tags 373854 +pending
thanks

Christoph Biedl <[EMAIL PROTECTED]> wrote:
> What goes wrong:
>
> tiffsplit composes the name of the created file using the submitted
> "prefix" with the serial appended (this is in fname) and the extension
> ".tif". The resulting name is written to "path".
>
> Prior to DSA 1091-1 the vulnerable code was
> | strcpy(path, fname);
> | strcat(path, ".tif");
>
> This was changed to
> | snprintf(fname, sizeof(fname), "%s.tif", fname);
> but should obviously be
> | snprintf(path, sizeof(path), "%s.tif", fname);
> and was discussed so in #369819.

I believe this analysis is obviously correct. This same error was not made in the sid version of this upload, so the sid version is actually okay. I believe regressions introduced in stable-security are generally also fixed in stable-security, so I've attached a patch to change 3.7.2-5 to 3.7.2-6 that fixes this problem. I've marked the bug "pending" assuming that the security team will accept the proposed fix.

Thanks for your analysis and fix!

-- 
Jay Berkenbilt <[EMAIL PROTECTED]>
--- debian/changelog.qdist 2006-06-19 18:45:05.813893781 -0400 +++ debian/changelog 2006-06-19 18:49:59.708719707 -0400 @@ -1,3 +1,10 @@ +tiff (3.7.2-6) stable-security; urgency=high + + * Fix regression introduced by CVE-2006-2656.patch. Thanks Christoph + Biedl. (Closes: #373854) + + -- Jay Berkenbilt <[EMAIL PROTECTED]> Mon, 19 Jun 2006 18:49:39 -0400 + tiff (3.7.2-5) stable-security; urgency=high * Non-maintainer upload by the Security Team --- debian/patches/CVE-2006-2656.patch.qdist 2006-06-19 18:45:05.808894413 -0400 +++ debian/patches/CVE-2006-2656.patch 2006-06-19 18:47:22.846560837 -0400 @@ -18,7 +18,7 @@ newfilename(); - strcpy(path, fname); - strcat(path, ".tif"); -+ snprintf(fname, sizeof(fname), "%s.tif", fname); ++ snprintf(path, sizeof(path), "%s.tif", fname); out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); if (out == NULL) return (-2);
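Review bot: the changelog entry "Fix regression introduced by CVE-2006-2656.patch" names the patch file but not what the regression was; a reader of the stable changelog cannot tell which tool was affected without opening #373854. Suggest saying it in one line, e.g. "tiffsplit: write the .tif suffix into path rather than fname (the mis-fixed snprintf left path unset before TIFFOpen)", which is exactly what the second hunk of this upload corrects. The metadata itself (stable-security, urgency=high, Closes: #373854 matching the tags line) is consistent.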
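Review bot: the corrected line `+ snprintf(path, sizeof(path), "%s.tif", fname);` fixes the destination buffer, but its return value is still discarded, so a prefix long enough that fname plus ".tif" does not fit in path is silently truncated and the `TIFFOpen(path, ...)` on the next context line then opens a file with a different name than the user asked for. Suggest capturing the result, `int n = snprintf(path, sizeof(path), "%s.tif", fname);`, and returning an error when `n < 0 || n >= sizeof(path)` before reaching TIFFOpen. Two further points from the visible lines: the removed line `snprintf(fname, sizeof(fname), "%s.tif", fname)` passed the same buffer as both destination and argument, which C leaves undefined, so using a distinct destination is the right shape of fix; and since the declaration of path is outside this hunk, it is worth confirming that path is a fixed-size array in this scope, because sizeof(path) on a pointer would be the pointer size rather than the buffer size.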
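As an added illustration of the analysis quoted above (this is not code from the tiff package or from either correspondent), here is the pre-DSA composition beside a bounded version that also reports the truncation case the patched snprintf still ignores. The buffer size, the prefix values and the serial string are constructed for the example; tiffsplit's real buffer size and newfilename() logic are not shown in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for the example; the real one is not in the thread. */
#define PATH_BUF 16

/* Shape of the code before DSA 1091-1, kept only for comparison and never
 * called below: nothing bounds the copy, so a long fname overruns path. */
void compose_tif_path_unbounded(char *path, const char *fname)
{
    strcpy(path, fname);
    strcat(path, ".tif");
}

/* Bounded composition: write "<fname>.tif" into path (an array of pathsz
 * bytes). Returns 0 on success and -1 if the name would not fit, in which
 * case path is left empty so a truncated name is never handed to TIFFOpen.
 * Source and destination are distinct buffers, unlike the mis-fixed
 * snprintf(fname, sizeof(fname), "%s.tif", fname). */
int compose_tif_path(char *path, size_t pathsz, const char *fname)
{
    if (path == NULL || pathsz == 0 || fname == NULL)
        return -1;
    int n = snprintf(path, pathsz, "%s.tif", fname);
    if (n < 0 || (size_t)n >= pathsz) {
        path[0] = '\0';   /* snprintf truncated: discard the partial name */
        return -1;
    }
    return 0;
}

/* Up-front check a caller can run on the user-supplied prefix before the
 * split loop starts: prefix + serial + ".tif" + NUL must fit in pathsz. */
int prefix_fits(size_t prefix_len, size_t serial_len, size_t pathsz)
{
    return prefix_len + serial_len + 4 + 1 <= pathsz;
}

int main(void)
{
    char path[PATH_BUF];
    /* Constructed fname values: prefix "img" and "averylongprefix", serial "aaa". */
    printf("%d %s\n", compose_tif_path(path, sizeof path, "imgaaa"), path);
    printf("%d [%s]\n", compose_tif_path(path, sizeof path, "averylongprefixaaa"), path);
    printf("%d\n", prefix_fits(strlen("averylongprefix"), 3, sizeof path));
    return 0;
}
```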