tiff: CVE-2018-5784: Uncontrolled resource consumption in TIFFSetDirectory

Related Vulnerabilities: CVE-2018-5784  

Debian Bug report logs - #890441


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 14 Feb 2018 19:51:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version tiff/4.0.9-1

Fixed in version tiff/4.0.9-4

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.maptools.org/show_bug.cgi?id=2772



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#890441; Package src:tiff. (Wed, 14 Feb 2018 19:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 14 Feb 2018 19:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2018-5784: Uncontrolled resource consumption in TIFFSetDirectory
Date: Wed, 14 Feb 2018 20:47:55 +0100
Source: tiff
Version: 4.0.9-1
Severity: important
Tags: patch security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2772

Hi,

the following vulnerability was published for tiff.

CVE-2018-5784[0]:
| In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the
| TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage
| this vulnerability to cause a denial of service via a crafted tif file.
| This occurs because the declared number of directory entries is not
| validated against the actual number of directory entries.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5784
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5784
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2772
[2] https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
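
The check the CVE text describes, as an added example that is not part of this bug report, of the upstream fix, or of libtiff itself: a small validator for a classic (32-bit) TIFF held in memory that walks the IFD chain, as TIFFSetDirectory does, and rejects any directory whose declared entry count does not fit in the bytes that remain in the file, before that count is used for any allocation or per-entry work. It also rejects a chain that revisits an earlier IFD or exceeds a cap, because a crafted next-IFD pointer can make a directory walk unbounded. The sample buffers, the MAX_IFDS cap and the return-code names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libtiff code. Walks the IFD chain of a classic
 * (32-bit) TIFF held in memory and validates each directory's declared
 * entry count against the bytes actually present. */

#define IFD_ENTRY_SIZE 12u
#define MAX_IFDS       64u   /* hypothetical cap on directories per file */

enum tiff_rc {
    TIFF_OK = 0,
    TIFF_BAD_HEADER,     /* not "II"/"MM" + 42, or shorter than 8 bytes */
    TIFF_BAD_IFD_OFFSET, /* IFD offset points outside the buffer */
    TIFF_TRUNCATED_IFD,  /* declared count * 12 + 4 exceeds remaining bytes */
    TIFF_IFD_LOOP,       /* next-IFD pointer revisits an earlier IFD */
    TIFF_TOO_MANY_IFDS   /* chain longer than MAX_IFDS */
};

static uint16_t rd16(const unsigned char *p, int le)
{
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}

static uint32_t rd32(const unsigned char *p, int le)
{
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                 (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Returns TIFF_OK and stores the number of directories in *ndirs, or the
 * first inconsistency found while walking the chain. */
int tiff_validate_ifds(const unsigned char *buf, size_t len, unsigned *ndirs)
{
    uint32_t seen[MAX_IFDS];
    unsigned n = 0;
    int le;

    if (len < 8) return TIFF_BAD_HEADER;
    if (memcmp(buf, "II", 2) == 0) le = 1;
    else if (memcmp(buf, "MM", 2) == 0) le = 0;
    else return TIFF_BAD_HEADER;
    if (rd16(buf + 2, le) != 42) return TIFF_BAD_HEADER;

    for (uint32_t off = rd32(buf + 4, le); off != 0;) {
        if (n >= MAX_IFDS) return TIFF_TOO_MANY_IFDS;
        for (unsigned i = 0; i < n; i++)
            if (seen[i] == off) return TIFF_IFD_LOOP;
        /* The 2-byte entry count itself must lie inside the buffer. */
        if (off < 8 || off > len - 2) return TIFF_BAD_IFD_OFFSET;

        uint16_t count = rd16(buf + off, le);
        /* Declared entries vs. actual bytes: count * 12 bytes of entries
         * plus the 4-byte next-IFD pointer must fit after the count. */
        size_t need = (size_t)count * IFD_ENTRY_SIZE + 4;
        if (need > len - ((size_t)off + 2)) return TIFF_TRUNCATED_IFD;

        seen[n++] = off;
        off = rd32(buf + off + 2 + (size_t)count * IFD_ENTRY_SIZE, le);
    }
    *ndirs = n;
    return TIFF_OK;
}

/* Number of IFDs on success, or the negated error code on failure. */
int tiff_count_ifds(const unsigned char *buf, size_t len)
{
    unsigned n = 0;
    int rc = tiff_validate_ifds(buf, len, &n);
    return rc == TIFF_OK ? (int)n : -rc;
}

/* Constructed little-endian samples (not real files). */
/* Well-formed: one IFD with a single ImageWidth=1 entry, then end of chain. */
static const unsigned char SAMPLE_OK[] = {
    'I','I', 0x2a,0x00, 0x08,0x00,0x00,0x00,
    0x01,0x00,                                   /* 1 entry */
    0x00,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00                          /* next IFD = 0 */
};
/* Crafted: declares 65535 entries but the file ends 4 bytes later. */
static const unsigned char SAMPLE_TRUNC[] = {
    'I','I', 0x2a,0x00, 0x08,0x00,0x00,0x00,
    0xff,0xff, 0x00,0x00,0x00,0x00
};
/* Crafted: zero entries and a next-IFD pointer back to itself. */
static const unsigned char SAMPLE_LOOP[] = {
    'I','I', 0x2a,0x00, 0x08,0x00,0x00,0x00,
    0x00,0x00, 0x08,0x00,0x00,0x00
};

int main(void)
{
    printf("ok:    %d\n", tiff_count_ifds(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("trunc: %d\n", tiff_count_ifds(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    printf("loop:  %d\n", tiff_count_ifds(SAMPLE_LOOP, sizeof SAMPLE_LOOP));
    return 0;
}
```

The point of the ordering inside the loop is that the declared count is compared against `len` before it is multiplied into an allocation size or used to drive a per-entry read; a 16-bit count can only claim up to 65535 entries, but a parser that trusts it on a 14-byte file still allocates and iterates for data that is not there, and a chain that loops or sprawls across many offsets turns a single `TIFFSetDirectory`-style walk into unbounded work. Note that BigTIFF (version 43, 64-bit offsets and 8-byte counts) needs the same checks with wider fields; this example deliberately handles only the classic layout.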



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Wed, 14 Feb 2018 21:15:34 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 14 Feb 2018 21:15:34 GMT)


Message #10 received at 890441-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 890441-close@bugs.debian.org
Subject: Bug#890441: fixed in tiff 4.0.9-4
Date: Wed, 14 Feb 2018 21:14:16 +0000
Source: tiff
Source-Version: 4.0.9-4

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890441@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 14 Feb 2018 20:07:21 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source amd64 all
Version: 4.0.9-4
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-dev - Tag Image File Format library (TIFF), development files, current
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 890441
Changes:
 tiff (4.0.9-4) unstable; urgency=high
 .
   * Fix CVE-2018-5784: uncontrolled resource consumption in TIFFSetDirectory()
     (closes: #890441).
Checksums-Sha1:
 f83b16a97588e2be6e953daac77d8fc1543ae1cf 2184 tiff_4.0.9-4.dsc
 66c646802eb51bfe9b32a1b52910b99265d33692 19572 tiff_4.0.9-4.debian.tar.xz
 e95bbcc17b9e9f3236cb932b802c24570356a50a 96216 libtiff-dev_4.0.9-4_amd64.deb
 ee48d669201f67aee21922cb620b065a23db5bc2 403188 libtiff-doc_4.0.9-4_all.deb
 7f76a9f6e54fb58dbd5a34f807ed22a30ffc7d0a 13736 libtiff-opengl-dbgsym_4.0.9-4_amd64.deb
 8d918c964b8d9840f794f5134310778316681d52 104776 libtiff-opengl_4.0.9-4_amd64.deb
 1a1481b317311dd69e5c2b4c5a00af87af3b4cc2 348632 libtiff-tools-dbgsym_4.0.9-4_amd64.deb
 be6f4fe23a2c4cb0fc187217f95d4d5594c6e331 286780 libtiff-tools_4.0.9-4_amd64.deb
 33408dd43293bab470010d5540d8fc3c4c9c3933 376332 libtiff5-dbgsym_4.0.9-4_amd64.deb
 08b4cf6099fffd094ca46f14ece945c6b6db3aab 366768 libtiff5-dev_4.0.9-4_amd64.deb
 68d8f4c6d3774978fc4e1bad9f18fbfcecbb4b96 245256 libtiff5_4.0.9-4_amd64.deb
 20cb256f444d9a82d27c7a0432466c29cb02226f 21208 libtiffxx5-dbgsym_4.0.9-4_amd64.deb
 63a6f5ad664eceb318bf80efd28bdef9aa26d5ff 99908 libtiffxx5_4.0.9-4_amd64.deb
 6f55965b9f185d0384ab55cb7ddebe6e6c6a717d 11994 tiff_4.0.9-4_amd64.buildinfo
Checksums-Sha256:
 52120121e154939321fed49a2200e477bfd421e8c94d55e9ad2d1fcafe7adc0e 2184 tiff_4.0.9-4.dsc
 f078da1da538109c1e5403dc1f44d23c91f5a5d6ddc5ffc41ff60de006cb2b2e 19572 tiff_4.0.9-4.debian.tar.xz
 175cf58d80ffd02dd3f7fa094a2b383f6051a9d53d5cba64b1ce0ba355099433 96216 libtiff-dev_4.0.9-4_amd64.deb
 d8270f117bbcf82396cfdde24f23fca328650f2fa75f339899ac15f079db9ece 403188 libtiff-doc_4.0.9-4_all.deb
 9db8af2433bc3d0ab3baeab17d47203b402b13b88b3f6443c510bdb1ea2cb694 13736 libtiff-opengl-dbgsym_4.0.9-4_amd64.deb
 9b10bf4ec957fb43c8f4f23daccd96197594a26a051e4fa9b0c876ec7a1b681c 104776 libtiff-opengl_4.0.9-4_amd64.deb
 502fd08247c6ee4b8c0d34a6f7e509e7f51cf4a06e3983570cad81370d16a985 348632 libtiff-tools-dbgsym_4.0.9-4_amd64.deb
 726292a08f4ad485063e49a03bf4aedae409654a21b45c5f79b4f47cecbb874c 286780 libtiff-tools_4.0.9-4_amd64.deb
 4ffb4cdb7bb5656f1a7520d84209a3123160554db9fc2164141a06d3e302a15a 376332 libtiff5-dbgsym_4.0.9-4_amd64.deb
 7b96a182567eb621a36b736b9b60e0863c420321a41c4c3bf82813aec087730f 366768 libtiff5-dev_4.0.9-4_amd64.deb
 a67ef13f68f464e2927059d6f4604c06b27bdb9e6297f171e93f2917d75dc86f 245256 libtiff5_4.0.9-4_amd64.deb
 bd9f6b24e7afb7e1d169f4e3c082bbfa12bb48763da199e918440ee8320f6f78 21208 libtiffxx5-dbgsym_4.0.9-4_amd64.deb
 01c133d4641cb9fff2177cd5b43f9093c8ea194088e7a15d4896d21153a7116d 99908 libtiffxx5_4.0.9-4_amd64.deb
 2f27c907cb011e9fd936bb81530629ccdf9ce88ccf88277c24e9b8ebf47925d5 11994 tiff_4.0.9-4_amd64.buildinfo
Files:
 d9cb68fbb3f193a3a88d4816b4c3b749 2184 libs optional tiff_4.0.9-4.dsc
 435a9dcf25c1dd39c7ae9f7592d0f294 19572 libs optional tiff_4.0.9-4.debian.tar.xz
 14dd6df05907f99b563b86af81bc2ca7 96216 oldlibs optional libtiff-dev_4.0.9-4_amd64.deb
 76af379c454ec49d05d04dbf413e30fd 403188 doc optional libtiff-doc_4.0.9-4_all.deb
 270d9ce443909497216f0150e034e928 13736 debug optional libtiff-opengl-dbgsym_4.0.9-4_amd64.deb
 dfd1c267e36d40fb5ebfb7df9f8307ff 104776 graphics optional libtiff-opengl_4.0.9-4_amd64.deb
 3788a41b3360e075bfb91c4730643a8e 348632 debug optional libtiff-tools-dbgsym_4.0.9-4_amd64.deb
 ebf6c0073adb7fb108660aac58f8c655 286780 graphics optional libtiff-tools_4.0.9-4_amd64.deb
 c772d921e3b0ca0712ac8266ddcf69c0 376332 debug optional libtiff5-dbgsym_4.0.9-4_amd64.deb
 5e10d903986411f990067f99b30d275a 366768 libdevel optional libtiff5-dev_4.0.9-4_amd64.deb
 874d5ce383ed4fdb9d9a5f50aac0dcc1 245256 libs optional libtiff5_4.0.9-4_amd64.deb
 c6b26e62eab1f08aff7d3a474de765c1 21208 debug optional libtiffxx5-dbgsym_4.0.9-4_amd64.deb
 6c83e9404a3db29edf51f615e6605fcf 99908 libs optional libtiffxx5_4.0.9-4_amd64.deb
 62ca92056599e7b1b8c55ae79dd56da7 11994 libs optional tiff_4.0.9-4_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 17 Mar 2018 07:27:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:09:30 2019; Machine Name: beach
