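Review bot: The guard `if (old_extrasamples > 0)` before the `memcpy` assumes that a nonzero count always comes with a non-null `tif->tif_dir.td_sampleinfo`, and nothing in the hunk establishes that. Either test the pointer as well, or add a comment or assertion stating the invariant, since the patch subject is specifically about a null source pointer reaching memcpy().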
diff -Nru tiff-4.2.0/debian/patches/CVE-2022-22844.patch tiff-4.2.0/debian/patches/CVE-2022-22844.patch
--- tiff-4.2.0/debian/patches/CVE-2022-22844.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.2.0/debian/patches/CVE-2022-22844.patch	2022-02-27 16:57:51.0 +0100
@@ -0,0 +1,45 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus 
+Date: Tue, 25 Jan 2022 16:25:28 +
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+---
+ tools/tiffset.c | 16 +---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+Index: tiff-4.2.0/tools/tiffset.c
+===
+--- tiff-4.2.0.orig/tools/tiffset.c	2022-02-22 23:56:54.187325478 +0100