Misapplied patches in 4.0.6-2ubuntu0.1 break reading and writing JPEG compressed files

Even Rouault on the libtiff mailing list has looked into this as well -- he says the cause is a misapplied patch.

Unfortunately i can't link to his mail as the libtiff mailing list archive index has stopped being updated, but I copy-paste his mail below:

-----------
Even Rouault <email address hidden>
to tiff, me

On samedi 4 mars 2017 18:51:20 CET <email address hidden> wrote:
> tar xf tiff_4.0.6-2ubuntu0.1.debian.tar.xz
> tar xf tiff_4.0.6.orig.tar.gz
> cd tiff-4.0.6
> for i in ../debian/patches/*.patch; do patch -p1 < $i; done

Actually to reproduce, you need to apply the patches in a precise order with

for i in `cat ../debian/patches/series`; do \
 patch -p1 <../debian/patches/$i; done

I've then compared the patched libtiff/tif_dirread.c with the official one from CVS, and I understand now what happens in Debian/Ubuntu.

It appears that the following snippet

                  if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )

                        {

                            TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);

                            data[dp->tdir_count-1] = '\0';

                        }

that in official libtiff is applied in the TIFF_SETGET_C16_ASCII cases (line 5017 in HEAD) and in the TIFF_SETGET_C32_ASCII cases (line 5194 in CVS HEAD) has been wrongly applied in Debian in the TIFF_SETGET_C16_UINT8 case (line 5008) and TIFF_SETGET_C32_UINT8 case (line 5180)...

This explains the warning about the JPEGTables...

Unfortunately "make check" in the Debian patched libtiff still passes, so they have some excuse. Not so surprised since the test suite is rather small.

Even
--
Spatialys - Geospatial professional services
http://www.spatialys.com

The libtiff mailing list index has now updated, so here's the thread discussing this issue:

http://www.asmail.be/msg0055405792.html

Looks like this is broken on 16.04 as well as 16.10, I'm getting reports there too:

https://github.com/jcupitt/libvips/issues/621

Status changed to 'Confirmed' because the bug affects multiple users.

I'm attaching a new patch CVE-2016-9297_and_CVE-2016-9448_correct.patch that should be used in replacement of (so, *not* on top of) CVE-2016-9297.patch and CVE-2016-9448.patch

The attachment "Patch that should replace CVE-2016-9297.patch and CVE-2016-9448.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Thanks for reporting this issue and for the updated patch. I'll prepare a security regression updates and will publish them this week, likely tomorrow.

Thanks!

Thanks a lot John for catching this bug and helping make Ubuntu better.

In the future, in order to fix regressions in a timely manner, please see this guide:
https://wiki.ubuntu.com/StableReleaseUpdates#regressions

Please report bugs according to this guide to make it easier for developers to triage them:
https://help.ubuntu.com/community/ReportingBugs#How_to_report_bugs

This bug was fixed in the package tiff - 4.0.6-1ubuntu0.2

---------------
tiff (4.0.6-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY REGRESSION: JPEG tiff read and write issue due to misapplied
    patches (LP: #1670036)
    - debian/patches/CVE-2016-9297_and_CVE-2016-9448_correct.patch: replace
      two previous patches with one that applies fix to correct location.
    - Thanks to John Cupitt and Even Rouault

 -- Marc Deslauriers <email address hidden> Mon, 29 May 2017 07:33:56 -0400

This bug was fixed in the package tiff - 4.0.6-2ubuntu0.2

---------------
tiff (4.0.6-2ubuntu0.2) yakkety-security; urgency=medium

  * SECURITY REGRESSION: JPEG tiff read and write issue due to misapplied
    patches (LP: #1670036)
    - debian/patches/CVE-2016-9297_and_CVE-2016-9448_correct.patch: replace
      two previous patches with one that applies fix to correct location.
    - Thanks to John Cupitt and Even Rouault

 -- Marc Deslauriers <email address hidden> Mon, 29 May 2017 07:29:06 -0400

This bug was fixed in the package tiff - 4.0.3-7ubuntu0.7

---------------
tiff (4.0.3-7ubuntu0.7) trusty-security; urgency=medium

  * SECURITY REGRESSION: JPEG tiff read and write issue due to misapplied
    patches (LP: #1670036)
    - debian/patches/CVE-2016-9297_and_CVE-2016-9448_correct.patch: replace
      two previous patches with one that applies fix to correct location.
    - Thanks to John Cupitt and Even Rouault

 -- Marc Deslauriers <email address hidden> Mon, 29 May 2017 07:35:17 -0400