[PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.

Status: Done
Participants: Alex Vong, Leo Famulari
Owner: unassigned
Submitted by: Alex Vong
Severity: important
Alex Vong wrote on 7 Jul 2017 00:31
(address . guix-patches@gnu.org)
87r2xti4dz.fsf@gmail.com
Severity: important
Tags: patch security

Hello,

This patch fixes the two latest CVEs of libtiff:
Cheers,
Alex

Leo Famulari wrote on 7 Jul 2017 01:40
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27603@debbugs.gnu.org)
20170706234038.GB1280@jasmine.lan
On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
> gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> * gnu/local.mk (dist_patch_DATA): Add them.

> +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> +don't apply to the libtiff 4.0.8 release tarball):
> +
> +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
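Review bot: the patch header line `+Patch lifted from upstream source repository` presents github.com/vadz/libtiff as upstream, but that repository is a third-party mirror and not libtiff's canonical repository, which was still CVS at the time. Reword the header to say the change was taken from a mirror and cross-check the hunk against the canonical upstream change before relying on it for a security fix, so reviewers can verify the patch's provenance.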

This is actually not the upstream source repository. It's a third-party
unofficial mirror.

To the chagrin of young packagers everywhere, libtiff is still using
CVS. Unless somebody beats me to it, I'll extract the patches from their
CVS repo later tonight.


Leo Famulari wrote on 7 Jul 2017 06:07
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27603-done@debbugs.gnu.org)
20170707040726.GA2920@jasmine.lan
On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
> > gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> > * gnu/local.mk (dist_patch_DATA): Add them.
>
> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> > +don't apply to the libtiff 4.0.8 release tarball):
> > +
> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>
> This is actually not the upstream source repository. It's a 3rd party
> unofficial mirror.
>
> To the chagrin of young packagers everywhere, libtiff is still using
> CVS. Unless somebody beats me to it, I'll extract the patches from their
> CVS repo later tonight.

I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818. Thanks for
getting it started Alex!


Closed
Alex Vong wrote on 7 Jul 2017 15:20
(name . Leo Famulari)(address . leo@famulari.name)(address . 27603-done@debbugs.gnu.org)
87tw2o1j08.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
>> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
>> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
>> > gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
>> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
>> > * gnu/local.mk (dist_patch_DATA): Add them.
>>
>> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
>> > +don't apply to the libtiff 4.0.8 release tarball):
>> > +
>> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>>
>> This is actually not the upstream source repository. It's a 3rd party
>> unofficial mirror.
>>
Ahhh, I blindly used the links from the Debian Security Tracker. Should have
been more careful. I wonder why they use links from an unofficial mirror.

>> To the chagrin of young packagers everywhere, libtiff is still using
>> CVS. Unless somebody beats me to it, I'll extract the patches from their
>> CVS repo later tonight.
>
:)

> I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818. Thanks for
> getting it started Alex!

You're welcome!

Leo Famulari wrote on 7 Jul 2017 18:30
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27603-done@debbugs.gnu.org)
20170707163047.GA18417@jasmine.lan
On Fri, Jul 07, 2017 at 09:20:07PM +0800, Alex Vong wrote:
> Ahhh, I blindly used the links from debian security tracker. Should have
> been more careful. I wonder why they use links from an unofficial mirror.

I noticed they were doing that, and I don't understand why. It *is*
convenient to have a relatively stable changeset ID in the form of Git
commit hashes.

I asked about it on oss-security and the repo was confirmed to be
unofficial:


It has been acknowledged by the libtiff maintainer:


