Debian Bug report logs - #885985
tiff: CVE-2017-18013: NULL Pointer Dereference


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 1 Jan 2018 10:06:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions tiff/4.0.3-1, tiff/4.0.9-2

Fixed in version tiff/4.0.9-3

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.maptools.org/show_bug.cgi?id=2770



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#885985; Package src:tiff. (Mon, 01 Jan 2018 10:06:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 01 Jan 2018 10:06:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2017-18013: NULL Pointer Dereference
Date: Mon, 01 Jan 2018 11:03:37 +0100
Source: tiff
Version: 4.0.9-2
Severity: important
Tags: patch security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2770
Control: found -1 4.0.3-1

Hi,

the following vulnerability was published for tiff.

CVE-2017-18013[0]:
| In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the
| tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo
| crash.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-18013
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013

Please adjust the affected versions in the BTS as needed, looking at
the code, and unless I miss something this issue goes back to
4.0.3-1, thus marking it as such. Please correct me if I was wrong.

Regards,
Salvatore
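The report above only says that TIFFPrintDirectory() dereferences a NULL pointer while tiffinfo walks a crafted directory. The following is an added illustration of that bug class, written for this page; it is not libtiff code, not the upstream patch, and does not reproduce the crafted file from the upstream bug. It assumes a toy little-endian TIFF (constructed inline, with ASCII tags 270, 305 and 315 and a deliberately unresolvable value for two of them) and two hypothetical printers: one that hands the lookup result straight to the output routine, the way the pre-fix code path behaved in spirit, and one that skips a tag whose data cannot be resolved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIFF_ASCII               2
#define TIFFTAG_IMAGEDESCRIPTION 270
#define TIFFTAG_SOFTWARE         305
#define TIFFTAG_ARTIST           315

/* Constructed sample (not a real crash file): a little-endian TIFF whose first
 * IFD holds three ASCII tags. Software resolves to "tiffinfo"; ImageDescription
 * declares count 0; Artist declares 64 bytes at offset 1000 in a 59-byte file. */
static const uint8_t sample_tiff[] = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,                             /* header, IFD at 8 */
    0x03, 0x00,                                                               /* 3 entries */
    0x0E, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* 270 ASCII count 0 */
    0x31, 0x01, 0x02, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00,   /* 305 ASCII 9 @50 */
    0x3B, 0x01, 0x02, 0x00, 0x40, 0x00, 0x00, 0x00, 0xE8, 0x03, 0x00, 0x00,   /* 315 ASCII 64 @1000 */
    0x00, 0x00, 0x00, 0x00,                                                   /* no next IFD */
    't', 'i', 'f', 'f', 'i', 'n', 'f', 'o', 0x00                              /* Software data at 50 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve the ASCII value of `tag` in the first IFD. *n always receives the
 * directory's declared count; the return is a pointer into buf, or NULL when
 * the entry is missing, has count 0, or points outside the file. That pairing
 * (a count from the directory, a NULL for the data) is the hazard. */
static const char *find_ascii(const uint8_t *buf, size_t len, uint16_t tag, uint32_t *n)
{
    *n = 0;
    if (len < 8 || memcmp(buf, "II", 2) != 0 || rd16(buf + 2) != 42)
        return NULL;
    uint32_t ifd = rd32(buf + 4);
    if (ifd > len || len - ifd < 2)
        return NULL;
    uint16_t entries = rd16(buf + ifd);
    if ((len - ifd - 2) / 12 < entries)
        return NULL;                                   /* IFD truncated */
    for (uint16_t i = 0; i < entries; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        if (rd16(e) != tag || rd16(e + 2) != TIFF_ASCII)
            continue;
        uint32_t count = rd32(e + 4), value = rd32(e + 8);
        *n = count;
        if (count == 0)
            return NULL;                               /* nothing to point at */
        if (count <= 4)
            return (const char *)(e + 8);              /* value stored inline */
        if (value > len || len - value < count)
            return NULL;                               /* data past end of file */
        return (const char *)(buf + value);
    }
    return NULL;
}

static uint32_t declared_count(const uint8_t *buf, size_t len, uint16_t tag)
{
    uint32_t n;
    find_ascii(buf, len, tag, &n);
    return n;
}

/* Unchecked printer: the pre-fix shape. The NULL from find_ascii() goes
 * straight into fwrite(), which reads through it. main() only calls this
 * on the tag that resolves. */
static void print_ascii_unchecked(const uint8_t *buf, size_t len, uint16_t tag)
{
    uint32_t n;
    const char *s = find_ascii(buf, len, tag, &n);
    printf("  Tag %u: ", tag);
    fwrite(s, 1, n, stdout);                           /* crashes when s == NULL */
    putchar('\n');
}

/* Hardened printer: an unresolvable value means "skip the tag", never
 * "dereference whatever we were given". Returns 1 if printed, 0 if skipped. */
static int print_ascii_checked(const uint8_t *buf, size_t len, uint16_t tag)
{
    uint32_t n;
    const char *s = find_ascii(buf, len, tag, &n);
    if (s == NULL) {
        printf("  Tag %u: <skipped: declared count %u, no data>\n", tag, n);
        return 0;
    }
    printf("  Tag %u: %.*s\n", tag, (int)n, s);
    return 1;
}

int main(void)
{
    const uint16_t tags[] = { TIFFTAG_IMAGEDESCRIPTION, TIFFTAG_SOFTWARE, TIFFTAG_ARTIST };
    puts("Checked walk over the sample directory:");
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        print_ascii_checked(sample_tiff, sizeof sample_tiff, tags[i]);
    print_ascii_unchecked(sample_tiff, sizeof sample_tiff, TIFFTAG_SOFTWARE); /* resolves, so safe */
    return 0;
}
```

The practical point for a triager is the second half of find_ascii(): a directory entry can declare a count while the data behind it is unobtainable, and any printing loop that trusts the count alone will walk into a NULL. On a Debian host, tiffinfo ships in libtiff-tools and links libtiff5, so the fixed state is libtiff5 at 4.0.9-3 or later in unstable (check with dpkg -s libtiff5 and dpkg --compare-versions); stable releases carry the fix under their own version numbers, so compare against the security tracker rather than this number.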



Marked as found in versions tiff/4.0.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 01 Jan 2018 10:06:03 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Mon, 01 Jan 2018 17:06:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 01 Jan 2018 17:06:14 GMT)


Message #12 received at 885985-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 885985-close@bugs.debian.org
Subject: Bug#885985: fixed in tiff 4.0.9-3
Date: Mon, 01 Jan 2018 17:04:33 +0000
Source: tiff
Source-Version: 4.0.9-3

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 885985@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Jan 2018 16:26:47 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source amd64 all
Version: 4.0.9-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-dev - Tag Image File Format library (TIFF), development files, current
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 885985
Changes:
 tiff (4.0.9-3) unstable; urgency=high
 .
   * Fix CVE-2017-18013: NULL pointer dereference in TIFFPrintDirectory()
     (closes: #885985).
Checksums-Sha1:
 7eb3d91865df7e3e25ee6f92c094ae2612aef2b5 2184 tiff_4.0.9-3.dsc
 602f7c1a6765bce309e3b79e48e125624a4591a9 18528 tiff_4.0.9-3.debian.tar.xz
 cf32652345ffd45243f68d6958f8c5ab056a7c95 96176 libtiff-dev_4.0.9-3_amd64.deb
 be7906622590241292b7726d0948f3deeb132030 403132 libtiff-doc_4.0.9-3_all.deb
 f2e3612fb15129c7e13cd5c90168ebcf890b60b5 14312 libtiff-opengl-dbgsym_4.0.9-3_amd64.deb
 ec940d69877076708f688af9a2fcf3602c69d89e 104748 libtiff-opengl_4.0.9-3_amd64.deb
 14155c9f4b71394e7cdb1a919f5eae785b14087d 352412 libtiff-tools-dbgsym_4.0.9-3_amd64.deb
 bf0ffeb6e21a0c1780209615fb59faf80dde67e1 286924 libtiff-tools_4.0.9-3_amd64.deb
 02bd680ffa247a12106e2004169c0eae175fbeb4 376244 libtiff5-dbgsym_4.0.9-3_amd64.deb
 a91a922bc8db3d78888af168ebe090acdd3cdd23 366648 libtiff5-dev_4.0.9-3_amd64.deb
 a7100d029bc3b309639c8f3e7d45b60487a5acd8 245164 libtiff5_4.0.9-3_amd64.deb
 c2f38ca8d5e702143e978d2ea519b9e036b6bbf9 21104 libtiffxx5-dbgsym_4.0.9-3_amd64.deb
 b715f285c1c20856b7ab71764b047342f115cc56 99876 libtiffxx5_4.0.9-3_amd64.deb
 2730b25f2f2c9da74720862ec4c6f5ddcc638e41 11917 tiff_4.0.9-3_amd64.buildinfo
Checksums-Sha256:
 c0c57fa7f155918e117a3e6b79e581279d16d19fabc4ed49fa79433b691ddd3a 2184 tiff_4.0.9-3.dsc
 c413f5b2423b95d8b068adca695f0ddaea5219088a1d38de4800b379bc20ca73 18528 tiff_4.0.9-3.debian.tar.xz
 46f436520fdce340cb078638b36344b7498de39d50cc0996e3d09970e87e299e 96176 libtiff-dev_4.0.9-3_amd64.deb
 f1caa2c9462e09573190c36424597ba5117128d689214aaf889f044c9c469a77 403132 libtiff-doc_4.0.9-3_all.deb
 02cab12d373e6d6b93d1a7a28ec7643eb791f1694cd5ac2f37b449d08d5c8018 14312 libtiff-opengl-dbgsym_4.0.9-3_amd64.deb
 da3e48ccba4531ee1dc31dc902c9fe2f907444539c152b6df4aa86cffeec808c 104748 libtiff-opengl_4.0.9-3_amd64.deb
 42ad0283231f59f7ed915b50c08303e0ea0d4bc18355831978b526c16cf9ef44 352412 libtiff-tools-dbgsym_4.0.9-3_amd64.deb
 1078d145c24bcdbafbf0d67594d10ad495fd588bbe5b5f68727687f6967a12ff 286924 libtiff-tools_4.0.9-3_amd64.deb
 32d726442e700f63d2f277fe0811a7b95c8e7953efb7d48ad64a591441a1ca37 376244 libtiff5-dbgsym_4.0.9-3_amd64.deb
 75a30ed6ffa4850bf284365ac1eab8d601f994553676fe082a8bec8e96a07250 366648 libtiff5-dev_4.0.9-3_amd64.deb
 6d73992cec14bdfc44c6013dadc8a2b31f24255a9aa2e0dbd55e5fbc8269e14d 245164 libtiff5_4.0.9-3_amd64.deb
 49de4c17ace4c6d3be2c23772305a29633f5097bfd1691adcbd795add99b059a 21104 libtiffxx5-dbgsym_4.0.9-3_amd64.deb
 af0e2408edd5636d887795910afae347cbb51eef48c9f2b0bd4da0f3024ce924 99876 libtiffxx5_4.0.9-3_amd64.deb
 26c3aec52dc017713fca5613d361c0644ab89ec87b820e38ca57466e15b9646c 11917 tiff_4.0.9-3_amd64.buildinfo
Files:
 08bb8e3f5bba946bfcccc8f97428c1e5 2184 libs optional tiff_4.0.9-3.dsc
 60155b32c1db42360e15e6e27dd803e7 18528 libs optional tiff_4.0.9-3.debian.tar.xz
 d69e44a9514fbaae24d1cdd76a0c3bb3 96176 oldlibs optional libtiff-dev_4.0.9-3_amd64.deb
 4f2b8f37123b5f7b49f2a631ebd70502 403132 doc optional libtiff-doc_4.0.9-3_all.deb
 089b714522a60a3479dc45963d7da80f 14312 debug optional libtiff-opengl-dbgsym_4.0.9-3_amd64.deb
 46b8028b84bb2ff3c02790a37f989814 104748 graphics optional libtiff-opengl_4.0.9-3_amd64.deb
 6acef1217ca58a3798c907a81f23816a 352412 debug optional libtiff-tools-dbgsym_4.0.9-3_amd64.deb
 98304e120f5d8c6e9f01f575c2373be5 286924 graphics optional libtiff-tools_4.0.9-3_amd64.deb
 d098cdb2a821040fba60011c343094c1 376244 debug optional libtiff5-dbgsym_4.0.9-3_amd64.deb
 16a3770269e850461bd49ede2184cdab 366648 libdevel optional libtiff5-dev_4.0.9-3_amd64.deb
 a01f5bfc704086d0ea6b76e9a260c15d 245164 libs optional libtiff5_4.0.9-3_amd64.deb
 7b0675e3c830945db3d0886df6d78fd9 21104 debug optional libtiffxx5-dbgsym_4.0.9-3_amd64.deb
 f061e1cf770aac0a9098971cbdda3279 99876 libs optional libtiffxx5_4.0.9-3_amd64.deb
 c8efe8ab7bb6d3509ae784d3320aba47 11917 libs optional tiff_4.0.9-3_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Feb 2018 07:30:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:09:48 2019; Machine Name: beach
