tiff: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804

Debian Bug report logs - #1031632

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 19 Feb 2023 15:39:02 UTC

Severity: grave

Tags: security, upstream

Found in version tiff/4.5.0-4

Fixed in version tiff/4.5.0-5

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#1031632; Package src:tiff. (Sun, 19 Feb 2023 15:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 19 Feb 2023 15:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
Date: Sun, 19 Feb 2023 16:34:01 +0100
Source: tiff
Version: 4.5.0-4
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi Laszlo,

The following vulnerabilities were published for tiff. Strictly
speaking it might be disputed to file this as RC level, though it would
be good to have those as well addressed before the bookworm release.

CVE-2023-0795[0]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.


CVE-2023-0796[1]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.


CVE-2023-0797[2]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and
| tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.


CVE-2023-0798[3]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.


CVE-2023-0799[4]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.


CVE-2023-0800[5]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.


CVE-2023-0801[6]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and
| tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.


CVE-2023-0802[7]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.


CVE-2023-0803[8]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.


CVE-2023-0804[9]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0795
    https://www.cve.org/CVERecord?id=CVE-2023-0795
[1] https://security-tracker.debian.org/tracker/CVE-2023-0796
    https://www.cve.org/CVERecord?id=CVE-2023-0796
[2] https://security-tracker.debian.org/tracker/CVE-2023-0797
    https://www.cve.org/CVERecord?id=CVE-2023-0797
[3] https://security-tracker.debian.org/tracker/CVE-2023-0798
    https://www.cve.org/CVERecord?id=CVE-2023-0798
[4] https://security-tracker.debian.org/tracker/CVE-2023-0799
    https://www.cve.org/CVERecord?id=CVE-2023-0799
[5] https://security-tracker.debian.org/tracker/CVE-2023-0800
    https://www.cve.org/CVERecord?id=CVE-2023-0800
[6] https://security-tracker.debian.org/tracker/CVE-2023-0801
    https://www.cve.org/CVERecord?id=CVE-2023-0801
[7] https://security-tracker.debian.org/tracker/CVE-2023-0802
    https://www.cve.org/CVERecord?id=CVE-2023-0802
[8] https://security-tracker.debian.org/tracker/CVE-2023-0803
    https://www.cve.org/CVERecord?id=CVE-2023-0803
[9] https://security-tracker.debian.org/tracker/CVE-2023-0804
    https://www.cve.org/CVERecord?id=CVE-2023-0804

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 19 Feb 2023 19:57:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 19 Feb 2023 19:57:17 GMT)


Message #10 received at 1031632-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1031632-done@bugs.debian.org
Subject: Accepted tiff 4.5.0-5 (source) into unstable
Date: Sun, 19 Feb 2023 20:56:52 +0100
Source: tiff
Source-Version: 4.5.0-5

----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----


Format: 1.8
Date: Sun, 19 Feb 2023 08:46:38 +0100
Source: tiff
Architecture: source
Version: 4.5.0-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changes:
 tiff (4.5.0-5) unstable; urgency=high
 .
   * Backport fix for tiffcrop correctly update buffersize after
     rotateImage().
   * Backport fix for TIFFClose() avoid NULL pointer dereferencing.
   * Backport security fix for CVE-2023-0800, CVE-2023-0801, CVE-2023-0802,
     CVE-2023-0803 and CVE-2023-0804, an out-of-bounds write in tiffcrop
     allows attackers to cause a denial-of-service via a crafted tiff file.
   * Backport security fix for CVE-2023-0795, CVE-2023-0796, CVE-2023-0797,
     CVE-2023-0798 and CVE-2023-0799, an out-of-bounds read in tiffcrop allows
     attackers to cause a denial-of-service via a crafted tiff file.



----- End forwarded message -----
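As an added triage helper (not code from the Debian bug log, the BTS or the tiff package), the following Python reimplements dpkg's version ordering so a practitioner can tell whether an installed tiff version predates the 4.5.0-5 fix named in the header, and checks that a changelog entry such as the one in the upload above mentions every CVE id the first message asks to be recorded. The function names compare_versions, is_vulnerable and missing_cves are the example's own; the version string is assumed to come from dpkg-query.

```python
import re
FIXED_VERSION = "4.5.0-5"    # "Fixed in version tiff/4.5.0-5" in the bug log header
CVES = [f"CVE-2023-{n:04d}" for n in range(795, 805)]   # the ten ids the report lists

def _order(c):
    """dpkg weight for a non-digit char: '~' < end of string < letters < other symbols."""
    if c.isdigit() or not c:
        return 0
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Compare one upstream or revision component with dpkg's ordering rules."""
    ch = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character weights one by one
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            if _order(ch(a, i)) != _order(ch(b, j)):
                return _order(ch(a, i)) - _order(ch(b, j))
            i, j = i + 1, j + 1
        # numeric run: compare by value, so leading zeros do not matter
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        i, j = i + len(na), j + len(nb)
    return 0

def _split(v):
    """'[epoch:]upstream[-revision]' -> (int epoch, upstream, revision)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    """-1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    for x, y in zip(_split(a), _split(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0

def is_vulnerable(installed):
    """True when an installed tiff version sorts before the fixed 4.5.0-5."""
    return compare_versions(installed, FIXED_VERSION) < 0

def missing_cves(changelog_entry, cves=CVES):
    """CVE ids from the report that a changelog entry does not mention."""
    return [c for c in cves if c not in changelog_entry]
```

On a Debian host the same version test is `dpkg --compare-versions <installed> lt 4.5.0-5`; the pure-Python form lets the check run anywhere, for instance over an inventory export.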



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#1031632; Package src:tiff. (Sun, 19 Feb 2023 20:12:05 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 19 Feb 2023 20:12:05 GMT)


Message #15 received at 1031632@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1031632@bugs.debian.org
Subject: Re: Bug#1031632: tiff: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
Date: Sun, 19 Feb 2023 21:08:03 +0100
Hi Salvatore,

On Sun, Feb 19, 2023 at 4:39 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> The following vulnerabilities were published for tiff. Strictly
> speaking it might be disputed to file this as RC level, though it would
> be good to have those as well addressed before the bookworm release.
Aren't these the issues I've fixed earlier today [1] with two
additional security-related fixes?
You even handled these with commit
919f8c7bc3305adea4835ca0a7b24a48e592ec25 via our security tracker.
Unfortunately I still don't get any emails from it. :( However I'm
sure I'm subscribed to the tracker-commits.

Regards,
Laszlo/GCS
[1] https://tracker.debian.org/news/1422194/accepted-tiff-450-5-source-into-unstable/



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#1031632; Package src:tiff. (Mon, 20 Feb 2023 11:18:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 20 Feb 2023 11:18:07 GMT)


Message #20 received at 1031632@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 1031632@bugs.debian.org
Subject: Re: Bug#1031632: tiff: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
Date: Mon, 20 Feb 2023 12:14:23 +0100
Hi László,

On Sun, Feb 19, 2023 at 09:08:03PM +0100, László Böszörményi (GCS) wrote:
> Hi Salvatore,
> 
> On Sun, Feb 19, 2023 at 4:39 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > The following vulnerabilities were published for tiff. Strictly
> > speaking it might be disputed to file this as RC level, though it would
> > be good to have those as well addressed before the bookworm release.
> Aren't these the issues I've fixed earlier today [1] with two
> additional security-related fixes?
> You even handled these with commit

Yes, they are the same. Having the explicit RC severity bug makes tiff
appear on the release team view. Admittedly it was probably not needed
here, and tiff will just migrate during the soft freeze still into
bookworm in time before the hard freeze.

> 919f8c7bc3305adea4835ca0a7b24a48e592ec25 via our security tracker.

Yes.

> Unfortunately I still don't get any emails from it. :( However I'm
> sure I'm subscribed to the tracker-commits.

Yeah, from time to time you get the subscription disabled due to bounces.

I will forward you one sample offline.

Regards,
Salvatore




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Feb 20 13:07:30 2023; Machine Name: buxtehude
