Your message dated Thu, 17 Apr 2014 16:00:09 +0000
with message-id <[email protected]>
and subject line Bug#684247: fixed in povray 1:3.7.0.0-1
has caused the Debian Bug report #684247,
regarding tiff code embedded in povray and possibly may be out of date and
vulnerable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
684247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684247
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: povray
Severity: important
Tags: security
I have been working on a tool called Clonewise to automatically identify
embedded code copies in Debian packages and determine if they are out of
date and vulnerable. Ideally, embedding code and libraries should be
avoided and a system wide library should be used instead.
I recently ran the tool on Debian 6 stable. The results are here at
http://www.foocodechu.com/downloads/Clonewise-report.txt*
*The povray package reported potential issues appended to this message.
The analysis tries to justify why it believes a library or code is embedded
in the package and if the relationship is not already being tracked by
Debian in the embedded-code-copies database it shows the files that are
shared between the two pieces of software.
Apologies if these are false positives. Your help in advising me on whether
these issues are real will help me improve the analysis for the future.
--
Silvio Cesare
Deakin University
### Summary:
###
tiff CLONED_IN_SOURCE povray <unfixed> CVE-2010-2597
tiff CLONED_IN_SOURCE povray <unfixed> CVE-2011-1167
### Reports by package:
###
# Package povray may be vulnerable to the following issues:
#
CVE-2010-2597
CVE-2011-1167
# SUMMARY: The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0
and 3.9.2 makes incorrect calls to the TIFFGetField function, which
allows remote attackers to cause a denial of service (application
crash) via a crafted TIFF image, related to "downsampled OJPEG input"
and possibly related to a compiler optimization that triggers a
divide-by-zero error.
#
# CVE-2010-2597 relates to a vulnerability in package tiff.
# The following source filenames are likely responsible:
# tifstrip.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
tiff CLONED_IN_SOURCE povray <unfixed> CVE-2010-2597
MATCH addtiffo.c/addtiffo.c (8.200837)
MATCH faxps.c/faxps.c (8.200837)
MATCH faxtiff.c/faxtiff.c (8.200837)
MATCH getopt.c/getopt.c (3.471681)
MATCH giftiff.c/giftiff.c (8.200837)
MATCH iptcutil.c/iptcutil.c (8.200837)
MATCH listtif.c/listtif.c (8.200837)
MATCH macmain.c/macmain.c (7.171218)
MATCH mactrans.c/mactrans.c (8.200837)
MATCH maketif.c/maketif.c (8.200837)
MATCH mfsfile.c/mfsfile.c (8.200837)
MATCH mkgmain.c/mkgmain.c (8.200837)
MATCH mkgstates.c/mkgstates.c (7.102225)
MATCH palrgb.c/palrgb.c (8.200837)
MATCH ppmtiff.c/ppmtiff.c (8.200837)
MATCH rastif.c/rastif.c (8.200837)
MATCH rawtiff.c/rastiff.c (8.200837)
MATCH rgbycbcr.c/rgbycbcr.c (8.200837)
MATCH sgisv.c/sgisv.c (8.200837)
MATCH sgitiff.c/sgitiff.c (8.200837)
MATCH strcasecmp.c/strcasecmp.c (4.890294)
MATCH strtoul.c/strtoul.c (5.332938)
MATCH thumbnail.c/thumbnail.c (6.552179)
MATCH tifacorn.c/tifacorn.c (7.325368)
MATCH tifapple.c/tifapple.c (7.245326)
MATCH tifatari.c/tifatari.c (7.325368)
MATCH tifaux.c/tifaux.c (6.865836)
MATCH tifclose.c/tifclose.c (6.865836)
MATCH tifcodec.c/tifcodec.c (6.977062)
MATCH tifcolor.c/tifcolor.c (7.102225)
MATCH tifcompress.c/tifcompress.c (6.865836)
MATCH tifdir.c/tifdir.c (6.865836)
MATCH tifdirinfo.c/tifdirinfo.c (6.865836)
MATCH tifdirread.c/tifdirread.c (6.865836)
MATCH tifdirwrite.c/tifdirwrite.c (6.865836)
MATCH tifdumpmode.c/tifdumpmode.c (6.865836)
MATCH tiferror.c/tiferror.c (6.865836)
MATCH tifextension.c/tifextension.c (7.102225)
MATCH tiffax.c/tiffax.c (6.865836)
MATCH tiffbi.c/tiffbi.c (8.200837)
MATCH tiffcmp.c/tiffcmp.c (8.200837)
MATCH tiffdib.c/tiffdib.c (8.200837)
MATCH tiffdither.c/tiffdither.c (8.200837)
MATCH tiffdump.c/tiffdump.c (8.200837)
MATCH tiffgrayscale.c/tiffgrayscale.c (8.200837)
MATCH tiffgt.c/tiffgt.c (8.200837)
MATCH tiffile.c/tiffile.c (8.200837)
MATCH tiffinfo.c/tiffinfo.c (8.200837)
MATCH tifflush.c/tifflush.c (6.865836)
MATCH tiffmedian.c/tiffmedian.c (8.200837)
MATCH tiffpalette.c/tiffpalette.c (8.200837)
MATCH tiffpdf.c/tiffpdf.c (7.864365)
MATCH tiffps.c/tiffps.c (8.018516)
MATCH tiffrgb.c/tiffrgb.c (8.200837)
MATCH tiffset.c/tiffset.c (8.200837)
MATCH tiffsplit.c/tiffsplit.c (8.200837)
MATCH tifgetimage.c/tifgetimage.c (6.865836)
MATCH tifimageiter.c/tifimageiter.c (8.200837)
MATCH tifjpeg.c/tifjpeg.c (6.865836)
MATCH tifluv.c/tifluv.c (6.977062)
MATCH tiflzw.c/tiflzw.c (6.865836)
MATCH tifmsdos.c/tifmsdos.c (7.325368)
MATCH tifnext.c/tifnext.c (6.865836)
MATCH tifopen.c/tifopen.c (6.865836)
MATCH tifoverview.c/tifoverview.c (8.200837)
MATCH tifovrcache.c/tifovrcache.c (8.200837)
MATCH tifpackbits.c/tifpackbits.c (6.865836)
MATCH tifpdsdirread.c/tifpdsdirread.c (8.200837)
MATCH tifpdsdirwrite.c/tifpdsdirwrite.c (8.200837)
MATCH tifpixarlog.c/tifpixarlog.c (6.977062)
MATCH tifpredict.c/tifpredict.c (6.977062)
MATCH tifprint.c/tifprint.c (6.865836)
MATCH tifras.c/tifras.c (8.200837)
MATCH tifread.c/tifread.c (6.865836)
MATCH tifstrip.c/tifstrip.c (6.865836)
MATCH tifswab.c/tifswab.c (6.814543)
MATCH tifthunder.c/tifthunder.c (6.865836)
MATCH tifunix.c/tifunix.c (7.102225)
MATCH tifversion.c/tifversion.c (6.865836)
MATCH tifwarning.c/tifwarning.c (6.865836)
MATCH tifwin.c/tifwin.c (7.102225)
MATCH tifwrite.c/tifwrite.c (6.865836)
MATCH tifzip.c/tifzip.c (6.977062)
MATCH xtiff.c/xtiff.c (7.507690)
MATCH ycbcr.c/ycbcr.c (8.018516)
# SUMMARY: Heap-based buffer overflow in the thunder (aka ThunderScan)
decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote
attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS
data in a .tiff file that has an unexpected BitsPerSample value.
#
# CVE-2011-1167 relates to a vulnerability in package tiff.
# The following source filenames are likely responsible:
# tifthunder.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
tiff CLONED_IN_SOURCE povray <unfixed> CVE-2011-1167
MATCH addtiffo.c/addtiffo.c (8.200837)
MATCH faxps.c/faxps.c (8.200837)
MATCH faxtiff.c/faxtiff.c (8.200837)
MATCH getopt.c/getopt.c (3.471681)
MATCH giftiff.c/giftiff.c (8.200837)
MATCH iptcutil.c/iptcutil.c (8.200837)
MATCH listtif.c/listtif.c (8.200837)
MATCH macmain.c/macmain.c (7.171218)
MATCH mactrans.c/mactrans.c (8.200837)
MATCH maketif.c/maketif.c (8.200837)
MATCH mfsfile.c/mfsfile.c (8.200837)
MATCH mkgmain.c/mkgmain.c (8.200837)
MATCH mkgstates.c/mkgstates.c (7.102225)
MATCH palrgb.c/palrgb.c (8.200837)
MATCH ppmtiff.c/ppmtiff.c (8.200837)
MATCH rastif.c/rastif.c (8.200837)
MATCH rawtiff.c/rastiff.c (8.200837)
MATCH rgbycbcr.c/rgbycbcr.c (8.200837)
MATCH sgisv.c/sgisv.c (8.200837)
MATCH sgitiff.c/sgitiff.c (8.200837)
MATCH strcasecmp.c/strcasecmp.c (4.890294)
MATCH strtoul.c/strtoul.c (5.332938)
MATCH thumbnail.c/thumbnail.c (6.552179)
MATCH tifacorn.c/tifacorn.c (7.325368)
MATCH tifapple.c/tifapple.c (7.245326)
MATCH tifatari.c/tifatari.c (7.325368)
MATCH tifaux.c/tifaux.c (6.865836)
MATCH tifclose.c/tifclose.c (6.865836)
MATCH tifcodec.c/tifcodec.c (6.977062)
MATCH tifcolor.c/tifcolor.c (7.102225)
MATCH tifcompress.c/tifcompress.c (6.865836)
MATCH tifdir.c/tifdir.c (6.865836)
MATCH tifdirinfo.c/tifdirinfo.c (6.865836)
MATCH tifdirread.c/tifdirread.c (6.865836)
MATCH tifdirwrite.c/tifdirwrite.c (6.865836)
MATCH tifdumpmode.c/tifdumpmode.c (6.865836)
MATCH tiferror.c/tiferror.c (6.865836)
MATCH tifextension.c/tifextension.c (7.102225)
MATCH tiffax.c/tiffax.c (6.865836)
MATCH tiffbi.c/tiffbi.c (8.200837)
MATCH tiffcmp.c/tiffcmp.c (8.200837)
MATCH tiffdib.c/tiffdib.c (8.200837)
MATCH tiffdither.c/tiffdither.c (8.200837)
MATCH tiffdump.c/tiffdump.c (8.200837)
MATCH tiffgrayscale.c/tiffgrayscale.c (8.200837)
MATCH tiffgt.c/tiffgt.c (8.200837)
MATCH tiffile.c/tiffile.c (8.200837)
MATCH tiffinfo.c/tiffinfo.c (8.200837)
MATCH tifflush.c/tifflush.c (6.865836)
MATCH tiffmedian.c/tiffmedian.c (8.200837)
MATCH tiffpalette.c/tiffpalette.c (8.200837)
MATCH tiffpdf.c/tiffpdf.c (7.864365)
MATCH tiffps.c/tiffps.c (8.018516)
MATCH tiffrgb.c/tiffrgb.c (8.200837)
MATCH tiffset.c/tiffset.c (8.200837)
MATCH tiffsplit.c/tiffsplit.c (8.200837)
MATCH tifgetimage.c/tifgetimage.c (6.865836)
MATCH tifimageiter.c/tifimageiter.c (8.200837)
MATCH tifjpeg.c/tifjpeg.c (6.865836)
MATCH tifluv.c/tifluv.c (6.977062)
MATCH tiflzw.c/tiflzw.c (6.865836)
MATCH tifmsdos.c/tifmsdos.c (7.325368)
MATCH tifnext.c/tifnext.c (6.865836)
MATCH tifopen.c/tifopen.c (6.865836)
MATCH tifoverview.c/tifoverview.c (8.200837)
MATCH tifovrcache.c/tifovrcache.c (8.200837)
MATCH tifpackbits.c/tifpackbits.c (6.865836)
MATCH tifpdsdirread.c/tifpdsdirread.c (8.200837)
MATCH tifpdsdirwrite.c/tifpdsdirwrite.c (8.200837)
MATCH tifpixarlog.c/tifpixarlog.c (6.977062)
MATCH tifpredict.c/tifpredict.c (6.977062)
MATCH tifprint.c/tifprint.c (6.865836)
MATCH tifras.c/tifras.c (8.200837)
MATCH tifread.c/tifread.c (6.865836)
MATCH tifstrip.c/tifstrip.c (6.865836)
MATCH tifswab.c/tifswab.c (6.814543)
MATCH tifthunder.c/tifthunder.c (6.865836)
MATCH tifunix.c/tifunix.c (7.102225)
MATCH tifversion.c/tifversion.c (6.865836)
MATCH tifwarning.c/tifwarning.c (6.865836)
MATCH tifwin.c/tifwin.c (7.102225)
MATCH tifwrite.c/tifwrite.c (6.865836)
MATCH tifzip.c/tifzip.c (6.977062)
MATCH xtiff.c/xtiff.c (7.507690)
MATCH ycbcr.c/ycbcr.c (8.018516)
--- End Message ---
--- Begin Message ---
Source: povray
Source-Version: 1:3.7.0.0-1
We believe that the bug you reported is fixed in the latest version of
povray, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Beckmann <[email protected]> (supplier of updated povray package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 31 Jan 2014 18:34:39 +0100
Source: povray
Binary: povray povray-includes povray-doc povray-examples
Architecture: source amd64 all
Version: 1:3.7.0.0-1
Distribution: unstable
Urgency: low
Maintainer: Andreas Beckmann <[email protected]>
Changed-By: Andreas Beckmann <[email protected]>
Description:
povray - Persistence of vision raytracer (3D renderer)
povray-doc - Persistence of vision raytracer (3D renderer) documentation
povray-examples - Persistence of vision raytracer (3D renderer) sample files
povray-includes - Persistance of vision raytracer (3D renderer) include files
Closes: 501591 501592 684247 686510 687948 729754
Changes:
povray (1:3.7.0.0-1) unstable; urgency=low
.
[ Andreas Beckmann ]
* New upstream release. (Closes: #729754, #686510)
* New maintainer.
* POV-ray is now licensed under GNU AGPL-3.0+.
* Sample scenes and includes are licensed under CC-BY-SA-3.0/CC-BY-3.0.
* Move the package back from non-free into main.
* Switch to source format 3.0 (quilt).
* Refresh patches: 10_includes-location, 40_bashism.diff.
* Remove patch: 20_glass.diff, fixed upstream.
* Disable patch: 80_beta.diff.
* Cherry-picked build system fixes from upstream git:
0001-quiet-compiler-warnings-building-with-gcc-and-clang.patch
0002-Account-for-changes-in-boost-dependencies.patch
0003-Make-sure-Makefile.in-gets-generated-properly.patch
0004-Fix-for-configure-attempting-to-link-boost_system-ev.patch
0005-fix-typo-in-configure.ac.patch
0006-fix-GitHub-issues-5-and-6.patch
0007-added-header-files-to-hold-Unix-flavor-specific-conf.patch
* Add new patch to fix some typos: fix-typos.patch.
* Switch to debhelper compat level 9.
* Bump Standards-Version to 3.9.5.
* Update Build-Depends.
* Build against libopenexr, libsdl, and libxpm.
* Ensure to build against system libraries. (Closes: #684247)
* Install files in upstream's default (/usr/share/povray-3.7).
* d/rules: Run unix/pre-build.sh to generate configure.
* d/rules: Minimize and use dh.
* d/watch: Point to github.
* d/povray.docs: Add more documentation.
* Install changes.txt as upstream changelog.
* Disable building the currently empty povray-doc package.
