Bug#692345: tiff with CVE-2012-4564 fix ready for stable-security

Jay Berkenbilt Sat, 17 Nov 2012 11:09:16 -0800

I have an upload of tiff 3.9.4-5+squeeze7 build against squeeze ready to
upload to stable-security.  This includes a fix for CVE-2012-4564.  I've
attached the debdiff.  Please let me know if I should proceed with the
upload.  Thanks.


-- 
Jay Berkenbilt <q...@debian.org>

diff -Nru tiff-3.9.4/debian/changelog tiff-3.9.4/debian/changelog
--- tiff-3.9.4/debian/changelog	2012-10-05 17:35:50.000000000 -0400
+++ tiff-3.9.4/debian/changelog	2012-11-17 12:44:54.000000000 -0500
@@ -1,3 +1,10 @@
+tiff (3.9.4-5+squeeze7) stable-security; urgency=high
+
+  * Add fix for CVE-2012-4564, a heap-buffer overflow.  Thanks Adrian La
+    Duca for doing all the work to prepare this upload.  (Closes: #692345)
+
+ -- Jay Berkenbilt <q...@debian.org>  Sat, 17 Nov 2012 12:44:54 -0500
+
 tiff (3.9.4-5+squeeze6) stable-security; urgency=high
 
   * Add fix for CVE-2012-4447, a buffer overrun.  (Closes: #688944)
diff -Nru tiff-3.9.4/debian/patches/CVE-2012-4564.patch tiff-3.9.4/debian/patches/CVE-2012-4564.patch
--- tiff-3.9.4/debian/patches/CVE-2012-4564.patch	1969-12-31 19:00:00.000000000 -0500
+++ tiff-3.9.4/debian/patches/CVE-2012-4564.patch	2012-11-17 13:54:20.000000000 -0500
@@ -0,0 +1,31 @@
+Index: tiff-3.9.4/tools/ppm2tiff.c
+===================================================================
+--- tiff-3.9.4.orig/tools/ppm2tiff.c	2012-11-16 12:43:39.000000000 -0500
++++ tiff-3.9.4/tools/ppm2tiff.c	2012-11-16 12:43:54.000000000 -0500
+@@ -85,6 +85,7 @@
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
++	tsize_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -233,8 +234,16 @@
+ 	}
+ 	if (TIFFScanlineSize(out) > linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+-	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++	else {
++		scanline_size = TIFFScanlineSize(out);
++		if (scanline_size != 0)
++			buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++		else {
++			fprintf(stderr, "%s: scanline size overflow\n",infile);
++			(void) TIFFClose(out);
++			exit(-2);
++			}
++		}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff -Nru tiff-3.9.4/debian/patches/series tiff-3.9.4/debian/patches/series
--- tiff-3.9.4/debian/patches/series	2012-10-05 17:35:50.000000000 -0400
+++ tiff-3.9.4/debian/patches/series	2012-11-17 12:44:06.000000000 -0500
@@ -17,3 +17,4 @@
 CVE-2012-2113.patch
 CVE-2012-3401.patch
 CVE-2012-4447.patch
+CVE-2012-4564.patch

Bug#692345: tiff with CVE-2012-4564 fix ready for stable-security

Reply via email to