Debian Bug report logs - #600188
tiff: CVE-2010-3087

Package: tiff; Maintainer for tiff is Laszlo Boszormenyi (GCS) <gcs@debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Thu, 14 Oct 2010 13:24:02 UTC

Severity: grave

Tags: security

Fixed in version tiff/3.9.4-5

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#600188; Package tiff. (Thu, 14 Oct 2010 13:24:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Jay Berkenbilt <qjb@debian.org>. (Thu, 14 Oct 2010 13:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2010-3087
Date: Thu, 14 Oct 2010 15:21:12 +0200
Package: tiff
Severity: grave
Tags: security
Justification: user security hole

Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087

This patch should fix it:
http://bugzilla.maptools.org/show_bug.cgi?id=2140

(Lenny is not affected)

Cheers,
        Moritz

-- System Information:
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#600188; Package tiff. (Sat, 16 Oct 2010 14:48:10 GMT)


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sat, 16 Oct 2010 14:48:10 GMT)


Message #10 received at 600188@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>
Cc: 600188@bugs.debian.org
Subject: Re: Bug#600188: tiff: CVE-2010-3087
Date: Sat, 16 Oct 2010 10:44:55 -0400
Moritz Muehlenhoff <muehlenhoff@univention.de> wrote:

> Package: tiff
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087
>
> This patch should fix it:
> http://bugzilla.maptools.org/show_bug.cgi?id=2140

Upstream rejected the patch in their bug 2140, and the patch's author
said it was only a partial fix.  The CVE references a bug in Novell's
bugzilla, but even after creating an account, I don't have access to
read the bug.  So I'm really not sure what to do here.  I could just
blindly accept the patch, but then I'm permanently deviating from
upstream.  Should I discuss with upstream?  I could grab Red Hat's
latest SRPM and see how long they've been using this patch, or I could
dig through upstream's CVS repository and see what the status is there.

-- 
Jay Berkenbilt <qjb@debian.org>




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#600188; Package tiff. (Sun, 17 Oct 2010 20:48:03 GMT)


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sun, 17 Oct 2010 20:48:03 GMT)


Message #15 received at 600188@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>
Cc: 600188@bugs.debian.org
Subject: Re: Bug#600188: tiff: CVE-2010-3087
Date: Sun, 17 Oct 2010 16:45:39 -0400
Disregard my previous response.  Red Hat and SUSE have both taken the
patch from the bugzilla issue that upstream rejected, so I will do so as
well.  Uploading momentarily.

Jay Berkenbilt <qjb@debian.org> wrote:

> Moritz Muehlenhoff <muehlenhoff@univention.de> wrote:
>
>> Package: tiff
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Please see:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087
>>
>> This patch should fix it:
>> http://bugzilla.maptools.org/show_bug.cgi?id=2140
>
> Upstream rejected the patch in their bug 2140, and the patch's author
> said it was only a partial fix.  The CVE references a bug in Novell's
> bugzilla, but even after creating an account, I don't have access to
> read the bug.  So I'm really not sure what to do here.  I could just
> blindly accept the patch, but then I'm permanently deviating from
> upstream.  Should I discuss with upstream?  I could grab Red Hat's
> latest SRPM and see how long they've been using this patch, or I could
> dig through upstream's CVS repository and see what the status is there.




Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Sun, 17 Oct 2010 21:06:05 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sun, 17 Oct 2010 21:06:05 GMT)


Message #20 received at 600188-close@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 600188-close@bugs.debian.org
Subject: Bug#600188: fixed in tiff 3.9.4-5
Date: Sun, 17 Oct 2010 21:02:29 +0000
Source: tiff
Source-Version: 3.9.4-5

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-doc_3.9.4-5_all.deb
  to main/t/tiff/libtiff-doc_3.9.4-5_all.deb
libtiff-opengl_3.9.4-5_amd64.deb
  to main/t/tiff/libtiff-opengl_3.9.4-5_amd64.deb
libtiff-tools_3.9.4-5_amd64.deb
  to main/t/tiff/libtiff-tools_3.9.4-5_amd64.deb
libtiff4-dev_3.9.4-5_amd64.deb
  to main/t/tiff/libtiff4-dev_3.9.4-5_amd64.deb
libtiff4_3.9.4-5_amd64.deb
  to main/t/tiff/libtiff4_3.9.4-5_amd64.deb
libtiffxx0c2_3.9.4-5_amd64.deb
  to main/t/tiff/libtiffxx0c2_3.9.4-5_amd64.deb
tiff_3.9.4-5.debian.tar.gz
  to main/t/tiff/tiff_3.9.4-5.debian.tar.gz
tiff_3.9.4-5.dsc
  to main/t/tiff/tiff_3.9.4-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 600188@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 17 Oct 2010 16:44:08 -0400
Source: tiff
Binary: libtiff4 libtiffxx0c2 libtiff4-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 3.9.4-5
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 600188
Changes: 
 tiff (3.9.4-5) unstable; urgency=high
 .
   * Incorporated fix to CVE-2010-3087, a potential denial of service
     exploitable with a specially crafted TIFF file.  (Closes: #600188)
Checksums-Sha1: 
 140f55879c1b698ae73d6a09be5585a9ed8b793f 1836 tiff_3.9.4-5.dsc
 5505dae33e91faf42ab6088a40e489c6d0c91567 15843 tiff_3.9.4-5.debian.tar.gz
 8e2102ddf803af42a084035769273de034ebfd1f 385798 libtiff-doc_3.9.4-5_all.deb
 97b4e68b2678bd5e9766f19ee86d53278746e5a6 194180 libtiff4_3.9.4-5_amd64.deb
 bd698fbd01c24ebf3b32992203fd615d3388eb22 58756 libtiffxx0c2_3.9.4-5_amd64.deb
 053d714ca81d7fdd5e2da1865e50c9024c51bee0 321330 libtiff4-dev_3.9.4-5_amd64.deb
 8d4dda561b48f06d13ed2bf088e6a66de130bbf0 301864 libtiff-tools_3.9.4-5_amd64.deb
 e87f3bbc0ced69e545aede07ae45b05f1e3a73ac 64170 libtiff-opengl_3.9.4-5_amd64.deb
Checksums-Sha256: 
 5973e13949ccf30d7f6f9adff1179c77ae661be528c81f77f554a912fba6aa6b 1836 tiff_3.9.4-5.dsc
 a6d89e57ce3e80bd656f101991a26bab9e61132ff7703e995c57189361efed20 15843 tiff_3.9.4-5.debian.tar.gz
 66baca22eb44feca334456cfc6f310c9027710b78426f804936bfac81452f470 385798 libtiff-doc_3.9.4-5_all.deb
 dd891b48b4eea1e68fc46d4a5bbd2a0caf89bbad0766ade000350efce5153dc6 194180 libtiff4_3.9.4-5_amd64.deb
 dae926462b418f28bfcd24a1856186d6da3d8ca3e567191ea9565b26a04be5ba 58756 libtiffxx0c2_3.9.4-5_amd64.deb
 e088b2b8be329fd61b26b0142e7cf082414efe1ffaaf7786bcac792299eb02bd 321330 libtiff4-dev_3.9.4-5_amd64.deb
 71993714a6e481283e93a308b007e24061f00ccd09571fc2a884ffb50322fff6 301864 libtiff-tools_3.9.4-5_amd64.deb
 d54d5d705ac998d284b97f94226258ded6f4792afe08681f6a246a5550a1b23f 64170 libtiff-opengl_3.9.4-5_amd64.deb
Files: 
 2ec1daf1fb8457f268bd50b7341cfc01 1836 libs optional tiff_3.9.4-5.dsc
 809cf67141086afa9683d5baadef33bb 15843 libs optional tiff_3.9.4-5.debian.tar.gz
 70c9a1f62f46edb0419bb8dbd917c615 385798 doc optional libtiff-doc_3.9.4-5_all.deb
 b3f998fcd68f765b45837d9c2a73397a 194180 libs optional libtiff4_3.9.4-5_amd64.deb
 1e0b26afd53e2f2db5996a066e6de136 58756 libs optional libtiffxx0c2_3.9.4-5_amd64.deb
 0e37030d24dc550f1d6db0bb22886c4c 321330 libdevel optional libtiff4-dev_3.9.4-5_amd64.deb
 03cc07ba6a9b11f6b06f354bff37bddf 301864 graphics optional libtiff-tools_3.9.4-5_amd64.deb
 a163014d225546e90c7485133b1b29d9 64170 graphics optional libtiff-opengl_3.9.4-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----


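A practical follow-up to the "Fixed in version tiff/3.9.4-5" status above: given the version string that `dpkg-query -W -f '${Version}' libtiff4` prints on a host, decide whether that host carries the fixing upload. The code below is an added example, not part of the bug log and not dpkg's own code; it reimplements dpkg's version ordering (epoch first, then upstream version, then Debian revision, with `~` sorting before everything including end of string and letters sorting before other non-digits) in Python so the check can run on machines without dpkg, for instance when grading an inventory export. Only the fixed version 3.9.4-5 comes from the page; the sample installed versions in the block are constructed.

```python
# Added example: Debian-style version comparison, used to check whether an
# installed tiff package is at or past the upload that closed bug #600188.
# Reimplements dpkg's ordering rules in Python; it is not dpkg's own code.

FIXED_VERSION = "3.9.4-5"  # from the bug log: "Fixed in version tiff/3.9.4-5"

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run, as dpkg sorts them:
    '~' before everything (even end of string), ASCII letters by code point,
    any other punctuation after all letters; end of string and digits are 0."""
    if c == "" or c in _DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream version or Debian revision) by
    alternating non-digit runs and numeric runs. Negative means a < b."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: advance both strings while either is on a non-digit.
        # The loop only continues past equal characters, so both indices stay
        # in bounds when incremented.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, compare digit by digit remembering
        # the first difference; the run with more remaining digits is larger.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' the way dpkg does: the epoch is the
    part before the first ':', the revision the part after the LAST '-'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: native package, empty revision (equal to "0")
        upstream, revision = version, ""
    return epoch, upstream, revision


def _sign(n: int) -> int:
    return (n > 0) - (n < 0)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return _sign(ea - eb)
    r = _verrevcmp(ua, ub)
    if r:
        return _sign(r)
    return _sign(_verrevcmp(ra, rb))


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or beyond the fixing upload."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample strings in the shape dpkg-query prints; only 3.9.4-5
    # itself appears in the bug log.
    for v in ["3.9.4-4", "3.9.4-5", "3.9.4-5+b1", "3.9.4-5~bpo60+1", "3.9.5-1"]:
        print(f"{v:16} fixed={is_fixed(v)}")
```

Two points the check alone cannot settle. A binNMU such as 3.9.4-5+b1 sorts above 3.9.4-5 and counts as fixed, while a backport-style 3.9.4-5~bpo60+1 sorts below it and does not, which is exactly why "version >= fixed" has to use dpkg's ordering rather than a plain string or float comparison. And a version below 3.9.4-5 is not necessarily vulnerable: the report says Lenny is not affected, and that per-suite judgement is information a version comparison has no way to recover.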



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 15 Nov 2010 07:36:27 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:09:35 2019; Machine Name: beach

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.