tiff: CVE-2018-18661


Debian Bug report logs - #912012


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 27 Oct 2018 09:00:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version tiff/4.0.9-6

Fixed in version tiff/4.0.10-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.maptools.org/show_bug.cgi?id=2819




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#912012; Package src:tiff. (Sat, 27 Oct 2018 09:00:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 27 Oct 2018 09:00:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2018-18661
Date: Sat, 27 Oct 2018 10:57:51 +0200
Source: tiff
Version: 4.0.9-6
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2819

Hi,

The following vulnerability was published for tiff.

CVE-2018-18661[0]:
| An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer
| dereference in the function LZWDecode in the file tif_lzw.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18661
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18661
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2819

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 01 Nov 2018 20:30:12 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Mon, 19 Nov 2018 23:39:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 19 Nov 2018 23:39:15 GMT)


Message #12 received at 912012-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 912012-close@bugs.debian.org
Subject: Bug#912012: fixed in tiff 4.0.10-1
Date: Mon, 19 Nov 2018 23:36:06 +0000
Source: tiff
Source-Version: 4.0.10-1

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912012@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 19 Nov 2018 17:16:05 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff-dev libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source amd64 all
Version: 4.0.10-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-dev - Tag Image File Format library (TIFF), development files
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files (transiti
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 672858 884978 904165 907794 912012
Changes:
 tiff (4.0.10-1) unstable; urgency=high
 .
   * New upstream release.
   * Fix CVE-2018-18661: NULL pointer dereference in LZWDecode()
     (closes: #912012).
   * Move libtiff5-dev contents to libtiff-dev.
   * Mark libtiff-dev as Multi-Arch same (closes: #884978).
   * Mark libtiff-{tools,opengl} as Multi-Arch foreign (closes: #904165).
   * Mark libtiff-doc as Multi-Arch foreign (closes: #907794).
   * Fix TIFFReadRawStrip man page typo (closes: #672858).
   * Update Standards-Version to 4.2.1.
Checksums-Sha1:
Checksums-Sha256:
Files:





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 26 Dec 2018 07:26:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:40:54 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.