Debian Bug report logs -
#624287
CVE-2009-5022
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Wed, 27 Apr 2011 07:15:02 UTC
Severity: grave
Tags: security
Found in version 3.9.4-5
Fixed in versions 3.9.5-1, tiff/3.9.4-5+squeeze2
Done: Jay Berkenbilt <qjb@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#624287; Package tiff.
(Wed, 27 Apr 2011 07:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Jay Berkenbilt <qjb@debian.org>.
(Wed, 27 Apr 2011 07:15:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: tiff
Severity: grave
Tags: security
http://bugzilla.maptools.org/show_bug.cgi?id=1999 has been assigned
CVE-2009-5022.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#624287; Package tiff.
(Sat, 07 May 2011 14:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.
(Sat, 07 May 2011 14:15:05 GMT) (full text, mbox, link).
Message #10 received at 624287@bugs.debian.org (full text, mbox, reply):
Moritz Muehlenhoff <muehlenhoff@univention.de> wrote:
> http://bugzilla.maptools.org/show_bug.cgi?id=1999 has been assigned
> CVE-2009-5022.
This bug was already fixed in 3.9.5, so it only affects stable and
oldstable. I'll update the found/fixed versions and prepare packages
for stable and oldstable.
--
Jay Berkenbilt <qjb@debian.org>
Bug Marked as found in versions 3.8.2-11.3.
Request was from Jay Berkenbilt <qjb@debian.org>
to control@bugs.debian.org.
(Sat, 07 May 2011 14:15:19 GMT) (full text, mbox, link).
Bug Marked as found in versions 3.9.4-5.
Request was from Jay Berkenbilt <qjb@debian.org>
to control@bugs.debian.org.
(Sat, 07 May 2011 14:15:20 GMT) (full text, mbox, link).
Reply sent
to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility.
(Sat, 07 May 2011 14:15:27 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer.
(Sat, 07 May 2011 14:15:27 GMT) (full text, mbox, link).
Message #19 received at 624287-done@bugs.debian.org (full text, mbox, reply):
Version: 3.9.5-1
found 624287 3.8.2-11.3
found 624287 3.9.4-5
thanks
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#624287; Package tiff.
(Sat, 07 May 2011 14:18:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.
(Sat, 07 May 2011 14:18:03 GMT) (full text, mbox, link).
Message #24 received at 624287@bugs.debian.org (full text, mbox, reply):
Moritz Muehlenhoff <muehlenhoff@univention.de> wrote:
> http://bugzilla.maptools.org/show_bug.cgi?id=1999 has been assigned
> CVE-2009-5022.
Actually, it doesn't apply to oldstable either. That code didn't exist
before 3.9. So I'll prepare packages for stable-security only.
Bug No longer marked as found in versions 3.8.2-11.3.
Request was from Jay Berkenbilt <qjb@debian.org>
to control@bugs.debian.org.
(Sat, 07 May 2011 14:18:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#624287; Package tiff.
(Sat, 07 May 2011 14:36:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list.
(Sat, 07 May 2011 14:36:05 GMT) (full text, mbox, link).
Message #31 received at 624287@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Attached is a patch to create tiff-3.9.4-5+squeeze2 from
tiff-3.9.4-5+squeeze1. I have tested by building in unstable. While
I'm certain that the patch applies, I was not able to reproduce the
problem using the test case posted in upstream's bugzilla. In any case,
I don't believe that's essential as the updated version clearly includes
the accepted fix and otherwise works.
As indicated earlier, the patch is already included in 3.9.5, and the
broken code did not exist prior to the OJPEG rewrite in 3.9.4, so only
stable is affected. I close the bug in the changelog here so hopefully
that will update the BTS's record of versions. I have already indicated
that it is found in 3.9.4-5 and fixed in 3.9.5-1.
--Jay
[tiff-3.9.4-5+squeeze1-to-3.9.4-5+squeeze2.patch (text/x-diff, attachment)]
Reply sent
to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility.
