Package: tiff
Version: 4.0.2-4
Followup-For: Bug #692345
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu raring ubuntu-patch

*** /tmp/tmpm0_BMg/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service and possible code execution via crafted PPM image
    - debian/patches/CVE-2012-4564.patch: check scanline_size in tools/ppm2tiff.c.
    - CVE-2012-4564

Thanks for considering the patch.

-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal'), (100, 'quantal-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-18-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru tiff-4.0.2/debian/changelog tiff-4.0.2/debian/changelog diff -Nru tiff-4.0.2/debian/patches/CVE-2012-4564.patch tiff-4.0.2/debian/patches/CVE-2012-4564.patch --- tiff-4.0.2/debian/patches/CVE-2012-4564.patch 1969-12-31 19:00:00.000000000 -0500 +++ tiff-4.0.2/debian/patches/CVE-2012-4564.patch 2012-11-15 08:56:13.000000000 -0500 @@ -0,0 +1,34 @@ +Description: fix denial of service and possible code execution via crafted PPM image +Origin: upstream, ppm2tiff.c,v 1.17 + +Index: tiff-4.0.2/tools/ppm2tiff.c +=================================================================== +--- tiff-4.0.2.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400 ++++ tiff-4.0.2/tools/ppm2tiff.c 2012-11-14 09:50:52.283703218 -0500 +@@ -89,6 +89,7 @@ + int c; + extern int optind; + extern char* optarg; ++ tmsize_t scanline_size; + + if (argc < 2) { + fprintf(stderr, "%s: Too few arguments\n", argv[0]); +@@ -237,8 +238,16 @@ + } + if (TIFFScanlineSize(out) > linebytes) + buf = (unsigned char *)_TIFFmalloc(linebytes); +- else +- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ else { ++ scanline_size = TIFFScanlineSize(out); ++ if (scanline_size != 0) ++ buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); ++ else { ++ fprintf(stderr, "%s: scanline size overflow\n",infile); ++ (void) TIFFClose(out); ++ exit(-2); ++ } ++ } + if (resolution > 0) { + TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution); + TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution); diff -Nru tiff-4.0.2/debian/patches/series tiff-4.0.2/debian/patches/series --- tiff-4.0.2/debian/patches/series 2012-10-05 17:07:54.000000000 -0400 +++ tiff-4.0.2/debian/patches/series 2012-11-15 08:56:13.000000000 -0500 @@ -1,3 +1,4 @@ opengl.patch CVE-2012-3401.patch CVE-2012-4447.patch +CVE-2012-4564.patch
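Review bot: in the `@@ -237,8 +238,16 @@` hunk of tools/ppm2tiff.c, the value that is checked is not the value that is used. `scanline_size` is tested against 0, but the allocation still calls `_TIFFmalloc(TIFFScanlineSize(out))`, and the opening `if (TIFFScanlineSize(out) > linebytes)` calls the function again. Assign `scanline_size = TIFFScanlineSize(out);` once before the `if` and use it in both the comparison and `_TIFFmalloc(scanline_size)`. The guard also covers only the `else` branch: the `_TIFFmalloc(linebytes)` path is unchanged, and nothing in these lines validates `linebytes` or checks `buf` for NULL before execution continues to the `resolution` block, so both are worth handling in the same change.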
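Review bot: the DEP-3 header at the top of debian/patches/CVE-2012-4564.patch carries only `Description` and `Origin`, so the patch file does not link back to the report it answers. Add a `Bug-Debian:` field referring to #692345, and make `Origin` a resolvable reference to the upstream ppm2tiff.c,v 1.17 change so the provenance of the fix can be followed from the patch itself.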