tiff: CVE-2018-10963


Debian Bug report logs - #898348


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 10 May 2018 15:42:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions tiff/4.0.9-1, tiff/4.0.3-12.3

Fixed in version tiff/4.0.9-6

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.maptools.org/show_bug.cgi?id=2795




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#898348; Package src:tiff. (Thu, 10 May 2018 15:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 10 May 2018 15:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2018-10963
Date: Thu, 10 May 2018 17:39:18 +0200
Source: tiff
Version: 4.0.9-1
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2795

Hi,

The following vulnerability was published for tiff.

CVE-2018-10963[0]:
| The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF
| through 4.0.9 allows remote attackers to cause a denial of service
| (assertion failure and application crash) via a crafted file, a
| different vulnerability than CVE-2017-13726.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10963
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2795

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions tiff/4.0.3-12.3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 12 May 2018 14:18:08 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 14 May 2018 17:09:17 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sun, 01 Jul 2018 21:24:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 01 Jul 2018 21:24:05 GMT)


Message #14 received at 898348-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 898348-close@bugs.debian.org
Subject: Bug#898348: fixed in tiff 4.0.9-6
Date: Sun, 01 Jul 2018 21:21:01 +0000
Source: tiff
Source-Version: 4.0.9-6

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898348@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 01 Jul 2018 19:46:23 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source amd64 all
Version: 4.0.9-6
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-dev - Tag Image File Format library (TIFF), development files, current
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 893806 898348
Changes:
 tiff (4.0.9-6) unstable; urgency=high
 .
   * Fix CVE-2018-8905: heap-based buffer overflow in LZWDecodeCompat()
     (closes: #893806).
   * Fix CVE-2018-10963: remote denial of service (closes: #898348).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Aug 2018 07:27:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:05:02 2019; Machine Name: buxtehude
