- 2008.08.30 02:08 "Re: [Tiff] Some security fixes from RHEL", by Tom Lane
-
2008.08.31 15:17 "Re: [Tiff] Some security fixes from RHEL", by Frank Warmerdam
-
2008.08.31 15:38 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
-
2008.08.31 21:09 "Re: [Tiff] Some security fixes from RHEL", by Rogier Wolff
- 2008.08.31 21:21 "Re: [Tiff] Some security fixes from RHEL", by Olaf_Drümmer
-
2008.08.31 21:51 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
- 2008.08.31 22:08 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
- 2008.08.31 21:52 "Re: [Tiff] Some security fixes from RHEL", by Toby Thain
- 2008.09.01 15:40 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
-
2008.08.31 21:59 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
- 2008.08.31 22:17 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
-
2008.09.01 03:12 "Re: [Tiff] Some security fixes from RHEL", by Frank Warmerdam
-
2008.09.01 15:52 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
-
2008.09.01 21:33 "Re: [Tiff] Some security fixes from RHEL", by Frank Warmerdam
-
2008.09.03 16:38 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
-
2008.09.03 17:07 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
-
2008.09.03 17:20 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
- 2008.09.03 18:02 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
-
2008.09.03 19:32 "Re: [Tiff] Some security fixes from RHEL", by Ron
- 2008.09.03 21:39 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
-
2008.09.03 17:20 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
- 2008.09.03 17:16 "Re: [Tiff] Some security fixes from RHEL", by Frank Warmerdam
- 2008.09.04 07:45 "Re: [Tiff] Some security fixes from RHEL", by Andrey Kiselev
-
2008.09.03 17:07 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
-
2008.09.03 16:38 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
- 2008.09.01 22:30 "Re: [Tiff] Some security fixes from RHEL", by Dmitry V. Levin
-
2008.09.01 21:33 "Re: [Tiff] Some security fixes from RHEL", by Frank Warmerdam
-
2008.09.01 15:52 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
-
2008.09.01 05:11 "Re: [Tiff] Some security fixes from RHEL", by Tom Lane
- 2008.09.01 15:30 "Re: [Tiff] Some security fixes from RHEL", by Frank Warmerdam
- 2008.09.01 15:33 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
- 2008.09.01 16:23 "Re: [Tiff] Some security fixes from RHEL", by Ron
- 2008.09.01 22:04 "Re: [Tiff] Some security fixes from RHEL", by Dmitry V. Levin
-
2008.08.31 21:09 "Re: [Tiff] Some security fixes from RHEL", by Rogier Wolff
-
2008.08.31 15:38 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
-
2008.09.03 08:03 "Re: [Tiff] Some security fixes from RHEL", by Andrey Kiselev
- 2008.09.04 20:48 "Re: [Tiff] beta2 release - lfind() problem on Win64", by Edward Lam
- 2008.09.03 21:01 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
- 2008.09.03 21:59 "Re: [Tiff] Some security fixes from RHEL", by Even Rouault
2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault
I've just read http://lwn.net/Articles/296197 and I downloaded the source rpm.
I've attached here 2 vendor security patches from Redhat for their RHELs that aren't yet applied to CVS head (I haven't check for 3.9 branch): - libtiff-3.8.2-CVE-2006-2193.patch
- libtiff-3.8.2-lzw-bugs.patch: Fixes for CVE-2008-2327. Partly reported and proposed patch in http://bugzilla.maptools.org/show_bug.cgi?id=1929. But Redhat's patch has a few extra lines. See https://bugzilla.redhat.com/show_bug.cgi?id=458674
I'm just curious about how vendors usually interact with libtiff upstream team? It would have been nice if they had dropped a word on it on libtiff bugzilla...
Fixes for CVE-2008-2327
diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c
--- tiff-3.8.2.orig/libtiff/tif_lzw.c 2006-03-21 11:42:50.000000000 -0500
+++ tiff-3.8.2/libtiff/tif_lzw.c 2008-08-22 16:26:01.000000000 -0400
@@ -237,6 +237,11 @@
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
+ /*
+ * Zero-out the unused entries
+ */
+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
}
return (1);
}
@@ -408,12 +413,19 @@
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask-1;
NextCode(tif, sp, bp, code, GetNextCode);
if (code == CODE_EOI)
break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecode: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = (char)code, occ--;
oldcodep = sp->dec_codetab + code;
continue;
@@ -604,12 +616,19 @@
break;
if (code == CODE_CLEAR) {
free_entp = sp->dec_codetab + CODE_FIRST;
+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
NextCode(tif, sp, bp, code, GetNextCodeCompat);
if (code == CODE_EOI)
break;
+ if (code == CODE_CLEAR) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "LZWDecodeCompat: Corrupted LZW table at scanline %d",
+ tif->tif_row);
+ return (0);
+ }
*op++ = code, occ--;
oldcodep = sp->dec_codetab + code;
continue;
--- tiff-3.8.2/tools/tiff2pdf.c.CVE-2006-2193 2006-03-21 17:42:51.000000000 +0100
+++ tiff-3.8.2/tools/tiff2pdf.c 2006-09-05 10:47:51.000000000 +0200
@@ -3668,7 +3668,7 @@
written += TIFFWriteFile(output, (tdata_t) "(", 1);
for (i=0;i<len;i++){
if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
- sprintf(buffer, "\\%.3o", pdfstr[i]);
+ snprintf(buffer, sizeof(buffer), "\\%.3o", (unsigned char) pdfstr[i]);
written += TIFFWriteFile(output, (tdata_t)
buffer, 4);
} else {
switch (pdfstr[i]){