(Fri, 10 Jun 2011 19:57:09 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer.
(Fri, 10 Jun 2011 19:57:09 GMT) (full text, mbox, link).
Message #36 received at 624287-close@bugs.debian.org (full text, mbox, reply):
Source: tiff
Source-Version: 3.9.4-5+squeeze2
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:
libtiff-doc_3.9.4-5+squeeze2_all.deb
to main/t/tiff/libtiff-doc_3.9.4-5+squeeze2_all.deb
libtiff-opengl_3.9.4-5+squeeze2_amd64.deb
to main/t/tiff/libtiff-opengl_3.9.4-5+squeeze2_amd64.deb
libtiff-tools_3.9.4-5+squeeze2_amd64.deb
to main/t/tiff/libtiff-tools_3.9.4-5+squeeze2_amd64.deb
libtiff4-dev_3.9.4-5+squeeze2_amd64.deb
to main/t/tiff/libtiff4-dev_3.9.4-5+squeeze2_amd64.deb
libtiff4_3.9.4-5+squeeze2_amd64.deb
to main/t/tiff/libtiff4_3.9.4-5+squeeze2_amd64.deb
libtiffxx0c2_3.9.4-5+squeeze2_amd64.deb
to main/t/tiff/libtiffxx0c2_3.9.4-5+squeeze2_amd64.deb
tiff_3.9.4-5+squeeze2.debian.tar.gz
to main/t/tiff/tiff_3.9.4-5+squeeze2.debian.tar.gz
tiff_3.9.4-5+squeeze2.dsc
to main/t/tiff/tiff_3.9.4-5+squeeze2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 624287@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 07 May 2011 10:21:28 -0400
Source: tiff
Binary: libtiff4 libtiffxx0c2 libtiff4-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 3.9.4-5+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description:
libtiff-doc - TIFF manipulation and conversion documentation
libtiff-opengl - TIFF manipulation and conversion tools
libtiff-tools - TIFF manipulation and conversion tools
libtiff4 - Tag Image File Format (TIFF) library
libtiff4-dev - Tag Image File Format library (TIFF), development files
libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 624287
Changes:
tiff (3.9.4-5+squeeze2) stable-security; urgency=high
.
* CVE-2009-5022: Buffer overflow in OJPEG support. (Closes: #624287)
Checksums-Sha1:
935c11d676b52e17d654921856faa67e3101c52b 1872 tiff_3.9.4-5+squeeze2.dsc
4d26f4cc9c29a7a56dd6f88b714d917a0f4d13c7 17080 tiff_3.9.4-5+squeeze2.debian.tar.gz
c9248ec8d119ab1600975bb119052be59607d5f8 385958 libtiff-doc_3.9.4-5+squeeze2_all.deb
9b9f26919dfd2acd0fed15f62278d115a392931f 194570 libtiff4_3.9.4-5+squeeze2_amd64.deb
8433d2c1c6cfaaa8677063765f7ec08c798f74ee 58884 libtiffxx0c2_3.9.4-5+squeeze2_amd64.deb
8ddfbf0b65c238959b673f12d1e3af1fdc40f674 321658 libtiff4-dev_3.9.4-5+squeeze2_amd64.deb
c6f7cb9007e6f3d3d597a26b51a9ec46487c2099 301964 libtiff-tools_3.9.4-5+squeeze2_amd64.deb
874590efb82bae26cd765c0c63fb56b79e5aab57 64314 libtiff-opengl_3.9.4-5+squeeze2_amd64.deb
Checksums-Sha256:
2829451d3ebea2a603d29e7041ca723168d8f7e7b0a5606af4d2913c00dbc9b2 1872 tiff_3.9.4-5+squeeze2.dsc
869256c4ad2ad5dff1eb6292c29b64cd09d904747938b46bf4e65384c7309a86 17080 tiff_3.9.4-5+squeeze2.debian.tar.gz
c0322dd0834335dc4d68619fb5ffec716e4b9adbc5982f091873712162a72a8f 385958 libtiff-doc_3.9.4-5+squeeze2_all.deb
d295e88a3a9ff1618544fa402117d095490b0b0d6147d9e0eb57ed4bcc2e86d7 194570 libtiff4_3.9.4-5+squeeze2_amd64.deb
d497f5c0d18691952f43b89eda698476913d9a788388028c4edec4e1ea02b227 58884 libtiffxx0c2_3.9.4-5+squeeze2_amd64.deb
f1565dddb48e08a0fea9f03aac00776ae469767821d589335878d8b9bee92262 321658 libtiff4-dev_3.9.4-5+squeeze2_amd64.deb
3bc536f0080ddcb5674046ebbb9a2962c67474eec460464a71cb5c4f125775a9 301964 libtiff-tools_3.9.4-5+squeeze2_amd64.deb
f1668b370c9b30dbc95d02236fa4cb5240df72729f6bf7147cc405a1df77580b 64314 libtiff-opengl_3.9.4-5+squeeze2_amd64.deb
Files:
f70685599c06cb7839a1e30c0796fa78 1872 libs optional tiff_3.9.4-5+squeeze2.dsc
75d8fb29751e615905b7f93317c5fcce 17080 libs optional tiff_3.9.4-5+squeeze2.debian.tar.gz
ef328af6ca00c350d3c5c4d44052ae89 385958 doc optional libtiff-doc_3.9.4-5+squeeze2_all.deb
aa7cd2951d8e2e2c41127e8833d828ea 194570 libs optional libtiff4_3.9.4-5+squeeze2_amd64.deb
27395ed6ffd2e8e40357adce94cc4873 58884 libs optional libtiffxx0c2_3.9.4-5+squeeze2_amd64.deb
32fc216ef4c05367b2cf6dd81c4f41dc 321658 libdevel optional libtiff4-dev_3.9.4-5+squeeze2_amd64.deb
f80a4347443f5a7cae0ac2e7e411fa5d 301964 graphics optional libtiff-tools_3.9.4-5+squeeze2_amd64.deb
63ed19dc507c34921bc1e8a591b394f1 64314 graphics optional libtiff-opengl_3.9.4-5+squeeze2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBAgAGBQJN4m6+AAoJEIp10QmYASx+ProP/0I3dwsxUD7HdW4ijWPh4blP
RVADi4zePKcWPvkXOku9SpgSJm63ynrSYJZM5nvRftHwwGCQA2Q+CoimPG0hK3rf
FYGJEn1j92IEfe8PrheOnxh4uQkwxW5VfR4R5WKLohxeR81zXQ5Wo7oJMTY7o0bN
perIxafmjBWneyDzaGcFD8X+QPNTPrOLDFDC3py+EBj8kmvEL9PFuJNOf5mSzp4e
rxg/dQhU23o8RmW1wUNekERQ87ZQ2j66VZx4KBOKvkiLLQSTbhAufXHi75VmIkJO
wU/j3OPUZ+LuZifCtUShsxEWAIIUpw69rlyI7L6bwBo/fU5lp5E+hepg/1z6VMdI
hg7IYenoGrqRXFOey6ow5LN0zwkPQymONkfXxjy6HSd5o/GxqaDCkSjCP7noXU9r
FTByizTtYPT0zhVTVNDnT28dxcapAfMhfQL4P7m3lo036pjiCmVqjiZa1YED9cZR
dc1U2aiA2g95KGldZYe+8lXzZ5W7YcYU+xLgxiXT3KbS7gvKhoSgK6uBG8qKj+51
tqZQuPnghwFJzpTeKyv2GcNZRvlwxpSXEhZIvxcCQLhIoDaj6ES8OaGYx7k62rBj
XBmJqJOoGYRULXweBmBaOtETo3cUDvFOIHvGkDrfLRzZAwqQtjYkyCbLWLFKxxpp
sj0TcicA81dT3Gr7CmWM
=uph4
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 26 Oct 2011 07:42:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:00:48 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon