Debian Bug report logs - #873879
tiff: CVE-2017-13727


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 31 Aug 2017 20:21:04 UTC

Severity: important

Tags: patch, security, upstream

Found in version tiff/4.0.3-12.3

Fixed in version tiff/4.0.8-5

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.maptools.org/show_bug.cgi?id=2728



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#873879; Package src:tiff. (Thu, 31 Aug 2017 20:21:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 31 Aug 2017 20:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2017-13727
Date: Thu, 31 Aug 2017 22:18:54 +0200
Source: tiff
Version: 4.0.3-12.3
Severity: important
Tags: patch security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2728

Hi,

the following vulnerability was published for tiff.

CVE-2017-13727[0]:
| There is a reachable assertion abort in the function
| TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to
| tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote
| denial of service attack.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-13727
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13727
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2728
[2] https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Thu, 31 Aug 2017 22:27:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 31 Aug 2017 22:27:07 GMT)


Message #10 received at 873879-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 873879-close@bugs.debian.org
Subject: Bug#873879: fixed in tiff 4.0.8-5
Date: Thu, 31 Aug 2017 22:24:39 +0000
Source: tiff
Source-Version: 4.0.8-5

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873879@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 31 Aug 2017 21:09:59 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.8-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 873879 873880
Changes:
 tiff (4.0.8-5) unstable; urgency=high
 .
   * Backport security fixes:
     - CVE-2017-13726, reachable assertion abort in TIFFWriteDirectorySec()
       (closes: #873880),
     - CVE-2017-13727, reachable assertion abort in
       TIFFWriteDirectoryTagSubifd() (closes: #873879).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Oct 2017 07:30:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:04:41 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.