diff -Nru tiff-4.1.0+git191117/debian/changelog tiff-4.1.0+git191117/debian/changelog
--- tiff-4.1.0+git191117/debian/changelog 2022-12-01 10:00:12.000000000 +0000
+++ tiff-4.1.0+git191117/debian/changelog 2023-03-03 16:20:24.000000000 +0000
@@ -1,3 +1,25 @@
+tiff (4.1.0+git191117-2ubuntu0.20.04.8) focal-security; urgency=medium
+
+ * SECURITY UPDATE: out-of-bounds reads
+ - debian/patches/CVE-2023-0795.patch: Amend rotateImage() not to toggle the
+ input image width and length parameters when only cropped image sections
+ are rotated in tiffcrop.c.
+ - CVE-2023-0795
+ - CVE-2023-0796
+ - CVE-2023-0797
+ - CVE-2023-0798
+ - CVE-2023-0799
+ * SECURITY UPDATE: out-of-bounds writes
+ - debian/patches/CVE-2023-0800.patch: added check for assumption on
+ composite images in tiffcrop.c.
+ - CVE-2023-0800
+ - CVE-2023-0801
+ - CVE-2023-0802
+ - CVE-2023-0803
+ - CVE-2023-0804
+
+ -- Fabian Toepfer Fri, 03 Mar 2023 17:20:24 +0100
+
 tiff (4.1.0+git191117-2ubuntu0.20.04.7) focal-security; urgency=medium

 * SECURITY UPDATE: unsigned integer overflow
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2023-0795.patch tiff-4.1.0+git191117/debian/patches/CVE-2023-0795.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2023-0795.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.1.0+git191117/debian/patches/CVE-2023-0795.patch 2023-03-03 12:41:26.000000000 +0000
@@ -0,0 +1,152 @@
+From: Markus Koschany
+Date: Tue, 21 Feb 2023 14:26:43 +0100
+Subject: CVE-2023-0795
+
+This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
+CVE-2023-0799.
+
+Bug-Debian: https://bugs.debian.org/1031632
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
+---
+ tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b9ce356..9ce1157 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -277,7 +277,6 @@ struct region {
+ uint32 width; /* width in pixels */
+ uint32 length; /* length in pixels */
+ uint32 buffsize; /* size of buffer needed to hold the cropped region */
+- unsigned char *buffptr; /* address of start of the region */
+ };
+
+ /* Cropping parameters from command line and image data
+@@ -532,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
+ uint32, uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- unsigned char **);
++ unsigned char **, int);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+ unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -5113,7 +5112,6 @@ initCropMasks (struct crop_mask *cps)
+ cps->regionlist[i].width = 0;
+ cps->regionlist[i].length = 0;
+ cps->regionlist[i].buffsize = 0;
+- cps->regionlist[i].buffptr = NULL;
+ cps->zonelist[i].position = 0;
+ cps->zonelist[i].total = 0;
+ }
+@@ -6359,8 +6357,13 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
+ image->adjustments & ROTATE_ANY);
+ return (-1);
+ }
+-
+- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
++
++ /* Dummy variable in order not to switch two times the
++ * image->width,->length within rotateImage(),
++ * but switch xres, yres there. */
++ uint32_t width = image->width;
++ uint32_t length = image->length;
++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
+ {
+ TIFFError ("correct_orientation", "Unable to rotate image");
+ return (-1);
+@@ -6428,7 +6431,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
+ /* These should not be needed for composite images */
+ crop->regionlist[i].width = crop_width;
+ crop->regionlist[i].length = crop_length;
+- crop->regionlist[i].buffptr = crop_buff;
+
+ src_rowsize = ((img_width * bps * spp) + 7) / 8;
+ dst_rowsize = (((crop_width * bps * count) + 7) / 8);
+@@ -6665,7 +6667,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop,
+
+ crop->regionlist[region].width = crop_width;
+ crop->regionlist[region].length = crop_length;
+- crop->regionlist[region].buffptr = crop_buff;
+
+ src = read_buff;
+ dst = crop_buff;
+@@ -7543,7 +7544,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, &crop_buff))
++ &crop->combined_length, &crop_buff, FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7649,7 +7650,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
+- &crop->regionlist[i].length, &crop_buff))
++ &crop->regionlist[i].length, &crop_buff, FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7781,7 +7782,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, crop_buff_ptr))
++ &crop->combined_length, crop_buff_ptr, TRUE))
+ {
+ TIFFError("createCroppedImage",
+ "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8444,7 +8445,7 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+- uint32 *img_length, unsigned char **ibuff_ptr)
++ uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+ {
+ int shift_width;
+ uint32 bytes_per_pixel, bytes_per_sample;
+@@ -8635,11 +8636,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+
+ *img_width = length;
+ *img_length = width;
+- image->width = length;
+- image->length = width;
+- res_temp = image->xres;
+- image->xres = image->yres;
+- image->yres = res_temp;
++ /* Only toggle image parameters if whole input image is rotated. */
++ if (rot_image_params)
++ {
++ image->width = length;
++ image->length = width;
++ res_temp = image->xres;
++ image->xres = image->yres;
++ image->yres = res_temp;
++ }
+ break;
+
+ case 270: if ((bps % 8) == 0) /* byte aligned data */
+@@ -8712,11 +8717,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+
+ *img_width = length;
+ *img_length = width;
+- image->width = length;
+- image->length = width;
+- res_temp = image->xres;
+- image->xres = image->yres;
+- image->yres = res_temp;
++ /* Only toggle image parameters if whole input image is rotated. */
++ if (rot_image_params)
++ {
++ image->width = length;
++ image->length = width;
++ res_temp = image->xres;
++ image->xres = image->yres;
++ image->yres = res_temp;
++ }
+ break;
+ default:
+ break;
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2023-0800.patch tiff-4.1.0+git191117/debian/patches/CVE-2023-0800.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2023-0800.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.1.0+git191117/debian/patches/CVE-2023-0800.patch 2023-03-03 12:41:41.000000000 +0000
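Review bot: In debian/patches/CVE-2023-0795.patch, the new `rot_image_params` argument of rotateImage() is what prevents the `image->width`/`image->length` swap in the 90 and 270 degree cases, yet the function's header comment (`/* Rotate an image by a multiple of 90 degrees clockwise */`) is left unchanged. I would extend it with something like `/* rot_image_params: non-zero only when the whole input image is rotated; image->width/length and xres/yres are then swapped as well */`, so a later caller does not pass TRUE for a cropped buffer and bring the mismatched dimensions back. The createCroppedImage() call passes TRUE although its error text speaks of "image or cropped selection"; a one-line comment there saying why the image parameters should follow the rotation would help. Separately, correct_orientation() declares its temporaries as `uint32_t` while the prototype and the rest of the visible code use `uint32`; `uint32 width = image->width;` would match the parameter type used in this tree. The affected function bodies continue outside the quoted hunks.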
@@ -0,0 +1,130 @@
+From: Markus Koschany
+Date: Tue, 21 Feb 2023 14:39:52 +0100
+Subject: CVE-2023-0800
+
+This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803,
+CVE-2023-0804.
+
+Bug-Debian: https://bugs.debian.org/1031632
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
+---
+ tools/tiffcrop.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 69 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 9ce1157..ebcabcf 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5251,18 +5251,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+
+ crop->regionlist[i].buffsize = buffsize;
+ crop->bufftotal += buffsize;
++
++ /* For composite images with more than one region, the
++ * combined_length or combined_width always needs to be equal,
++ * respectively.
++ * Otherwise, even the first section/region copy
++ * action might cause buffer overrun. */
+ if (crop->img_mode == COMPOSITE_IMAGES)
+ {
+ switch (crop->edge_ref)
+ {
+ case EDGE_LEFT:
+ case EDGE_RIGHT:
++ if (i > 0 && zlength != crop->combined_length)
++ {
++ TIFFError(
++ "computeInputPixelOffsets",
++ "Only equal length regions can be combined for "
++ "-E left or right");
++ return (-1);
++ }
+ crop->combined_length = zlength;
+ crop->combined_width += zwidth;
+ break;
+ case EDGE_BOTTOM:
+ case EDGE_TOP: /* width from left, length from top */
+ default:
++ if (i > 0 && zwidth != crop->combined_width)
++ {
++ TIFFError("computeInputPixelOffsets",
++ "Only equal width regions can be "
++ "combined for -E "
++ "top or bottom");
++ return (-1);
++ }
+ crop->combined_width = zwidth;
+ crop->combined_length += zlength;
+ break;
+@@ -6417,6 +6439,47 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
+ crop->combined_width = 0;
+ crop->combined_length = 0;
+
++ /* If there is more than one region, check beforehand whether all the width
++ * and length values of the regions are the same, respectively. */
++ switch (crop->edge_ref)
++ {
++ default:
++ case EDGE_TOP:
++ case EDGE_BOTTOM:
++ for (i = 1; i < crop->selections; i++)
++ {
++ uint32_t crop_width0 =
++ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
++ uint32_t crop_width1 =
++ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++ if (crop_width0 != crop_width1)
++ {
++ TIFFError("extractCompositeRegions",
++ "Only equal width regions can be combined for -E "
++ "top or bottom");
++ return (1);
++ }
++ }
++ break;
++ case EDGE_LEFT:
++ case EDGE_RIGHT:
++ for (i = 1; i < crop->selections; i++)
++ {
++ uint32_t crop_length0 =
++ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
++ uint32_t crop_length1 =
++ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ if (crop_length0 != crop_length1)
++ {
++ TIFFError("extractCompositeRegions",
++ "Only equal length regions can be combined for "
++ "-E left or right");
++ return (1);
++ }
++ }
++ }
++
++
+ for (i = 0; i < crop->selections; i++)
+ {
+ /* rows, columns, width, length are expressed in pixels */
+@@ -6440,8 +6503,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
+ default:
+ case EDGE_TOP:
+ case EDGE_BOTTOM:
+- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+- {
++ if ((crop->selections > i + 1) &&
++ (crop_width != crop->regionlist[i + 1].width))
++ {
+ TIFFError ("extractCompositeRegions",
+ "Only equal width regions can be combined for -E top or bottom");
+ return (1);
+@@ -6521,8 +6585,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
+ break;
+ case EDGE_LEFT: /* splice the pieces of each row together, side by side */
+ case EDGE_RIGHT:
+- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+- {
++ if ((crop->selections > i + 1) &&
++ (crop_length != crop->regionlist[i + 1].length))
++ {
+ TIFFError ("extractCompositeRegions",
+ "Only equal length regions can be combined for -E left or right");
+ return (1);
diff -Nru
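Review bot: In debian/patches/CVE-2023-0800.patch, the rewritten in-loop checks of extractCompositeRegions() read `crop->regionlist[i + 1].width` and `crop->regionlist[i + 1].length`, fields this loop assigns only when it reaches that index (`crop->regionlist[i].width = crop_width;`), so at iteration i they hold whatever an earlier stage left there. Whether they already carry the region's real size at that point is not visible in these hunks; if they do not, the comparison either rejects valid input or passes on stale data. The new pre-loop switch already compares every adjacent pair from x1/x2 and y1/y2, so I would either drop the look-ahead checks or derive the neighbour's size the same way, e.g. `crop_width != crop->regionlist[i + 1].x2 - crop->regionlist[i + 1].x1 + 1`. The loop body continues outside the quoted hunks.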
tiff-4.1.0+git191117/debian/patches/series tiff-4.1.0+git191117/debian/patches/series
--- tiff-4.1.0+git191117/debian/patches/series 2022-12-01 10:00:02.000000000 +0000
+++ tiff-4.1.0+git191117/debian/patches/series 2023-03-03 12:41:41.000000000 +0000
@@ -21,3 +21,5 @@
 CVE-2022-34526.patch
 CVE-2022-3599.patch
 CVE-2022-3970.patch
+CVE-2023-0795.patch
+CVE-2023-0800.patch