Hi, I've backported the patch for CVE-2015-8665 and CVE-2015-8683. Debdiff attached and packages uploaded to my personal repo.
deb https://people.debian.org/~santiago/debian/ santiago-squeeze-lts/
deb-src https://people.debian.org/~santiago/debian/ santiago-squeeze-lts/

The packages seem to work well, but reviews are welcome.

Santiago
diff -Nru tiff-3.9.4/debian/changelog tiff-3.9.4/debian/changelog
--- tiff-3.9.4/debian/changelog 2015-05-06 23:37:44.000000000 +0200
+++ tiff-3.9.4/debian/changelog 2016-01-20 10:23:45.000000000 +0100
@@ -1,3 +1,11 @@
+tiff (3.9.4-5+squeeze13~1) santiago-squeeze-lts; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2015-8665: Out-of-bounds read in TIFFRGBAImage interface.
+ * Fix CVE-2015-8683: Out-of-bounds read in CIE Lab image format.
+
+ -- Santiago Ruano Rincón <santiag...@riseup.net> Wed, 20 Jan 2016 06:27:59 +0100
+
 tiff (3.9.4-5+squeeze12) squeeze-lts; urgency=high
 * Non-maintainer upload by the Squeeze LTS team
diff -Nru tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch
--- tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch 1970-01-01 01:00:00.000000000 +0100
+++ tiff-3.9.4/debian/patches/CVE-2015-8665_and_CVE-2015-8683.patch 2016-01-20 13:21:48.000000000 +0100
@@ -0,0 +1,109 @@
+From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001
+From: erouault <erouault>
+Date: Sat, 26 Dec 2015 17:32:03 +0000
+Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
+ TIFFRGBAImage interface in case of unsupported values of
+ SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
+ TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
+ limingxing and CVE-2015-8683 reported by zzf of Alibaba.
+
+---
+
+Index: tiff-3.9.4/libtiff/tif_getimage.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_getimage.c
++++ tiff-3.9.4/libtiff/tif_getimage.c
+@@ -245,6 +245,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
+ int colorchannels;
+ uint16 *red_orig, *green_orig, *blue_orig;
+ int n_color;
++
++ if( !TIFFRGBAImageOK(tif, emsg) )
++ return 0;
+
+ /* Initialize to normal values */
+ img->row_offset = 0;
+@@ -426,11 +429,29 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
+ "Planarconfiguration", planarconfig);
+ return (0);
+ }
++ if( img->samplesperpixel != 3 || colorchannels != 3 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", img->samplesperpixel,
++ "colorchannels", colorchannels);
++ return 0;
++ }
++
+ TIFFSetField(tif, TIFFTAG_SGILOGDATAFMT, SGILOGDATAFMT_8BIT);
+ img->photometric = PHOTOMETRIC_RGB; /* little white lie */
+ img->bitspersample = 8;
+ break;
+ case PHOTOMETRIC_CIELAB:
++ if( img->samplesperpixel != 3 || colorchannels != 3 || img->bitspersample != 8 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
++ "Samples/pixel", img->samplesperpixel,
++ "colorchannels", colorchannels,
++ "Bits/sample", img->bitspersample);
++ return 0;
++ }
+ break;
+ default:
+ sprintf(emsg, "Sorry, can not handle image with %s=%d",
+@@ -2352,25 +2373,29 @@ PickContigCase(TIFFRGBAImage* img)
+ case PHOTOMETRIC_RGB:
+ switch (img->bitspersample) {
+ case 8:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >= 4)
+ img->put.contig = putRGBAAcontig8bittile;
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >= 4)
+ {
+ img->put.contig = putRGBUAcontig8bittile;
+ }
+- else
++ else if( img->samplesperpixel >= 3 )
+ img->put.contig = putRGBcontig8bittile;
+ break;
+ case 16:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ img->put.contig = putRGBAAcontig16bittile;
+ }
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ img->put.contig = putRGBUAcontig16bittile;
+ }
+- else
++ else if( img->samplesperpixel >=3 )
+ {
+ img->put.contig = putRGBcontig16bittile;
+ }
+@@ -2378,7 +2403,7 @@ PickContigCase(TIFFRGBAImage* img)
+ }
+ break;
+ case PHOTOMETRIC_SEPARATED:
+- if (buildMap(img)) {
++ if (img->samplesperpixel >=4 && buildMap(img)) {
+ if (img->bitspersample == 8) {
+ if (!img->Map)
+ img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2471,7 +2496,7 @@ PickContigCase(TIFFRGBAImage* img)
+ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if (buildMap(img)) {
++ if (img->samplesperpixel == 3 && buildMap(img)) {
+ if (img->bitspersample == 8)
+ img->put.contig = initCIELabConversion(img);
+ break;
diff -Nru tiff-3.9.4/debian/patches/series tiff-3.9.4/debian/patches/series
--- tiff-3.9.4/debian/patches/series 2015-05-02 04:25:31.000000000 +0200
+++ tiff-3.9.4/debian/patches/series 2016-01-20 09:33:42.000000000 +0100
@@ -35,3 +35,4 @@
 fix-various-crasher-bugs-on-fuzzed-images.patch
 tools-pal2rgb.c-tools-thumbnail.c-fix-crash-by-disab.patch
 tools-tiff2bw.c-when-photometric-rgb-the-utility-onl.patch
+CVE-2015-8665_and_CVE-2015-8683.patch
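Review bot: In the PickContigCase hunks (@@ -2352, -2378 and -2471) the new samplesperpixel guards have no fallback branch, so an image with too few samples now leaves `img->put.contig` unassigned instead of selecting a put routine. That is only safe if the function clears `img->put.contig` before the switch and reports failure when it is still NULL afterwards; both of those lines lie outside the hunks (PickContigCase starts and ends outside them), so they should be confirmed in the 3.9.4 tree, since this is a backport across branches. The same dependency holds for the added `TIFFRGBAImageOK(tif, emsg)` call in the @@ -245 hunk: its checks live in a function this patch does not touch, and the 3.9.4 version may be looser than the one the upstream fix was written against. A short comment at the RGB case, for example `/* too few samples: leave put.contig unset so the caller reports failure */`, would make the intent of the missing `else` visible.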