tiff: CVE-2015-8665: out-of-bound read in tif_getimage.c


Debian Bug report logs - #808968


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 25 Dec 2015 08:03:02 UTC

Severity: important

Tags: security, upstream

Found in version tiff/3.9.4-5

Fixed in versions tiff/4.0.6-1, tiff/4.0.3-12.3+deb8u1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#808968; Package src:tiff. (Fri, 25 Dec 2015 08:03:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ondřej Surý <ondrej@debian.org>. (Fri, 25 Dec 2015 08:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2015-8665: out-of-bound read in tif_getimage.c
Date: Fri, 25 Dec 2015 08:59:56 +0100
Source: tiff
Version: 3.9.4-5
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for tiff.

CVE-2015-8665[0]:
Out-of-bounds Read

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8665
[1] http://www.openwall.com/lists/oss-security/2015/12/24/2

Regards,
Salvatore



Marked as fixed in versions tiff/4.0.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Jan 2016 19:45:13 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Wed, 10 Feb 2016 22:22:57 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Feb 2016 22:22:57 GMT)


Message #12 received at 808968-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 808968-close@bugs.debian.org
Subject: Bug#808968: fixed in tiff 4.0.3-12.3+deb8u1
Date: Wed, 10 Feb 2016 22:18:19 +0000
Source: tiff
Source-Version: 4.0.3-12.3+deb8u1

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 808968@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 02 Jan 2016 09:18:06 +0100
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.3-12.3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 808968 809021
Changes:
 tiff (4.0.3-12.3+deb8u1) jessie-security; urgency=high
 .
   * Backport upstream fixes for:
     - CVE-2015-8665 an out-of-bound read in TIFFRGBAImage interface
       (closes: #808968),
     - CVE-2015-8683 an out-of-bounds read in CIE Lab image format
       (closes: #809021),
     - CVE-2015-8781 out of bounds write at tif_luv.c:208,
     - CVE-2015-8782 potential out-of-bound writes in decode,
     - CVE-2015-8783 potential out-of-bound reads in case of short input data,
     - CVE-2015-8784 potential out-of-bound write in NeXTDecode().
Checksums-Sha1:
 1592d69661d4bffeb0924770cadb0280dc6c6bfd 2226 tiff_4.0.3-12.3+deb8u1.dsc
 652e97b78f1444237a82cbcfe014310e776eb6f0 2051630 tiff_4.0.3.orig.tar.gz
 16b525b3b71102ba1992427c85ffea6d5fa7044a 31764 tiff_4.0.3-12.3+deb8u1.debian.tar.xz
 59f99a67bd84376b1bf6956334e7288c98d70fb2 363528 libtiff-doc_4.0.3-12.3+deb8u1_all.deb
 2f42ea521422199af07572678f573bb86c438138 213448 libtiff5_4.0.3-12.3+deb8u1_amd64.deb
 017e23930fa66c217d579e4a4a930df5267279df 74990 libtiffxx5_4.0.3-12.3+deb8u1_amd64.deb
 6340bab6581ae5f9bfabbb338cb61b846f483dc0 335260 libtiff5-dev_4.0.3-12.3+deb8u1_amd64.deb
 f225923488fd1c419d54fbbfeeccbdaaafe24e4e 285694 libtiff-tools_4.0.3-12.3+deb8u1_amd64.deb
 c9706d6a178b9d85f1e0638f128534adad05cb3a 79906 libtiff-opengl_4.0.3-12.3+deb8u1_amd64.deb
Checksums-Sha256:
 eb8d25c4f28aafb3ddbe29d29f91876c13539da38011837ad974f65838cf5fec 2226 tiff_4.0.3-12.3+deb8u1.dsc
 ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872 2051630 tiff_4.0.3.orig.tar.gz
 a689adbd64ff8220fb095bceface04417068e69d6ec98063db3489f1c02410a6 31764 tiff_4.0.3-12.3+deb8u1.debian.tar.xz
 682b3f9e7e2cd7fd982dc3c51ed92a4529e25ad3336496f11358f7f0c30c9e6d 363528 libtiff-doc_4.0.3-12.3+deb8u1_all.deb
 06b4254a0a78fdf199b044975d5b750902ca8916400db7cc309deeba44dee42e 213448 libtiff5_4.0.3-12.3+deb8u1_amd64.deb
 132dc95ca561cfa7f0ac7bd25e1c73ded1052414566f74128d921ad73bfaf817 74990 libtiffxx5_4.0.3-12.3+deb8u1_amd64.deb
 66475418fa4790016ed42e91b9fead8214605a2b604b4cab7837cadb6ad6ada5 335260 libtiff5-dev_4.0.3-12.3+deb8u1_amd64.deb
 43ca07b50381d45ecf1e2430c7960c0e0a301ad0d0567d51a7e8bc4c328b5347 285694 libtiff-tools_4.0.3-12.3+deb8u1_amd64.deb
 6e2680ef375c241484fa8e4c354ebf3f8519e4bbe72533d985c76cb1d23ef084 79906 libtiff-opengl_4.0.3-12.3+deb8u1_amd64.deb
Files:
 336b29c642a4c3f44eca5644b95c0600 2226 libs optional tiff_4.0.3-12.3+deb8u1.dsc
 051c1068e6a0627f461948c365290410 2051630 libs optional tiff_4.0.3.orig.tar.gz
 8994b58cf108e18084acd4813f376963 31764 libs optional tiff_4.0.3-12.3+deb8u1.debian.tar.xz
 1ee185ebe665b2fa80d2dfdf857a9b35 363528 doc optional libtiff-doc_4.0.3-12.3+deb8u1_all.deb
 97b01df72c1d4b2c94db92ef79e6dddc 213448 libs optional libtiff5_4.0.3-12.3+deb8u1_amd64.deb
 691332632e03c9bf4393ba3f2763227c 74990 libs optional libtiffxx5_4.0.3-12.3+deb8u1_amd64.deb
 952ae037759bc976f131e78ac1f49262 335260 libdevel optional libtiff5-dev_4.0.3-12.3+deb8u1_amd64.deb
 0f0121dc6100287e623ecb6836f0bbfb 285694 graphics optional libtiff-tools_4.0.3-12.3+deb8u1_amd64.deb
 6afe47c3712577cc97147a1a76ac98c0 79906 graphics optional libtiff-opengl_4.0.3-12.3+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
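The Checksums-Sha256 field in the signed .changes file above is what binds the uploaded .dsc, tarballs and .deb files to the upload: once the PGP signature on the .changes has been verified, the digests let anyone who mirrors or re-downloads the artifacts confirm they are the ones the maintainer signed. The following is an added example, not Debian tooling (dak, apt and dpkg perform this check themselves): it parses stanza lines in the `<sha256hex> <size> <filename>` layout shown above, refuses filenames that are not plain basenames (a hostile .changes file must not steer the verifier outside the download directory), and reports each file as ok, missing, size-mismatch or digest-mismatch. The function names and the sample files in `demo()` are the example's own constructions; their digests are not the digests of the real Debian artifacts.

```python
"""Verify downloaded Debian artifacts against a Checksums-Sha256 stanza.
Added example; not dak, apt or dpkg code. Sample files are constructed."""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")


def parse_checksums(stanza: str) -> dict:
    """Parse '<sha256hex> <size> <filename>' lines (the layout of the
    Checksums-Sha256 field) into {filename: (lowercase digest, size)}.
    Filenames must be bare basenames so no entry can escape the directory."""
    entries = {}
    for raw in stanza.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):   # blank line or the field name
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, size, name = parts
        if len(digest) != 64 or any(c not in HEX for c in digest):
            raise ValueError(f"bad sha256 digest for {name!r}")
        if not size.isdigit():
            raise ValueError(f"bad size for {name!r}")
        if name in ("", ".", "..") or name != os.path.basename(name):
            raise ValueError(f"refusing non-basename filename {name!r}")
        entries[name] = (digest.lower(), int(size))
    return entries


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large .deb files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(directory: str, entries: dict) -> dict:
    """Check every listed file. Result per filename is one of
    'ok', 'missing', 'size-mismatch', 'digest-mismatch'."""
    results = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:      # cheap check before hashing
            results[name] = "size-mismatch"
        elif sha256_file(path) != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def demo() -> dict:
    """Constructed scenario: one intact file, one tampered file of the same
    size, one truncated file and one missing file. Returns the results."""
    good = b"constructed stand-in for libtiff5_4.0.3-12.3+deb8u1_amd64.deb\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.deb"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.deb"), "wb") as f:
            f.write(good[:-1] + b"!")            # same length, different bytes
        with open(os.path.join(d, "truncated.deb"), "wb") as f:
            f.write(good[:10])
        # Every entry claims the digest and size of the intact content.
        stanza = "Checksums-Sha256:\n" + "".join(
            f" {hashlib.sha256(good).hexdigest()} {len(good)} {name}\n"
            for name in ("good.deb", "tampered.deb", "truncated.deb", "absent.dsc"))
        return verify_directory(d, parse_checksums(stanza))


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:14s} {state}")
```

The digests only mean something once the signature on the .changes file has been checked against a key you trust; an attacker who can replace the .deb can just as easily replace an unsigned checksum list next to it.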




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 10 Mar 2016 07:37:08 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:13:40 2019; Machine Name: buxtehude
