tiff: CVE-2018-17101: Out-of-bounds Write in the tiff2bw and pal2rgb tools

Debian Bug report logs - #909037

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 17 Sep 2018 18:51:07 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions tiff/4.0.8-2, tiff/4.0.9-6

Fixed in versions tiff/4.0.9+git181026-1, tiff/4.0.8-2+deb9u3, tiff/4.0.8-2+deb9u4

Done: Moritz Mühlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.maptools.org/show_bug.cgi?id=2807


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#909037; Package src:tiff. (Mon, 17 Sep 2018 18:51:10 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 17 Sep 2018 18:51:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2018-17101: Out-of-bounds Write in the tiff2bw and pal2rgb tools
Date: Mon, 17 Sep 2018 20:50:52 +0200
Source: tiff
Version: 4.0.8-2
Severity: important
Tags: patch security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2807
Control: found -1 4.0.9-6

Hi,

The following vulnerability was published for tiff.

CVE-2018-17101[0]:
| An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds
| writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can
| cause a denial of service (application crash) or possibly have
| unspecified other impact via a crafted image file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17101
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17101
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2807

Regards,
Salvatore



Marked as found in versions tiff/4.0.9-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 17 Sep 2018 18:51:10 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sun, 28 Oct 2018 15:21:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 Oct 2018 15:21:06 GMT)


Message #12 received at 909037-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 909037-close@bugs.debian.org
Subject: Bug#909037: fixed in tiff 4.0.9+git181026-1
Date: Sun, 28 Oct 2018 15:19:51 +0000
Source: tiff
Source-Version: 4.0.9+git181026-1

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 909037@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 28 Oct 2018 11:04:14 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source amd64 all
Version: 4.0.9+git181026-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-dev - Tag Image File Format library (TIFF), development files, current
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 909037 909038 911635
Changes:
 tiff (4.0.9+git181026-1) unstable; urgency=high
 .
   * Git snapshot, fixing the following security issues:
     - CVE-2018-17100, int32 overflow in multiply_ms() which can cause a DoS
       or possibly have unspecified other impact via a crafted image file
       (closes: #909038),
     - CVE-2018-17101, two out-of-bounds writes in cpTags() which can cause a
       DoS or possibly have unspecified other impact via a crafted image file
       (closes: #909037),
     - CVE-2018-18557, out-of-bounds write in JBIGDecode() (closes: #911635).
   * Remove previously backported security patches.
   * Build with Zstandard, a fast lossless compression algorithm.
   * Build with WebP, the modern VP8 compression format.
   * Update libtiff5 symbols.


Severity set to 'grave' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 29 Nov 2018 21:36:04 GMT)


Reply sent to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility. (Mon, 03 Dec 2018 21:51:24 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Dec 2018 21:51:24 GMT)


Message #19 received at 909037-close@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@debian.org>
To: 909037-close@bugs.debian.org
Subject: Bug#909037: fixed in tiff 4.0.8-2+deb9u3
Date: Mon, 03 Dec 2018 21:47:28 +0000
Source: tiff
Source-Version: 4.0.8-2+deb9u3

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 909037@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 29 Nov 2018 20:45:11 +0100
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.8-2+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 869823 883320 890441 891288 893806 898348 909037 909038 911635
Changes:
 tiff (4.0.8-2+deb9u3) stretch-security; urgency=medium
 .
   * CVE-2018-5784 (Closes: #890441)
   * CVE-2018-7456 (Closes: #891288)
   * CVE-2018-8905 (Closes: #893806)
   * CVE-2018-10963 (Closes: #898348)
   * CVE-2018-17100 (Closes: #909038)
   * CVE-2018-17101 (Closes: #909037)
   * CVE-2018-18557 (Closes: #911635)
   * CVE-2017-11613 (Closes: #869823)
   * CVE-2017-17095 (Closes: #883320)



Reply sent to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility. (Mon, 03 Dec 2018 21:51:26 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Dec 2018 21:51:26 GMT)


Message #24 received at 909037-close@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@debian.org>
To: 909037-close@bugs.debian.org
Subject: Bug#909037: fixed in tiff 4.0.8-2+deb9u4
Date: Mon, 03 Dec 2018 21:47:38 +0000
Source: tiff
Source-Version: 4.0.8-2+deb9u4

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 909037@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 29 Nov 2018 20:45:11 +0100
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.8-2+deb9u4
Distribution: stretch-security
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 869823 883320 890441 891288 893806 898348 909037 911635
Changes:
 tiff (4.0.8-2+deb9u4) stretch-security; urgency=medium
 .
   * CVE-2018-5784 (Closes: #890441)
   * CVE-2018-7456 (Closes: #891288)
   * CVE-2018-8905 (Closes: #893806)
   * CVE-2018-10963 (Closes: #898348)
   * CVE-2018-17101 (Closes: #909037)
   * CVE-2018-18557 (Closes: #911635)
   * CVE-2017-11613 (Closes: #869823)
   * CVE-2017-17095 (Closes: #883320)
     (deb9u3 is unreleased, broken interim)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Mar 2019 07:28:00 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:13:12 2019; Machine Name: beach
