Debian Bug report logs -
#851297
tiff: CVE-2017-5225
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 13 Jan 2017 18:57:08 UTC
Severity: important
Tags: patch, security, upstream
Found in versions tiff/4.0.3-12.3, tiff/4.0.7-4
Fixed in version tiff/4.0.7-5
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#851297; Package src:tiff.
(Fri, 13 Jan 2017 18:57:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Fri, 13 Jan 2017 18:57:11 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: tiff
Version: 4.0.7-4
Severity: important
Tags: security patch upstream
Hi,
the following vulnerability was published for tiff.
CVE-2017-5225[0]:
| LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the
| tools/tiffcp resulting in DoS or code execution via a crafted
| BitsPerSample value.
For 4.0.7, reproducible with an ASAN build and the reproducers given
in the upstream bug reports [1], [2].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-5225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2656
[2] http://bugzilla.maptools.org/show_bug.cgi?id=2657
Please adjust the affected versions in the BTS as needed. Only found
time to check 4.0.7 source.
Regards,
Salvatore
Marked as found in versions tiff/4.0.3-12.3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 13 Jan 2017 19:15:13 GMT) (full text, mbox, link).
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Sun, 15 Jan 2017 18:39:05 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 15 Jan 2017 18:39:05 GMT) (full text, mbox, link).
Message #12 received at 851297-close@bugs.debian.org (full text, mbox, reply):
Source: tiff
Source-Version: 4.0.7-5
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 851297@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 15 Jan 2017 16:49:05 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.7-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
libtiff-doc - TIFF manipulation and conversion documentation
libtiff-opengl - TIFF manipulation and conversion tools
libtiff-tools - TIFF manipulation and conversion tools
libtiff5 - Tag Image File Format (TIFF) library
libtiff5-dev - Tag Image File Format library (TIFF), development files
libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 851297
Changes:
tiff (4.0.7-5) unstable; urgency=high
.
* Fix CVE-2017-5225: heap buffer overflow via a crafted BitsPerSample value
(closes: #851297).
Checksums-Sha1:
6565ff8fac0237bd10d7c34c7847063f4f8cd9c4 2157 tiff_4.0.7-5.dsc
0c7555964933101dab0291e983c4fd700336b0e5 24756 tiff_4.0.7-5.debian.tar.xz
d94199f826c76e65d6d1d07136786121369b1529 388206 libtiff-doc_4.0.7-5_all.deb
0ece36a7f48eefa70cb310ed066b015d7965933f 14178 libtiff-opengl-dbgsym_4.0.7-5_amd64.deb
c8efda6839dd6f374480b1013069f4f65343c9dc 95956 libtiff-opengl_4.0.7-5_amd64.deb
019460ac0d63d3b113e3ea878179c6f839a4abbd 351366 libtiff-tools-dbgsym_4.0.7-5_amd64.deb
ba2879450e322c8d96da05a93572e6f05ab69465 276452 libtiff-tools_4.0.7-5_amd64.deb
2db292db8cc603162172a1f915bb056e56c26981 366156 libtiff5-dbgsym_4.0.7-5_amd64.deb
f7fde28e8d039f9dcf21f131a23936230977cf61 352132 libtiff5-dev_4.0.7-5_amd64.deb
53c6168a562e2bda60ed223cce1f6a438a6eca09 230144 libtiff5_4.0.7-5_amd64.deb
38405b64e579864827b6157c8b771c54482934a5 21018 libtiffxx5-dbgsym_4.0.7-5_amd64.deb
23025e46627113acffca0946669c2413eefb160e 91250 libtiffxx5_4.0.7-5_amd64.deb
c2f0efb76445fb69355a862263afc1485fc67d7e 10075 tiff_4.0.7-5_amd64.buildinfo
