Debian Bug report logs - #860003
tiff: CVE-2017-7595

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 10 Apr 2017 06:45:02 UTC

Severity: important

Tags: security, upstream

Found in version tiff/4.0.7-5

Fixed in version tiff/4.0.7-6

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#860003; Package src:tiff. (Mon, 10 Apr 2017 06:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 10 Apr 2017 06:45:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2017-7595
Date: Mon, 10 Apr 2017 08:41:09 +0200
Source: tiff
Version: 4.0.7-5
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for tiff.

CVE-2017-7595[0]:
| The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows
| remote attackers to cause a denial of service (divide-by-zero error and
| application crash) via a crafted image.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7595
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7595
[1] https://blogs.gentoo.org/ago/2017/04/01/libtiff-divide-by-zero-in-jpegsetupencode-tiff_jpeg-c/
[2] https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
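
The fault path named in the CVE text above, as an added example that is not the page's, libtiff's or the reporter's code: a zero YCbCrSubsampling value taken from an untrusted input file reaches an integer modulo in the JPEG encoder setup, and the hardened form rejects it first. Assumptions: the IFD walker handles only little-endian classic TIFF with the SHORT[2] value stored inline; `strip_height_ok_unguarded` and `strip_height_ok_guarded` approximate the shape of the strip-height test in JPEGSetupEncode and of the guard in the upstream commit referenced as [2], they are not libtiff source; the sample TIFF bytes are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TIFFTAG_YCBCRSUBSAMPLING 530u
#define DCTSIZE 8u   /* JPEG DCT block size, as in libjpeg */

/* Little-endian readers/writers for the byte buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Constructed sample input: a minimal little-endian classic TIFF whose only
 * IFD entry is YCbCrSubsampling = (h, v). Returns the byte length (26). */
size_t make_tiff_with_subsampling(uint8_t *out, uint16_t h, uint16_t v) {
    memcpy(out, "II*\0", 4);          /* byte order "II" + magic 42 */
    wr32(out + 4, 8);                 /* first IFD at offset 8 */
    wr16(out + 8, 1);                 /* one directory entry */
    wr16(out + 10, TIFFTAG_YCBCRSUBSAMPLING);
    wr16(out + 12, 3);                /* type SHORT */
    wr32(out + 14, 2);                /* count 2: fits inline in the value field */
    wr16(out + 18, h);
    wr16(out + 20, v);
    wr32(out + 22, 0);                /* no next IFD */
    return 26;
}

/* Find YCbCrSubsampling in the first IFD (assumed layout, see lead-in).
 * Returns 1 and fills out[] when present, 0 when absent or malformed. */
int read_ycbcr_subsampling(const uint8_t *buf, size_t len, uint16_t out[2]) {
    if (len < 8 || memcmp(buf, "II*\0", 4) != 0) return 0;
    uint32_t ifd = rd32(buf + 4);
    if (ifd > len || len - ifd < 2) return 0;
    uint16_t n = rd16(buf + ifd);
    if ((len - ifd - 2) / 12 < n) return 0;    /* entries must fit in buffer */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        if (rd16(e) == TIFFTAG_YCBCRSUBSAMPLING && rd16(e + 2) == 3 && rd32(e + 4) == 2) {
            out[0] = rd16(e + 8);
            out[1] = rd16(e + 10);
            return 1;
        }
    }
    return 0;
}

/* Shape of the strip-height test in the encoder setup: a strip must hold a
 * whole number of v_sampling*DCTSIZE rows. With v_sampling == 0 the modulo is
 * an integer division by zero (SIGFPE), which is the CVE-2017-7595 crash.
 * Returns 1 if the layout is acceptable, 0 if not. Never call with 0. */
int strip_height_ok_unguarded(uint32_t rowsperstrip, uint32_t imagelength, uint16_t v_sampling) {
    if (rowsperstrip < imagelength && (rowsperstrip % (v_sampling * DCTSIZE)) != 0)
        return 0;
    return 1;
}

/* Hardened form: reject a zero sampling factor before any arithmetic uses it.
 * Returns -1 when rejected, otherwise the unguarded result. */
int strip_height_ok_guarded(uint32_t rowsperstrip, uint32_t imagelength,
                            uint16_t h_sampling, uint16_t v_sampling) {
    if (h_sampling == 0 || v_sampling == 0)
        return -1;
    return strip_height_ok_unguarded(rowsperstrip, imagelength, v_sampling);
}

/* End-to-end: take the subsampling from the untrusted input (as a tool that
 * copies tags into a JPEG-compressed output would), default 2,2 when the tag
 * is absent, then run the guarded check. */
int jpeg_setup_from_tiff(const uint8_t *buf, size_t len, uint32_t rowsperstrip, uint32_t imagelength) {
    uint16_t ss[2] = {2, 2};
    read_ycbcr_subsampling(buf, len, ss);
    return strip_height_ok_guarded(rowsperstrip, imagelength, ss[0], ss[1]);
}

/* Build the constructed file with (h, v) and check it against a 100-row image. */
int demo_result(uint16_t h, uint16_t v, uint32_t rowsperstrip) {
    uint8_t buf[32];
    size_t n = make_tiff_with_subsampling(buf, h, v);
    return jpeg_setup_from_tiff(buf, n, rowsperstrip, 100);
}

int main(void) {
    printf("subsampling 2,2 rowsperstrip=16: %d\n", demo_result(2, 2, 16));
    printf("subsampling 2,0 rowsperstrip=16: %d (rejected instead of SIGFPE)\n",
           demo_result(2, 0, 16));
    return 0;
}
```

The crash only needs the zero to survive until the modulo; a reader of the tag that trusts the file and a compression setup that assumes the tag was validated earlier are together enough, which is why the fix checks both factors at the point of use rather than relying on the directory reader.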



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Fri, 14 Apr 2017 15:09:13 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 14 Apr 2017 15:09:13 GMT) (full text, mbox, link).


Message #10 received at 860003-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 860003-close@bugs.debian.org
Subject: Bug#860003: fixed in tiff 4.0.7-6
Date: Fri, 14 Apr 2017 15:05:44 +0000
Source: tiff
Source-Version: 4.0.7-6

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860003@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 14 Apr 2017 07:21:47 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.7-6
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 859998 860000 860001 860003
Changes:
 tiff (4.0.7-6) unstable; urgency=high
 .
   * Backport security fixes:
     - CVE-2017-7595, divide-by-zero in JPEGSetupEncode (closes: #860003),
     - CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599, CVE-2017-7600,
       CVE-2017-7601 and CVE-2017-7602, multiple UBSAN crashes,
     - CVE-2017-7592, left-shift undefined behavior issue in putagreytile
       (closes: #859998),
     - CVE-2017-7593, uninitialized-memory access from tif_rawdata
       (closes: #860000),
     - CVE-2017-7594, leak in OJPEGReadHeaderInfoSecTablesAcTable
       (closes: #860001).
   * Add required _TIFFcalloc@LIBTIFF_4.0 symbol to the libtiff5 package.
Checksums-Sha1:
 f3193f4b726cd1eb0714c0d12c2368f207827f87 2157 tiff_4.0.7-6.dsc
 0594cd9f5ac87d0f8f158c56414c86e75d43f882 29660 tiff_4.0.7-6.debian.tar.xz
 f61ac1a07c98e72dd39e4fbbf3d4d2b41a8689dd 388982 libtiff-doc_4.0.7-6_all.deb
 a6ff66c8a546162877a6765a3a7f8b5085c64023 14166 libtiff-opengl-dbgsym_4.0.7-6_amd64.deb
 0f913f4672b47380b7e6caf5edfc2f55decc3ca5 96692 libtiff-opengl_4.0.7-6_amd64.deb
 ea97dfe5cf032cd9279d46eea1ddce6ec8048a02 351358 libtiff-tools-dbgsym_4.0.7-6_amd64.deb
 192e8101880e63023a6b16d7ce6104b7e1ff443a 277606 libtiff-tools_4.0.7-6_amd64.deb
 bc52a07fc5454f5a77180dc0296a7b08e160f470 367448 libtiff5-dbgsym_4.0.7-6_amd64.deb
 c11b90cf9f2de86a0dec1f31c14c76b430ac7bab 354048 libtiff5-dev_4.0.7-6_amd64.deb
 40e8e0d62faf35d38c289613f54aadade0218c0b 231528 libtiff5_4.0.7-6_amd64.deb
 b578d72c4d37d2f1510c6b19f265a275a7bdf154 21044 libtiffxx5-dbgsym_4.0.7-6_amd64.deb
 d7af762f1771be7ba8925200747358ae8e49f8a1 91972 libtiffxx5_4.0.7-6_amd64.deb
 3e11e163deccf073d2648af28d9e82795ee14c13 11080 tiff_4.0.7-6_amd64.buildinfo
Checksums-Sha256:
 6a43c50ac96a44c7627522d99689cdce75474777ec1f3d6c9af7db5b5d434f72 2157 tiff_4.0.7-6.dsc
 9c9048c28205bdbeb5ba36c7a194d0cd604bd137c70961607bfc8a079be5fa31 29660 tiff_4.0.7-6.debian.tar.xz
 377f10c2bc226c2ef9058d365cd7558f7fbfefc1adedf3a29ea9db3305666bcb 388982 libtiff-doc_4.0.7-6_all.deb
 8b2088bf081b09b357e13390d3009c2ae092e51bc87053b50678724be0b07e9b 14166 libtiff-opengl-dbgsym_4.0.7-6_amd64.deb
 568f5cd87c607e15f7d67a74d5ffda2aacc1813b41858fcc88ebc210e8b14fe3 96692 libtiff-opengl_4.0.7-6_amd64.deb
 8d731b3cc70d357b14534e33addbd2b3c9f9a05bf4964c1dfdb0c8b5bca5324a 351358 libtiff-tools-dbgsym_4.0.7-6_amd64.deb
 37244e451bf46c0ecbbde52b0fd971238ecac05b948e069ce2603d9952bc2f28 277606 libtiff-tools_4.0.7-6_amd64.deb
 c1667657a99bfb0eb7cda498440c9f5c4e570d9d13de14903dfef319305602a0 367448 libtiff5-dbgsym_4.0.7-6_amd64.deb
 e2e02ddc044f0e19d9eb6ed653de989c70f573b564f20ed9eecd48e781c06f98 354048 libtiff5-dev_4.0.7-6_amd64.deb
 402090d16de78bc01c88eb1f819b0d3ea8f2eead2e35c02d7ce45f44eab037ee 231528 libtiff5_4.0.7-6_amd64.deb
 317ca70d144b93ed8337ac00613c2032f25a8a31b1e392b0a48348db9d65bc95 21044 libtiffxx5-dbgsym_4.0.7-6_amd64.deb
 6ea2878664b32c19bde98a0385b3c253fa8a401cacad4936081da26c83498635 91972 libtiffxx5_4.0.7-6_amd64.deb
 db466cfb381b40f0baefab2e9e51db6e1b368637ea4987ec878b01e3076738f6 11080 tiff_4.0.7-6_amd64.buildinfo
Files:
 3be908fdf2733ece51bb8cb4d8a370dd 2157 libs optional tiff_4.0.7-6.dsc
 02bcbd60fd3d2964897414df0ad28725 29660 libs optional tiff_4.0.7-6.debian.tar.xz
 e0cfcb9a881251efbe8e0e28498693f4 388982 doc optional libtiff-doc_4.0.7-6_all.deb
 5e714439fcd5492199a2b1bb96833dc7 14166 debug extra libtiff-opengl-dbgsym_4.0.7-6_amd64.deb
 d934b75a22b62c60246aecce7a20a02e 96692 graphics optional libtiff-opengl_4.0.7-6_amd64.deb
 80923aa1027a568d9b962a1d052e6226 351358 debug extra libtiff-tools-dbgsym_4.0.7-6_amd64.deb
 faabea8738dcfc2bd84fa10c723ca2a3 277606 graphics optional libtiff-tools_4.0.7-6_amd64.deb
 919d6b7d53eb4245fba6694a5896f856 367448 debug extra libtiff5-dbgsym_4.0.7-6_amd64.deb
 a0eb5f588468d9383a5056ca1fd71982 354048 libdevel optional libtiff5-dev_4.0.7-6_amd64.deb
 345bb36f927213bb9e78bf515b9bc11c 231528 libs optional libtiff5_4.0.7-6_amd64.deb
 a82b9cbffcd7ceb4355c2c7baa978732 21044 debug extra libtiffxx5-dbgsym_4.0.7-6_amd64.deb
 cb40a1962f76eefce6ceb7429076e044 91972 libs optional libtiffxx5_4.0.7-6_amd64.deb
 16e6ebffe2f85fa2b4879a26c3a1dcef 11080 libs optional tiff_4.0.7-6_amd64.buildinfo


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 15 May 2017 07:25:10 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:26:01 2019; Machine Name: beach
