Attaching debdiff patches for both squeeze and wheezy/experimental
packages.
diff -Nru tiff-3.9.4/debian/changelog tiff-3.9.4/debian/changelog
--- tiff-3.9.4/debian/changelog 2012-10-05 17:35:50.000000000 -0400
+++ tiff-3.9.4/debian/changelog 2012-11-16 12:42:26.000000000 -0500
@@ -1,3 +1,10 @@
+tiff (3.9.4-5+squeeze7) stable-security; urgency=high
+
+ * Non-maintainer upload.
+ * Add fix for CVE-2012-4564, a heap-buffer overflow. (Closes: #692345)
+
+ -- Adrian La Duca <alad...@summatus.net> Fri, 16 Nov 2012 12:40:50 -0500
+
tiff (3.9.4-5+squeeze6) stable-security; urgency=high
* Add fix for CVE-2012-4447, a buffer overrun. (Closes: #688944)
diff -Nru tiff-3.9.4/debian/patches/CVE-2012-4564.patch
tiff-3.9.4/debian/patches/CVE-2012-4564.patch
--- tiff-3.9.4/debian/patches/CVE-2012-4564.patch 1969-12-31
19:00:00.000000000 -0500
+++ tiff-3.9.4/debian/patches/CVE-2012-4564.patch 2012-11-16
12:44:00.000000000 -0500
@@ -0,0 +1,31 @@
+Index: tiff-3.9.4/tools/ppm2tiff.c
+===================================================================
+--- tiff-3.9.4.orig/tools/ppm2tiff.c 2012-11-16 12:43:39.000000000 -0500
++++ tiff-3.9.4/tools/ppm2tiff.c 2012-11-16 12:43:54.000000000 -0500
+@@ -85,6 +85,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ tmsize_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -233,8 +234,16 @@
+ }
+ if (TIFFScanlineSize(out) > linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+- else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ else {
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size != 0)
++ buf = (unsigned char
*)_TIFFmalloc(TIFFScanlineSize(out));
++ else {
++ fprintf(stderr, "%s: scanline size overflow\n",infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
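Review bot: The declaration `tmsize_t scanline_size;` added in the first inner hunk is likely to break the squeeze build, because as far as I know `tmsize_t` was introduced with the libtiff 4.0 API and the 3.9 series declares TIFFScanlineSize() as returning `tsize_t`. For the 3.9.4 package the line should read `tsize_t scanline_size;`; the 4.0.2 copy of the patch can keep `tmsize_t`. Since this is a stable-security upload, a test build of the patched 3.9.4 tree should confirm this before it goes out. The enclosing function starts and ends outside both inner hunks.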
diff -Nru tiff-3.9.4/debian/patches/series tiff-3.9.4/debian/patches/series
--- tiff-3.9.4/debian/patches/series 2012-10-05 17:35:50.000000000 -0400
+++ tiff-3.9.4/debian/patches/series 2012-11-16 12:43:27.000000000 -0500
@@ -17,3 +17,4 @@
CVE-2012-2113.patch
CVE-2012-3401.patch
CVE-2012-4447.patch
+CVE-2012-4564.patch
diff -Nru tiff-4.0.2/debian/changelog tiff-4.0.2/debian/changelog
--- tiff-4.0.2/debian/changelog 2012-10-05 17:39:16.000000000 -0400
+++ tiff-4.0.2/debian/changelog 2012-11-16 13:00:08.000000000 -0500
@@ -1,3 +1,10 @@
+tiff (4.0.2-5) UNRELEASED; urgency=high
+
+ * Non-maintainer upload.
+ * Add fix for CVE-2012-4564, a heap-buffer overflow. (Closes: #692345)
+
+ -- Adrian La Duca <alad...@summatus.net> Fri, 16 Nov 2012 12:59:37 -0500
+
tiff (4.0.2-4) unstable; urgency=high
* Previous change was uploaded with the wrong CVE number. I updated the
diff -Nru tiff-4.0.2/debian/patches/CVE-2012-4564.patch
tiff-4.0.2/debian/patches/CVE-2012-4564.patch
--- tiff-4.0.2/debian/patches/CVE-2012-4564.patch 1969-12-31
19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/CVE-2012-4564.patch 2012-11-16
13:00:50.000000000 -0500
@@ -0,0 +1,31 @@
+Index: tiff-4.0.2/tools/ppm2tiff.c
+===================================================================
+--- tiff-4.0.2.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400
++++ tiff-4.0.2/tools/ppm2tiff.c 2012-11-16 13:00:44.654825029 -0500
+@@ -89,6 +89,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ tmsize_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -237,8 +238,16 @@
+ }
+ if (TIFFScanlineSize(out) > linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+- else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ else {
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size != 0)
++ buf = (unsigned char
*)_TIFFmalloc(TIFFScanlineSize(out));
++ else {
++ fprintf(stderr, "%s: scanline size overflow\n",infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
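Review bot: The zero check in the `+@@ -237,8 +238,16 @@` hunk covers only the `else` branch, and it tests `scanline_size` while the allocation calls `TIFFScanlineSize(out)` a second time instead of using the checked value. The first branch still allocates `linebytes` unchecked; `linebytes` is computed outside the hunk, so if it is derived from the image dimensions without an overflow test, the buffer can still be undersized. Reading the size once before the comparison, rejecting zero there, and allocating from the stored value closes the gap on the scanline side; the `linebytes` computation and the result of `_TIFFmalloc` need the same look. The 3.9.4 copy of this patch (`+@@ -233,8 +234,16 @@`) has the same structure. The enclosing function starts and ends outside the hunk.
```c
	/* ... unchanged: preceding setup, closing brace of the previous block ... */
	scanline_size = TIFFScanlineSize(out);
	if (scanline_size == 0) {
		/* the patch treats a zero return as the overflow signal */
		fprintf(stderr, "%s: scanline size overflow\n", infile);
		(void) TIFFClose(out);
		exit(-2);
	}
	if (scanline_size > linebytes)
		buf = (unsigned char *)_TIFFmalloc(linebytes);
	else
		buf = (unsigned char *)_TIFFmalloc(scanline_size);
	/* ... unchanged: resolution tags ... */
```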
diff -Nru tiff-4.0.2/debian/patches/series tiff-4.0.2/debian/patches/series
--- tiff-4.0.2/debian/patches/series 2012-10-05 17:07:54.000000000 -0400
+++ tiff-4.0.2/debian/patches/series 2012-11-16 13:00:25.000000000 -0500
@@ -1,3 +1,4 @@
opengl.patch
CVE-2012-3401.patch
CVE-2012-4447.patch
+CVE-2012-4564.patch