Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: t...@packages.debian.org, g...@debian.org
Control: affects -1 + src:tiff
User: release.debian....@packages.debian.org
Usertags: pu

Fixes various low severity security issues in tiff. PoCs
have all been used (where available) to validate the
fixes.

Cheers,
        Moritz

diff -Nru tiff-4.5.0/debian/changelog tiff-4.5.0/debian/changelog
--- tiff-4.5.0/debian/changelog 2023-11-23 09:06:18.000000000 +0100
+++ tiff-4.5.0/debian/changelog 2025-01-03 14:39:11.000000000 +0100
@@ -1,3 +1,15 @@
+tiff (4.5.0-6+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-2908
+  * CVE-2023-3618 (Closes: #1040945)
+  * CVE-2023-25433
+  * CVE-2023-26965
+  * CVE-2023-26966
+  * CVE-2023-52356 (Closes: #1061524)
+  * CVE-2024-7006 (Closes: #1078648)
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Fri, 03 Jan 2025 14:39:11 +0100
+
 tiff (4.5.0-6+deb12u1) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru tiff-4.5.0/debian/patches/CVE-2023-25433.patch 
tiff-4.5.0/debian/patches/CVE-2023-25433.patch
--- tiff-4.5.0/debian/patches/CVE-2023-25433.patch      1970-01-01 
01:00:00.000000000 +0100
+++ tiff-4.5.0/debian/patches/CVE-2023-25433.patch      2025-01-03 
14:33:26.000000000 +0100
@@ -0,0 +1,74 @@
+This is the second part of the fix for CVE-2023-25433, the first part
+was already applied in 4.5.0-5 with the patch
+tiffcrop_correctly_update_buffersize.patch
+
+From 688012dca2c39033aa2dc7bcea9796787cfd1b44 Mon Sep 17 00:00:00 2001
+From: Su_Laus <su...@freenet.de>
+Date: Sat, 4 Feb 2023 23:24:21 +0100
+Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
+ fix#520  -- enlarge buffsize and check integer overflow within rotateImage().
+
+--- tiff-4.5.0.orig/tools/tiffcrop.c
++++ tiff-4.5.0/tools/tiffcrop.c
+@@ -9614,7 +9614,8 @@ static int rotateImage(uint16_t rotation
+     uint32_t bytes_per_pixel, bytes_per_sample;
+     uint32_t row, rowsize, src_offset, dst_offset;
+     uint32_t i, col, width, length;
+-    uint32_t colsize, buffsize, col_offset, pix_offset;
++    uint32_t colsize, col_offset, pix_offset;
++    tmsize_t buffsize;
+     unsigned char *ibuff;
+     unsigned char *src;
+     unsigned char *dst;
+@@ -9627,12 +9628,40 @@ static int rotateImage(uint16_t rotation
+     spp = image->spp;
+     bps = image->bps;
+ 
++    if ((spp != 0 && bps != 0 &&
++         width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
++        (spp != 0 && bps != 0 &&
++         length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
++    {
++        TIFFError("rotateImage", "Integer overflow detected.");
++        return (-1);
++    }
+     rowsize = ((bps * spp * width) + 7) / 8;
+     colsize = ((bps * spp * length) + 7) / 8;
+     if ((colsize * width) > (rowsize * length))
+-        buffsize = (colsize + 1) * width;
++    {
++        if (((tmsize_t)colsize + 1) != 0 &&
++            (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
++                               ((tmsize_t)colsize + 1)))
++        {
++            TIFFError("rotateImage",
++                      "Integer overflow when calculating buffer size.");
++            return (-1);
++        }
++        buffsize = ((tmsize_t)colsize + 1) * width;
++    }
+     else
++    {
++        if (((tmsize_t)rowsize + 1) != 0 &&
++            (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) 
/
++                                ((tmsize_t)rowsize + 1)))
++        {
++            TIFFError("rotateImage",
++                      "Integer overflow when calculating buffer size.");
++            return (-1);
++        }
+         buffsize = (rowsize + 1) * length;
++    }
+ 
+     bytes_per_sample = (bps + 7) / 8;
+     bytes_per_pixel = ((bps * spp) + 7) / 8;
+@@ -9661,7 +9690,8 @@ static int rotateImage(uint16_t rotation
+               (unsigned char *)limitMalloc(buffsize + 
NUM_BUFF_OVERSIZE_BYTES)))
+     {
+         TIFFError("rotateImage",
+-                  "Unable to allocate rotation buffer of %1u bytes",
++                  "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
++                  " bytes ",
+                   buffsize + NUM_BUFF_OVERSIZE_BYTES);
+         return (-1);
+     }
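Review bot: The else branch at the end of the buffer-size block still computes `buffsize = (rowsize + 1) * length;` in uint32_t arithmetic, so the product can wrap before it is widened to tmsize_t and the TIFF_TMSIZE_T_MAX check just above it does not cover that; the mirror branch already casts `((tmsize_t)colsize + 1) * width`. Change the line to `buffsize = ((tmsize_t)rowsize + 1) * length;`. The branch selector `(colsize * width) > (rowsize * length)` is likewise evaluated in uint32_t and can wrap, which only picks the other branch, but is worth casting the same way for consistency. Whether a wrapping product is reachable with an image that already fits in memory I cannot tell from the hunk; rotateImage() starts and ends outside it.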
diff -Nru tiff-4.5.0/debian/patches/CVE-2023-26965.patch 
tiff-4.5.0/debian/patches/CVE-2023-26965.patch
--- tiff-4.5.0/debian/patches/CVE-2023-26965.patch      1970-01-01 
01:00:00.000000000 +0100
+++ tiff-4.5.0/debian/patches/CVE-2023-26965.patch      2025-01-03 
14:27:47.000000000 +0100
@@ -0,0 +1,83 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <su...@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+
+--- tiff-4.5.0.orig/tools/tiffcrop.c
++++ tiff-4.5.0/tools/tiffcrop.c
+@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct im
+     uint32_t tw = 0, tl = 0; /* Tile width and length */
+     tmsize_t tile_rowsize = 0;
+     unsigned char *read_buff = NULL;
+-    unsigned char *new_buff = NULL;
+     int readunit = 0;
+-    static tmsize_t prev_readsize = 0;
+ 
+     TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+     TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct im
+     }
+ 
+     read_buff = *read_ptr;
+-    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit 
*/
+-    /* outside buffer */
+-    if (!read_buff)
++    /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
++     * outside buffer */
++    /* Reuse of read_buff from previous image is quite unsafe, because other
++     * functions (like rotateImage() etc.) reallocate that buffer with 
different
++     * size without updating the local prev_readsize value. */
++    if (read_buff)
+     {
+-        if (buffsize > 0xFFFFFFFFU - 3)
+-        {
+-            TIFFError("loadImage", "Unable to allocate/reallocate read 
buffer");
+-            return (-1);
+-        }
+-        read_buff =
+-            (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++        _TIFFfree(read_buff);
+     }
+-    else
++    if (buffsize > 0xFFFFFFFFU - 3)
+     {
+-        if (prev_readsize < buffsize)
+-        {
+-            if (buffsize > 0xFFFFFFFFU - 3)
+-            {
+-                TIFFError("loadImage",
+-                          "Unable to allocate/reallocate read buffer");
+-                return (-1);
+-            }
+-            new_buff =
+-                _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-            if (!new_buff)
+-            {
+-                free(read_buff);
+-                read_buff = (unsigned char *)limitMalloc(
+-                    buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-            }
+-            else
+-                read_buff = new_buff;
+-        }
++        TIFFError("loadImage", "Required read buffer size too large");
++        return (-1);
+     }
++    read_buff =
++        (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+     if (!read_buff)
+     {
+-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++        TIFFError("loadImage", "Unable to allocate read buffer");
+         return (-1);
+     }
+ 
+@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct im
+     read_buff[buffsize + 1] = 0;
+     read_buff[buffsize + 2] = 0;
+ 
+-    prev_readsize = buffsize;
+     *read_ptr = read_buff;
+ 
+     /* N.B. The read functions used copy separate plane data into a buffer as
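Review bot: After `_TIFFfree(read_buff);` the caller's `*read_ptr` still holds the freed pointer until the `*read_ptr = read_buff;` assignment at the end of the block, so the two `return (-1)` paths that follow (size too large, limitMalloc failure) hand a dangling pointer back, and a caller that frees `*read_ptr` on failure would double free. Clear it at the free site: `_TIFFfree(read_buff); *read_ptr = NULL;`. The new comment still refers to `prev_readsize`, which this same patch deletes, so reword it to say the buffer is freed and reallocated for every image rather than reused. Whether tiffcrop's main frees the buffer after a loadImage() failure is not visible here; loadImage() begins and continues outside the hunk.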
diff -Nru tiff-4.5.0/debian/patches/CVE-2023-26966.patch 
tiff-4.5.0/debian/patches/CVE-2023-26966.patch
--- tiff-4.5.0/debian/patches/CVE-2023-26966.patch      1970-01-01 
01:00:00.000000000 +0100
+++ tiff-4.5.0/debian/patches/CVE-2023-26966.patch      2025-01-03 
14:37:54.000000000 +0100
@@ -0,0 +1,21 @@
+From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
+From: Su_Laus <su...@freenet.de>
+Date: Thu, 16 Feb 2023 12:03:16 +0100
+Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
+
+--- tiff-4.5.0.orig/libtiff/tif_luv.c
++++ tiff-4.5.0/libtiff/tif_luv.c
+@@ -953,6 +953,13 @@ static
+ {
+     register int vi, ui;
+ 
++    /* check for NaN */
++    if (u != u || v != v)
++    {
++        u = U_NEU;
++        v = V_NEU;
++    }
++
+     if (v < UV_VSTART)
+         return oog_encode(u, v);
+     vi = tiff_itrunc((v - UV_VSTART) * (1. / UV_SQSIZ), em);
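Review bot: `u != u || v != v` is the self-comparison NaN idiom, which reads as a typo to anyone not expecting it; if <math.h> is available in tif_luv.c, `if (isnan(u) || isnan(v))` states the intent directly, otherwise keep the idiom but say so in the comment: `/* x != x is true only for NaN */`. Infinite u or v are not covered by this check; a +inf v passes `v < UV_VSTART` and reaches tiff_itrunc(), and whether that is safe depends on tiff_itrunc(), which is outside the hunk. uv_encode()'s signature and parameter types are above the hunk as well.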
diff -Nru tiff-4.5.0/debian/patches/CVE-2023-2908.patch 
tiff-4.5.0/debian/patches/CVE-2023-2908.patch
--- tiff-4.5.0/debian/patches/CVE-2023-2908.patch       1970-01-01 
01:00:00.000000000 +0100
+++ tiff-4.5.0/debian/patches/CVE-2023-2908.patch       2025-01-03 
14:35:31.000000000 +0100
@@ -0,0 +1,22 @@
+From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001
+From: xiaoxiaoafeifei <lliangliang2...@163.com>
+Date: Fri, 21 Apr 2023 13:01:34 +0000
+Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`:
+ applying zero offset to null pointer
+
+--- tiff-4.5.0.orig/libtiff/tif_dir.c
++++ tiff-4.5.0/libtiff/tif_dir.c
+@@ -192,11 +192,11 @@ static int setExtraSamples(TIFF *tif, va
+ static uint16_t countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
+ {
+     uint16_t i = 0;
+-    const char *ep = s + slen;
+-    const char *cp = s;
+ 
+     if (slen > 0)
+     {
++        const char *ep = s + slen;
++        const char *cp = s;
+         do
+         {
+             for (; cp < ep && *cp != '\0'; cp++)
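Review bot: Moving `ep`/`cp` under `if (slen > 0)` removes the zero-offset-on-NULL case, but `s == NULL` with a nonzero `slen` still evaluates `s + slen` on the first added line, which is the same undefined behaviour one step later. Either make the precondition explicit in a comment above the function, e.g. `/* s may be NULL only when slen == 0 */`, or guard the block with `if (slen > 0 && s != NULL)` if callers can pass an unset INKNAMES value; which callers do is not visible in the hunk. countInkNamesString() continues past the end of the hunk.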
diff -Nru tiff-4.5.0/debian/patches/CVE-2023-3618.patch 
tiff-4.5.0/debian/patches/CVE-2023-3618.patch
--- tiff-4.5.0/debian/patches/CVE-2023-3618.patch       1970-01-01 
01:00:00.000000000 +0100
+++ tiff-4.5.0/debian/patches/CVE-2023-3618.patch       2025-01-03 
14:34:28.000000000 +0100
@@ -0,0 +1,34 @@
+From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
+From: Su_Laus <su...@freenet.de>
+Date: Fri, 5 May 2023 19:43:46 +0200
+Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
+
+--- tiff-4.5.0.orig/tools/tiffcrop.c
++++ tiff-4.5.0/tools/tiffcrop.c
+@@ -2822,9 +2822,14 @@ int main(int argc, char *argv[])
+             { /* Whole image or sections not based on output page size */
+                 if (crop.selections > 0)
+                 {
+-                    writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
+-                                    mp, argv[argc - 1], &next_page,
+-                                    total_pages);
++                    if (writeSelections(in, &out, &crop, &image, &dump,
++                                        seg_buffs, mp, argv[argc - 1],
++                                        &next_page, total_pages))
++                    {
++                        TIFFError("main",
++                                  "Unable to write new image selections");
++                        exit(EXIT_FAILURE);
++                    }
+                 }
+                 else /* One file all images and sections */
+                 {
+@@ -8785,7 +8790,7 @@ static int createCroppedImage(struct ima
+     /* Memory is freed before crop_buff_ptr is overwritten */
+     if (*crop_buff_ptr != NULL)
+     {
+-      _TIFFfree(*crop_buff_ptr);
++        _TIFFfree(*crop_buff_ptr);
+     }
+ 
+     /* process full image, no crop buffer needed */
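Review bot: The new failure branch calls `exit(EXIT_FAILURE)` directly from inside main's page loop, so `in` and `out` are never passed to TIFFClose() and whatever TIFFClose() would have finalised in the output file is not written; if the other error paths in main use the same pattern this is at least consistent, but that is not visible here. A tidier fix is to `break` or `goto` a shared cleanup label that closes both handles before exiting. The second hunk only re-indents `_TIFFfree(*crop_buff_ptr);` and changes nothing. main() begins and ends outside the first hunk.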
diff -Nru tiff-4.5.0/debian/patches/CVE-2023-52356.patch 
tiff-4.5.0/debian/patches/CVE-2023-52356.patch
--- tiff-4.5.0/debian/patches/CVE-2023-52356.patch      1970-01-01 
01:00:00.000000000 +0100
+++ tiff-4.5.0/debian/patches/CVE-2023-52356.patch      2025-01-03 
14:36:34.000000000 +0100
@@ -0,0 +1,37 @@
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.roua...@spatialys.com>
+Date: Tue, 31 Oct 2023 15:58:41 +0100
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+--- tiff-4.5.0.orig/libtiff/tif_getimage.c
++++ tiff-4.5.0/libtiff/tif_getimage.c
+@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint
+     if (TIFFRGBAImageOK(tif, emsg) &&
+         TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
+     {
++        if (row >= img.height)
++        {
++            TIFFErrorExtR(tif, TIFFFileName(tif),
++                          "Invalid row passed to TIFFReadRGBAStrip().");
++            TIFFRGBAImageEnd(&img);
++            return (0);
++        }
+ 
+         img.row_offset = row;
+         img.col_offset = 0;
+@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint3
+         return (0);
+     }
+ 
++    if (col >= img.width || row >= img.height)
++    {
++        TIFFErrorExtR(tif, TIFFFileName(tif),
++                      "Invalid row/col passed to TIFFReadRGBATile().");
++        TIFFRGBAImageEnd(&img);
++        return (0);
++    }
++
+     /*
+      * The TIFFRGBAImageGet() function doesn't allow us to get off the
+      * edge of the image, even to fill an otherwise valid tile.  So we
diff -Nru tiff-4.5.0/debian/patches/CVE-2024-7006.patch 
tiff-4.5.0/debian/patches/CVE-2024-7006.patch
--- tiff-4.5.0/debian/patches/CVE-2024-7006.patch       1970-01-01 
01:00:00.000000000 +0100
+++ tiff-4.5.0/debian/patches/CVE-2024-7006.patch       2025-01-03 
14:38:56.000000000 +0100
@@ -0,0 +1,48 @@
+From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
+From: Su_Laus <su...@freenet.de>
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+
+--- tiff-4.5.0.orig/libtiff/tif_dirinfo.c
++++ tiff-4.5.0/libtiff/tif_dirinfo.c
+@@ -1080,7 +1080,7 @@ const TIFFField *_TIFFFindOrRegisterFiel
+     if (fld == NULL)
+     {
+         fld = _TIFFCreateAnonField(tif, tag, dt);
+-        if (!_TIFFMergeFields(tif, fld, 1))
++        if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+             return NULL;
+     }
+ 
+--- tiff-4.5.0.orig/libtiff/tif_dirread.c
++++ tiff-4.5.0/libtiff/tif_dirread.c
+@@ -4211,11 +4211,9 @@ int TIFFReadDirectory(TIFF *tif)
+                                 dp->tdir_tag, dp->tdir_tag);
+                 /* the following knowingly leaks the
+                    anonymous field structure */
+-                if (!_TIFFMergeFields(
+-                        tif,
+-                        _TIFFCreateAnonField(tif, dp->tdir_tag,
+-                                             (TIFFDataType)dp->tdir_type),
+-                        1))
++                const TIFFField *fld = _TIFFCreateAnonField(
++                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+                 {
+                     TIFFWarningExtR(
+                         tif, module,
+@@ -5044,11 +5042,9 @@ int TIFFReadCustomDirectory(TIFF *tif, t
+                             "Unknown field with tag %" PRIu16 " (0x%" PRIx16
+                             ") encountered",
+                             dp->tdir_tag, dp->tdir_tag);
+-            if (!_TIFFMergeFields(
+-                    tif,
+-                    _TIFFCreateAnonField(tif, dp->tdir_tag,
+-                                         (TIFFDataType)dp->tdir_type),
+-                    1))
++            const TIFFField *fld = _TIFFCreateAnonField(
++                tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++            if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+             {
+                 TIFFWarningExtR(tif, module,
+                                 "Registering anonymous field with tag %" 
PRIu16
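Review bot: In the two tif_dirread.c hunks an allocation failure inside _TIFFCreateAnonField() now takes the same `Registering anonymous field with tag … failed` warning path as a merge failure, so an out-of-memory condition is reported as a registration problem and the directory read continues; consider a separate `TIFFErrorExtR` (or at least a distinct warning) when `fld == NULL`, since the two causes call for different handling. The `const TIFFField *fld` declarations sit after statements in their blocks, which is fine for C99 but introduces a new local named `fld` inside a large function, so check that it does not shadow an outer `fld`. Both enclosing functions begin and end outside the hunk.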
diff -Nru tiff-4.5.0/debian/patches/series tiff-4.5.0/debian/patches/series
--- tiff-4.5.0/debian/patches/series    2023-11-23 09:06:07.000000000 +0100
+++ tiff-4.5.0/debian/patches/series    2025-01-03 14:38:43.000000000 +0100
@@ -11,3 +11,10 @@
 CVE-2023-3576.patch
 CVE-2023-40745.patch
 CVE-2023-41175.patch
+CVE-2023-26965.patch
+CVE-2023-25433.patch
+CVE-2023-3618.patch
+CVE-2023-2908.patch
+CVE-2023-52356.patch
+CVE-2023-26966.patch
+CVE-2024-7006.patch
