Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package tiff This is a narrowly targeted fix from upstream for CVE-2014-9330. It changes only bmp2tiff, one of the tools that is part of libtiff-tools. Although the bug was not created as RC, other similar bugs that only affect tools in libtiff-tools have been classified as RC, and this fixes a security issue with an assigned CVE number, so I think it would be best if it goes through. debdiff attached. unblock tiff/4.0.3-12 -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (200, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru tiff-4.0.3/debian/changelog tiff-4.0.3/debian/changelog --- tiff-4.0.3/debian/changelog 2014-12-23 15:52:13.000000000 -0500 +++ tiff-4.0.3/debian/changelog 2014-12-30 11:32:33.000000000 -0500 @@ -1,3 +1,9 @@ +tiff (4.0.3-12) unstable; urgency=high + + * Fix integer overflow in bmp2tiff. CVE-2014-9330. (Closes: #773987) + + -- Jay Berkenbilt <q...@debian.org> Tue, 30 Dec 2014 11:32:04 -0500 + tiff (4.0.3-11) unstable; urgency=medium * Don't crash on JPEG => non-JPEG conversion (Closes: #741451) diff -Nru tiff-4.0.3/debian/patches/CVE-2014-9330.patch tiff-4.0.3/debian/patches/CVE-2014-9330.patch --- tiff-4.0.3/debian/patches/CVE-2014-9330.patch 1969-12-31 19:00:00.000000000 -0500 +++ tiff-4.0.3/debian/patches/CVE-2014-9330.patch 2014-12-30 11:32:33.000000000 -0500 @@ -0,0 +1,45 @@ +Description: CVE-2014-9330 + Integer overflow in bmp2tiff +Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494 +Bug-Debian: http://bugs.debian.org/773987 + +Index: tiff/tools/bmp2tiff.c +=================================================================== +--- tiff.orig/tools/bmp2tiff.c ++++ tiff/tools/bmp2tiff.c +@@ -1,4 +1,4 @@ +-/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $ ++/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $ + * + * Project: libtiff tools + * Purpose: Convert Windows BMP files in TIFF. +@@ -403,6 +403,13 @@ main(int argc, char* argv[]) + + width = info_hdr.iWidth; + length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; ++ if( width <= 0 || length <= 0 ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + + switch (info_hdr.iBitCount) + { +@@ -593,6 +600,14 @@ main(int argc, char* argv[]) + + compr_size = file_hdr.iSize - file_hdr.iOffBits; + uncompr_size = width * length; ++ /* Detect int overflow */ ++ if( uncompr_size / width != length ) ++ { ++ TIFFError(infilename, ++ "Invalid dimensions of BMP file" ); ++ close(fd); ++ return -1; ++ } + comprbuf = (unsigned char *) _TIFFmalloc( compr_size ); + if (!comprbuf) { + TIFFError(infilename, diff -Nru tiff-4.0.3/debian/patches/series tiff-4.0.3/debian/patches/series --- tiff-4.0.3/debian/patches/series 2014-12-23 15:52:13.000000000 -0500 +++ tiff-4.0.3/debian/patches/series 2014-12-30 11:32:33.000000000 -0500 @@ -7,3 +7,4 @@ CVE-2013-4244.patch CVE-2013-4243.patch jpeg-colorspace.patch +CVE-2014-9330.patch
