Subject: Re: Tiff package
To: Takahiro Kambe <taca@back-street.net>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-pkg
Date: 01/26/2005 08:20:16
On Wed, 26 Jan 2005, Takahiro Kambe wrote:

> In message <Pine.LNX.4.43.0501171039300.27246-100000@pilchuck.reedmedia.net>
> 	on Mon, 17 Jan 2005 10:49:42 -0800 (PST),
> 	"Jeremy C. Reed" <reed@reedmedia.net> wrote:
> > The tiff in pkgsrc-2004Q4 was updated. I applied patches to the 3.6.1
> > version and it was pulled up to pkgsrc-2004Q4 (in ticket 174).
> With the pkgsrc-2004Q4 branch, the tiff package still seems to be marked as
> vulnerable.
>
> ===> Checking for vulnerabilities in tiff-3.6.1nb6
> *** WARNING - remote-code-execution vulnerability in tiff-3.6.1nb6 - see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308 for more information ***
> or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential
> *** Error code 255

tiff<3.6.1nb6           buffer-overrun
http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities&flashstatus=false

tiff<3.7.1              remote-code-execution
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308

I didn't know this second one was there in pkg-vulnerabilities.

I carbon-copied wiz on this email.

revision 1.617
date: 2005/01/11 10:10:19;  author: wiz;  state: Exp;  lines: +2 -1
Add another (fixed) tiff vulnerability.

revision 1.579
date: 2004/12/22 04:10:53;  author: reed;  state: Exp;  lines: +2 -1
libtiff STRIPOFFSETS Integer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities&flashstatus=false

The webpage
(http://www.idefense.com/application/poi/display?id=174&type=vulnerabilities)
says the patch is

 - if (elem_size && bytes / elem_size == nmemb)
 + if (nmemb && elem_size && bytes / elem_size == nmemb)
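Review bot: the only behavioural change in this hunk is that a zero `nmemb` is now rejected; the previous condition accepted it, because `bytes / elem_size == nmemb` holds trivially when `bytes` is 0, so a zero-sized allocation could be requested for a count the callers then treat as an array. The overflow test itself still depends on `bytes` having been computed as `nmemb * elem_size` in the same unsigned width just before this line, which the hunk does not show, so when double-checking the pullup confirm that assignment is in patch-ag as well; and since this hunk covers only the one file, the tif_dirread.c change the mail says went missing needs to be verified separately.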

This is in patch-ag in stable pkgsrc.

But now I see the other file is missing.

And the cvsweb is missing pkgsrc/graphics/tiff/patches/Attic/patch-ao

Please see pullup 174. It should have pulled up the patch for
tif_dirread.c. I think it is:

cvs rdiff -r1.1 -r1.2 pkgsrc/graphics/tiff/patches/patch-ao

I carbon-copied snj to see if he can double check this pullup (and fix if
needed).

Once it is done, we will also have to bump the pkgrevision for stable
pkgsrc and then also increase it in pkg-vulnerabilities.

 Jeremy C. Reed

  BSD News, BSD tutorials, BSD links
  http://www.bsdnewsletter.com/
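The allocation size check behind the patch quoted in this mail, written out as an added example; this is not libtiff's or pkgsrc's code. It does the arithmetic in 32-bit so the wraparound is reproducible on any host, keeps the pre-patch and patched conditions side by side, and applies the patched one to constructed 12-byte StripOffsets directory entries (TIFF 6.0 layout: tag, type, count, value/offset, little-endian here). The function names, the entries, and the choice of SHORT/LONG as the only accepted types are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Pre-patch check: trusts the product as long as dividing it back works. */
int size_check_old(uint32_t nmemb, uint32_t elem_size)
{
    uint32_t bytes = nmemb * elem_size;       /* wraps modulo 2^32 */
    return elem_size && bytes / elem_size == nmemb;
}

/* Patched check: also rejects nmemb == 0, which the old test let through
 * because 0 / elem_size == 0 holds trivially. */
int size_check_new(uint32_t nmemb, uint32_t elem_size)
{
    uint32_t bytes = nmemb * elem_size;       /* wraps modulo 2^32 */
    return nmemb && elem_size && bytes / elem_size == nmemb;
}

/* Little-endian field readers for the constructed directory entries. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Element size for the two types StripOffsets may use (TIFF 6.0: SHORT=3,
 * LONG=4). Any other type yields 0 and therefore fails the elem_size test. */
uint32_t type_size(uint16_t type)
{
    switch (type) {
    case 3:  return 2;
    case 4:  return 4;
    default: return 0;
    }
}

/* Byte size of the offsets array an entry describes, as the patched check
 * would accept it. Returns 1 and sets *bytes on success, 0 when the entry
 * must be rejected (zero count, unknown type, or a wrapped product). */
int strip_offsets_bytes(const uint8_t entry[12], uint32_t *bytes)
{
    uint16_t type  = rd16(entry + 2);
    uint32_t count = rd32(entry + 4);
    uint32_t esz   = type_size(type);

    if (!size_check_new(count, esz))
        return 0;
    *bytes = count * esz;                     /* known not to wrap here */
    return 1;
}

/* Constructed entries (assumption, not from any real file): tag 0x0111
 * (StripOffsets), type LONG, differing only in the count field. */
static const uint8_t entry_sane[12] =
    {0x11,0x01, 0x04,0x00, 0x10,0x00,0x00,0x00, 0x00,0x00,0x00,0x00}; /* count 16 */
static const uint8_t entry_zero[12] =
    {0x11,0x01, 0x04,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00}; /* count 0 */
static const uint8_t entry_wrap[12] =
    {0x11,0x01, 0x04,0x00, 0x01,0x00,0x00,0x40, 0x00,0x00,0x00,0x00}; /* count 0x40000001 */

int main(void)
{
    uint32_t n;

    n = 0; printf("sane:  ok=%d bytes=%u\n", strip_offsets_bytes(entry_sane, &n), n);
    n = 0; printf("zero:  ok=%d bytes=%u\n", strip_offsets_bytes(entry_zero, &n), n);
    n = 0; printf("wrap:  ok=%d bytes=%u\n", strip_offsets_bytes(entry_wrap, &n), n);
    printf("old check on count 0, elem 4: %d\n", size_check_old(0, 4));
    printf("new check on count 0, elem 4: %d\n", size_check_new(0, 4));
    return 0;
}
```

The wrapped entry (0x40000001 elements of 4 bytes) produces a 32-bit product of 4, which both versions catch because 4 / 4 is not the count; the zero-count entry is the case only the patched condition rejects.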