Re: tiff and CVE-2016-10095
Hi Raphael,

On Tue, Jun 06, 2017 at 12:05:14PM +0200, Raphael Hertzog wrote:
> Hi,
>
> On Fri, 02 Jun 2017, Guido Günther wrote:
> > > but it's not worth arguing and providing that in jessie might be useful for
> > > building custom tools still.
> >
> > But then again the fix for this should be in Wheezy already as far as I
> > can tell. Raphael (since you provided the upstream patches for this), can
> > you confirm?
>
> I looked quickly at the upstream patch that got added. While it's based
> on some of my code, the approach retained by upstream is really different
> to what I did.
>
> The real fix of most CVEs for me was to add CODEC-specific tags to the
> global table so that they are known and treated correctly
> (0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch). The
> _TIFFCheckFieldIsValidForCodec() function that I added was used to filter
> out tags during write that were invalid in the context of the
> CODEC in use (this was done to fix a regression introduced by my former
> fix).
>
> Now upstream reused my _TIFFCheckFieldIsValidForCodec() but he uses
> it during "read" of pictures and not during write and he did not add the
> CODEC-specific tags to the global list of known tags.
>
> So while I believe that we are covered in terms of already reported CVEs,
> I also believe that it would be sane to replace our own fixes by
> upstream's fix and confirm that the already fixed CVEs are still
> properly fixed.

Thanks for having a look. So the current status is fine, we treat wheezy
as affected but wait until more urgent issues pile up.

Cheers,
 -- Guido
Re: tiff and CVE-2016-10095
Hi,

On Fri, 02 Jun 2017, Guido Günther wrote:
> > but it's not worth arguing and providing that in jessie might be useful for
> > building custom tools still.
>
> But then again the fix for this should be in Wheezy already as far as I
> can tell. Raphael (since you provided the upstream patches for this), can
> you confirm?

I looked quickly at the upstream patch that got added. While it's based
on some of my code, the approach retained by upstream is really different
to what I did.

The real fix of most CVEs for me was to add CODEC-specific tags to the
global table so that they are known and treated correctly
(0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch). The
_TIFFCheckFieldIsValidForCodec() function that I added was used to filter
out tags during write that were invalid in the context of the
CODEC in use (this was done to fix a regression introduced by my former
fix).

Now upstream reused my _TIFFCheckFieldIsValidForCodec() but he uses
it during "read" of pictures and not during write and he did not add the
CODEC-specific tags to the global list of known tags.

So while I believe that we are covered in terms of already reported CVEs,
I also believe that it would be sane to replace our own fixes by
upstream's fix and confirm that the already fixed CVEs are still
properly fixed.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: tiff and CVE-2016-10095
Hi Guido,

On Fri, Jun 02, 2017 at 12:29:29PM +0200, Guido Günther wrote:
> On Fri, Jun 02, 2017 at 11:02:06AM +0200, Moritz Muehlenhoff wrote:
> > On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote:
> > > Hi Moritz,
> > > I'm trying to figure out the reasoning for @51764. This marks tiff as
> > > affected by CVE-2016-10095. However from the upstream bug and the
> > > changes we made in wheezy it looks like the changes we made already are
> > > sufficient to fix the issue. Do you have a hint why you think this is
> > > not the case?
> >
> > CVE-2016-10095 is the generic fix for the API. I'm not sure why that received
> > a CVE ID, since it's not a vulnerability per se (which are in the call sites),
> > but it's not worth arguing and providing that in jessie might be useful for
> > building custom tools still.
>
> But then again the fix for this should be in Wheezy already as far as I
> can tell. Raphael (since you provided the upstream patches for this), can
> you confirm?

The upload by Lazslo to unstable contains the following, which is
upstream's changelog entry:

        * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
        and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
        codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
        behaving differently depending on whether the codec is enabled or not, and
        thus can avoid stack based buffer overflows in a number of TIFF utilities
        such as tiffsplit, tiffcmp, thumbnail, etc.
        Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
        (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
        Fixes:
        http://bugzilla.maptools.org/show_bug.cgi?id=2580
        http://bugzilla.maptools.org/show_bug.cgi?id=2693
        http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
        http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
        http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
        http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
        http://bugzilla.maptools.org/show_bug.cgi?id=2441
        http://bugzilla.maptools.org/show_bug.cgi?id=2433

I have not cross-checked what is applied to wheezy and whether it fully
corresponds to Raphael's 0063-Handle-properly-CODEC-specific-tags.patch.
If so then yes it would be fixed already in wheezy.

Regards,
Salvatore
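The read-time filter that the changelog entry above describes, as an added example that is not libtiff's code and not part of this thread: a small field table records which Compression value each codec-specific tag belongs to, a check in the role of _TIFFCheckFieldIsValidForCodec() rejects tags for a codec that is not the one selected by the directory, and the directory reader drops those entries before any TIFFGetField()-style lookup can see them. The tag numbers and Compression values are the standard TIFF ones, but the codec associations in the table, the reduced IFD entry layout, the two-pass read, the counters and the two sample directories are this example's assumptions, and the check is keyed on the directory's Compression value rather than on which codecs the library was built with.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard TIFF Compression values and tag numbers used by the example. */
#define COMPRESSION_NONE 1
#define COMPRESSION_LZW  5
#define COMPRESSION_JPEG 7
#define TIFFTAG_IMAGEWIDTH  256
#define TIFFTAG_IMAGELENGTH 257
#define TIFFTAG_COMPRESSION 259
#define TIFFTAG_PREDICTOR   317
#define TIFFTAG_JPEGTABLES  347

/* Field table entry. codec == 0 marks a generic tag; otherwise the tag is
 * only meaningful for that Compression value. The associations below are
 * this example's assumption, not libtiff's real field table. */
struct field_info { uint16_t tag; const char *name; uint16_t codec; };

static const struct field_info g_fields[] = {
    { TIFFTAG_IMAGEWIDTH,  "ImageWidth",  0 },
    { TIFFTAG_IMAGELENGTH, "ImageLength", 0 },
    { TIFFTAG_COMPRESSION, "Compression", 0 },
    { TIFFTAG_PREDICTOR,   "Predictor",   COMPRESSION_LZW },
    { TIFFTAG_JPEGTABLES,  "JPEGTables",  COMPRESSION_JPEG },
};

/* Reduced IFD entry: tag plus one 32-bit value (no type, count or offset). */
struct dir_entry { uint16_t tag; uint32_t value; };

struct dir_result {
    size_t accepted;       /* known entries kept for later field lookups */
    size_t ignored_codec;  /* codec-specific entries dropped: codec not in use */
    size_t unknown;        /* tags absent from the table */
    uint16_t accepted_tags[8];
};

static const struct field_info *find_field(uint16_t tag)
{
    for (size_t i = 0; i < sizeof g_fields / sizeof g_fields[0]; i++)
        if (g_fields[i].tag == tag)
            return &g_fields[i];
    return NULL;
}

/* Plays the role of _TIFFCheckFieldIsValidForCodec(): a codec-specific
 * tag is valid only when the directory's Compression selects that codec. */
int check_field_is_valid_for_codec(const struct field_info *fip, uint16_t compression)
{
    return fip->codec == 0 || fip->codec == compression;
}

/* Two passes, modelling the TIFFReadDirectory()-time filter: learn
 * Compression first, then accept or ignore every other entry. Entries
 * ignored here never reach the caller, so a codec-specific tag cannot be
 * handed back in an unexpected form when its codec is not the active one. */
struct dir_result read_directory(const struct dir_entry *entries, size_t n)
{
    struct dir_result r = {0};
    uint16_t compression = COMPRESSION_NONE;   /* TIFF default when absent */

    for (size_t i = 0; i < n; i++)
        if (entries[i].tag == TIFFTAG_COMPRESSION)
            compression = (uint16_t)entries[i].value;

    for (size_t i = 0; i < n; i++) {
        const struct field_info *fip = find_field(entries[i].tag);
        if (fip == NULL) { r.unknown++; continue; }
        if (!check_field_is_valid_for_codec(fip, compression)) {
            fprintf(stderr, "ignoring tag %u (%s): needs codec %u, Compression is %u\n",
                    fip->tag, fip->name, fip->codec, compression);
            r.ignored_codec++;
            continue;
        }
        if (r.accepted < sizeof r.accepted_tags / sizeof r.accepted_tags[0])
            r.accepted_tags[r.accepted] = fip->tag;
        r.accepted++;
    }
    return r;
}

/* Constructed samples: the same tags under LZW and under JPEG compression,
 * plus one private tag (65000) that is not in the table. */
static const struct dir_entry g_lzw_dir[] = {
    { TIFFTAG_IMAGEWIDTH, 64 }, { TIFFTAG_IMAGELENGTH, 64 },
    { TIFFTAG_COMPRESSION, COMPRESSION_LZW },
    { TIFFTAG_PREDICTOR, 2 }, { TIFFTAG_JPEGTABLES, 0 }, { 65000, 1 },
};
static const struct dir_entry g_jpeg_dir[] = {
    { TIFFTAG_IMAGEWIDTH, 64 }, { TIFFTAG_IMAGELENGTH, 64 },
    { TIFFTAG_COMPRESSION, COMPRESSION_JPEG },
    { TIFFTAG_PREDICTOR, 2 }, { TIFFTAG_JPEGTABLES, 0 }, { 65000, 1 },
};

struct dir_result read_lzw_sample(void)
{ return read_directory(g_lzw_dir, sizeof g_lzw_dir / sizeof g_lzw_dir[0]); }
struct dir_result read_jpeg_sample(void)
{ return read_directory(g_jpeg_dir, sizeof g_jpeg_dir / sizeof g_jpeg_dir[0]); }

int main(void)
{
    struct dir_result r = read_lzw_sample();
    printf("LZW: accepted=%zu ignored=%zu unknown=%zu\n", r.accepted, r.ignored_codec, r.unknown);
    r = read_jpeg_sample();
    printf("JPEG: accepted=%zu ignored=%zu unknown=%zu\n", r.accepted, r.ignored_codec, r.unknown);
    return 0;
}
```

Run against the LZW sample, JPEGTables is ignored and Predictor kept; against the JPEG sample the roles swap. The point the changelog makes is that this decision is taken once, at directory read time, so every tool built on the library sees the same set of fields for a given file regardless of which codec-specific tags the file happens to carry.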
Re: tiff and CVE-2016-10095
On Fri, Jun 02, 2017 at 11:02:06AM +0200, Moritz Muehlenhoff wrote:
> On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote:
> > Hi Moritz,
> > I'm trying to figure out the reasoning for @51764. This marks tiff as
> > affected by CVE-2016-10095. However from the upstream bug and the
> > changes we made in wheezy it looks like the changes we made already are
> > sufficient to fix the issue. Do you have a hint why you think this is
> > not the case?
>
> CVE-2016-10095 is the generic fix for the API. I'm not sure why that received
> a CVE ID, since it's not a vulnerability per se (which are in the call sites),
> but it's not worth arguing and providing that in jessie might be useful for
> building custom tools still.

But then again the fix for this should be in Wheezy already as far as I
can tell. Raphael (since you provided the upstream patches for this), can
you confirm?

Cheers,
 -- Guido
Re: tiff and CVE-2016-10095
On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote:
> Hi Moritz,
> I'm trying to figure out the reasoning for @51764. This marks tiff as
> affected by CVE-2016-10095. However from the upstream bug and the
> changes we made in wheezy it looks like the changes we made already are
> sufficient to fix the issue. Do you have a hint why you think this is
> not the case?

CVE-2016-10095 is the generic fix for the API. I'm not sure why that received
a CVE ID, since it's not a vulnerability per se (which are in the call sites),
but it's not worth arguing and providing that in jessie might be useful for
building custom tools still.

Cheers,
        Moritz