Checksums-Sha256:
da84a0420d7c93f6a52dd7c9e97aef4e82fcf73ddb07b89f92c91f4ce4ad5da6 2157 tiff_4.0.7-5.dsc
f4183c48ed74b6c3c3a74ff1f10f0cf972d3dba0f840cf28b5a3f3846ceb2be6 24756 tiff_4.0.7-5.debian.tar.xz
669ecb8c63e9008346576cf1ca1335d6e604ac6b565f81b7ab4ba52bc26c929d 388206 libtiff-doc_4.0.7-5_all.deb
c4e0f019f268a4b4f8ccde79b599d50ab81d8aa1475355c22abf70e965f0ba49 14178 libtiff-opengl-dbgsym_4.0.7-5_amd64.deb
2c2152da2a28dd40e5f644e8bd6a1f6e055ca4c55316b83500c6879596ee47a9 95956 libtiff-opengl_4.0.7-5_amd64.deb
4bb04f7b17f85e08d54a3af0457741db1d84591df17b37ac17cafc4e74a69710 351366 libtiff-tools-dbgsym_4.0.7-5_amd64.deb
2798c5d800c28bd19623e8b4715d4c87b619e24410c98f6f9afaf776ec6141ef 276452 libtiff-tools_4.0.7-5_amd64.deb
31f614c783960a9b247911e1a2f27c825b07dcd8382c24c57f6c7e48c9dab9a1 366156 libtiff5-dbgsym_4.0.7-5_amd64.deb
e5b098db24f4f8ae14afc8b3959cb6a393fc03030f3dd4bc8a0293d402c4ad21 352132 libtiff5-dev_4.0.7-5_amd64.deb
bb39962ceab3870a135f444c758f7c47b150d3ebec44a02074c53ffa4a2d9afa 230144 libtiff5_4.0.7-5_amd64.deb
c72c0474393c964a3f49b98e281edf8071496c2ec612e4dabb703ac1278e8d6c 21018 libtiffxx5-dbgsym_4.0.7-5_amd64.deb
91f8b4a0f9d908a3c598ded79e1f8e2abe89b7e3976019b7a5f13f2f9591ba7b 91250 libtiffxx5_4.0.7-5_amd64.deb
ff6c8837c91659e1248d6c108cdb1a9621a2eaed875a354ccd8513cc7d15061e 10075 tiff_4.0.7-5_amd64.buildinfo
Files:
9a4d81688c696c99bab097cf4ce4a136 2157 libs optional tiff_4.0.7-5.dsc
5c8ed4864c8e2f52be43f15d62d46838 24756 libs optional tiff_4.0.7-5.debian.tar.xz
3e694317ea433de33beda4b9822b870a 388206 doc optional libtiff-doc_4.0.7-5_all.deb
d79a5e8d316c9c3176aa092ece3a8f87 14178 debug extra libtiff-opengl-dbgsym_4.0.7-5_amd64.deb
ecb5f785ce116fd8368e8174eb9c30a2 95956 graphics optional libtiff-opengl_4.0.7-5_amd64.deb
e6ce1ba8b19ec074369e7757d85f4e06 351366 debug extra libtiff-tools-dbgsym_4.0.7-5_amd64.deb
8a7e99962632fb2b2563941a050c25f6 276452 graphics optional libtiff-tools_4.0.7-5_amd64.deb
e91a875b3a9978641ceaad68b74c90ee 366156 debug extra libtiff5-dbgsym_4.0.7-5_amd64.deb
312de930d75ae42403b1dc5f3f0c6f03 352132 libdevel optional libtiff5-dev_4.0.7-5_amd64.deb
0a18caf5b160b85f27b92d569b26eb26 230144 libs optional libtiff5_4.0.7-5_amd64.deb
40663c1bc6443475d58c4903cf34c9ed 21018 debug extra libtiffxx5-dbgsym_4.0.7-5_amd64.deb
2ad1a5fda78c674fa91d1e9b678607c1 91250 libs optional libtiffxx5_4.0.7-5_amd64.deb
90b8598cca19829a246184fbeb5fe2bc 10075 libs optional tiff_4.0.7-5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlh7vaoACgkQ3OMQ54ZM
yL8TZg/+JpIgpQQlCQrqzQAeL992fz4Y/Vk+ejpboy75VQiU0UvRU2S4Wx1cgprA
VKEyg0bFG8GTPkL4YEN06ttXp2MnlhVud3VOfTc2vzHe30+r/ozYxdvavW8i0KQX
8pLri6M18D58MtnX9qme19iFhVSPQi0G1iDMV5aowDYm3IcKNPTOaXC7DHfHeHOo
1eWJGS6yL7n5WjE6kSGvvCt6UNIyTw3JPeCCT6kCm2ZqItOw/Y3yBmF1tZk0iQRl
MZ+VYeBv33itBVK5raIZgyqEIfH7fRMU5RynMPBuLREgaSpfDCiu6eF49JWKeEos
ZORBiEilw/jQlZMPuufWYNCgMrnJjixeAy+BW3b5UPaRbYGboEgegl8bzGdxty+l
MajgMBgoBmNWPYj0XubUO6Oft6bTmpxUOpMAXjEo02JO5j2y9a0uKGHXVxzJ1C8o
9H71+Lc7WSBCMY1WxZYAzj22JYBPAobLslXRzWW0WFJH3scoVz7mWSDlCz/suBBo
XN+gIbjhSI3gvfVNvOr7iISasE8V1h0T9tDddmF0NMzlzWgOKTJK37rAWfcEXOY4
vWTYegMpRRxR0l0pBTpq2uErqX651+TppEYRS36b/qrtgU4DnBXAUCRLW4BKp+7e
DG6BS+tmiCG46QFzL3lUf+jS81K9RLTpJD51bjKKA0QH5e+std4=
=HtCv
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 23 Feb 2017 07:39:07 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:20:56 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon