Moritz Muehlenhoff <j...@inutil.org> wrote: > On Fri, Mar 28, 2014 at 06:38:07PM -0400, Michael Gilbert wrote: >> package: src:tiff >> version: 3.9.4-5 >> severity: important >> >> This issue is currently unfixed in the tiff packages: >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243 > > This wasn't fixed in DSA 2744 since no patch was available back then. > > Since then Red Hat has used the attached patch in security update > for RHEL. > > Cheers, > Moritz
I've finally had a chance to deal with this. The patch applies cleanly with offsets to the versions in squeeze, wheezy, and sid, so I've prepared packages for all three distributions. I'm attaching the debdiff files here. Please let me know if I should proceed to upload. For sid, this will be fixed in 4.0.3-9. I realize there is no DSA. -- Jay Berkenbilt <q...@debian.org>
diff -Nru tiff-3.9.4/debian/changelog tiff-3.9.4/debian/changelog
--- tiff-3.9.4/debian/changelog 2013-08-24 11:23:06.000000000 -0400
+++ tiff-3.9.4/debian/changelog 2014-06-21 18:13:22.000000000 -0400
@@ -1,3 +1,10 @@
+tiff (3.9.4-5+squeeze11) oldstable-security; urgency=high
+
+ * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
+ #742917)
+
+ -- Jay Berkenbilt <q...@debian.org> Sat, 21 Jun 2014 17:55:02 -0400
+
 tiff (3.9.4-5+squeeze10) oldstable-security; urgency=high
 
 * Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
diff -Nru tiff-3.9.4/debian/patches/CVE-2013-4243.patch tiff-3.9.4/debian/patches/CVE-2013-4243.patch
--- tiff-3.9.4/debian/patches/CVE-2013-4243.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-3.9.4/debian/patches/CVE-2013-4243.patch 2014-06-21 18:13:22.000000000 -0400
@@ -0,0 +1,37 @@
+Index: tiff/tools/gif2tiff.c
+===================================================================
+--- tiff.orig/tools/gif2tiff.c 2014-06-21 17:53:57.819546749 -0400
++++ tiff/tools/gif2tiff.c 2014-06-21 17:53:57.815546727 -0400
+@@ -276,6 +276,10 @@
+ fprintf(stderr, "no colormap present for image\n");
+ return (0);
+ }
++ if (width == 0 || height == 0) {
++ fprintf(stderr, "Invalid value of width or height\n");
++ return(0);
++ }
+ if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+ fprintf(stderr, "not enough memory for image\n");
+ return (0);
+@@ -400,6 +404,10 @@
+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+ return 0;
+ }
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
+@@ -430,6 +438,10 @@
+ }
+ oldcode = incode;
+ do {
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = *--stackp;
+ } while (stackp > stack);
+ return 1;
diff -Nru tiff-3.9.4/debian/patches/series tiff-3.9.4/debian/patches/series
--- tiff-3.9.4/debian/patches/series 2013-08-24 11:22:20.000000000 -0400
+++ tiff-3.9.4/debian/patches/series 2014-06-21 18:13:22.000000000 -0400
@@ -24,3 +24,4 @@
 CVE-2013-4231.patch
 CVE-2013-4232.patch
 CVE-2013-4244.patch
+CVE-2013-4243.patch
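Review bot: The allocation in the first inner hunk and the two new `*fill >= raster + width*height` guards each recompute `width*height` in whatever type those variables are declared with, and the declarations are outside the hunks. If that type turns out to be a 32-bit signed int, the product of two large dimensions could wrap, and then both the buffer size and the limit would be derived from the wrapped value. Computing the pixel count once after the zero check, for example `size_t npix = (size_t)width * (size_t)height;`, then using `_TIFFmalloc(npix + EXTRAFUDGE)` and `*fill >= raster + npix`, would keep the allocation and the bound tied to one checked value. The identical patch is carried in the tiff-4.0.2 debdiff that follows, so the same applies there. The enclosing functions start and end outside all three inner hunks, so what the caller does with `raster` after the new `return 0` paths cannot be confirmed from here.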
diff -Nru tiff-4.0.2/debian/changelog tiff-4.0.2/debian/changelog
--- tiff-4.0.2/debian/changelog 2013-08-24 11:25:11.000000000 -0400
+++ tiff-4.0.2/debian/changelog 2014-06-21 18:15:31.000000000 -0400
@@ -1,3 +1,10 @@
+tiff (4.0.2-6+deb7u3) stable-security; urgency=high
+
+ * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
+ #742917)
+
+ -- Jay Berkenbilt <q...@debian.org> Sat, 21 Jun 2014 18:12:58 -0400
+
 tiff (4.0.2-6+deb7u2) stable-security; urgency=high
 
 * Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
diff -Nru tiff-4.0.2/debian/patches/CVE-2013-4243.patch tiff-4.0.2/debian/patches/CVE-2013-4243.patch
--- tiff-4.0.2/debian/patches/CVE-2013-4243.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/CVE-2013-4243.patch 2014-06-21 18:15:31.000000000 -0400
@@ -0,0 +1,37 @@
+Index: tiff/tools/gif2tiff.c
+===================================================================
+--- tiff.orig/tools/gif2tiff.c
++++ tiff/tools/gif2tiff.c
+@@ -280,6 +280,10 @@ readgifimage(char* mode)
+ fprintf(stderr, "no colormap present for image\n");
+ return (0);
+ }
++ if (width == 0 || height == 0) {
++ fprintf(stderr, "Invalid value of width or height\n");
++ return(0);
++ }
+ if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+ fprintf(stderr, "not enough memory for image\n");
+ return (0);
+@@ -404,6 +408,10 @@ process(register int code, unsigned char
+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+ return 0;
+ }
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
+@@ -434,6 +442,10 @@ process(register int code, unsigned char
+ }
+ oldcode = incode;
+ do {
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = *--stackp;
+ } while (stackp > stack);
+ return 1;
diff -Nru tiff-4.0.2/debian/patches/series tiff-4.0.2/debian/patches/series
--- tiff-4.0.2/debian/patches/series 2013-08-24 11:24:44.000000000 -0400
+++ tiff-4.0.2/debian/patches/series 2014-06-21 18:15:31.000000000 -0400
@@ -7,3 +7,4 @@
 CVE-2013-4231.patch
 CVE-2013-4232.patch
 CVE-2013-4244.patch
+CVE-2013-4243.patch