* Remove Suggests: kpovmodeler (was for KDE3 only). (Closes: #687948)
* Apply manpage patch from Olivier STOLTZ DOUCHET: povray.man.patch.
(Closes: #501591, #501592)
* Upload to unstable.
Checksums-Sha1:
ae5ef977540f50e685a88301456fccfe509c1a54 2147 povray_3.7.0.0-1.dsc
1d160d45e69d096e4c22f3b034dcc9ee94d22208 38191521 povray_3.7.0.0.orig.tar.gz
376ea50862abd4e9cdc9b6f7fa729a3986822262 70800 povray_3.7.0.0-1.debian.tar.xz
c3face234c6e74604bbaf38e45ff0043e9dad2ba 1115212 povray_3.7.0.0-1_amd64.deb
5594c110dcadce8e67d593028c0299959da0053a 262798
povray-includes_3.7.0.0-1_all.deb
11817dddbfd2a29fab701c26bb3ef78ba24cdd79 10158774
povray-examples_3.7.0.0-1_all.deb
Checksums-Sha256:
db757eabf775253f2f9e9b1881371b76822af518fb9f510a2157f151d5bc150d 2147
povray_3.7.0.0-1.dsc
bf68861d648e3acafbd1d83a25016a0c68547b257e4fa79fb36eb5f08d665f27 38191521
povray_3.7.0.0.orig.tar.gz
24f649508e42d9a73e2d20053b03f52909341e839dc4a221830f51e8d917cc35 70800
povray_3.7.0.0-1.debian.tar.xz
2e53d306d3fa9403edb482cbf81f80b8bac851b4d29abd747a0bf92b6d331f3e 1115212
povray_3.7.0.0-1_amd64.deb
0abbfb853ac4c40aac65af84e226467649813c45f8304ec5377307d2783c522a 262798
povray-includes_3.7.0.0-1_all.deb
c548965da019ad37adf22665fa1bbb02b64e9e626dd3dc67de477fdb64ec337a 10158774
povray-examples_3.7.0.0-1_all.deb
Files:
e8a63732868f90cdcab7483b9ecbe511 2147 graphics extra povray_3.7.0.0-1.dsc
c9473256677808e9e3246e6eb8f69a75 38191521 graphics extra
povray_3.7.0.0.orig.tar.gz
81cfb475e48d63082f14343995d89faa 70800 graphics extra
povray_3.7.0.0-1.debian.tar.xz
88b6bec2dffa8f29fcf6cc3c29230ffa 1115212 graphics extra
povray_3.7.0.0-1_amd64.deb
fdbbfb082c4cd39e670d86e7740f04b9 262798 graphics extra
povray-includes_3.7.0.0-1_all.deb
b41c781123ccc0344c53d64c08aaa672 10158774 graphics extra
povray-examples_3.7.0.0-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJS6+CzAAoJEF+zP5NZ6e0InKgQAJxja7f6eZuB6tWPCwGhUg7U
yyC1hwK2nhkNZ+Bi0s/wbDWENwPP9UPxmQxBuYtWuLWrOJ7SjYQbmPYVp1+rLN2e
FgevXfrsQ/l4AnaliXgPj/pX6xzviCb5L+ENLSu9cNZVw+iQ0TnbQGt3dmoRVgks
H4c5AM2i12yS15g6pDzxqqaAPR4EQXwOAMP+GPbmJZtbm/xtoI7AkgZ4gjhoxKEP
3YBZuO6RuyDqWhYePLoBNLtVfRpRdNmVLwEqVcM/ibAc0m7MzrGLeFfWtAgKWRgd
MBPizRgdltEvcPw+eGUJynD/DsNMAI2dWu1Pu5B43zHUeLuR+g7oERyXrKdiLCk0
49qFHSYDPeP6Mwg/1r+6jUKVquVQylcWBCB8mUsC8zUmeJnpCTk3cNOLH+T5tZhG
jZ4OneBkArKcKssl6Kzs+jYRetvRFNnUGqp/m6nFJeOGdvvBTF0Q7NrExgLnX72m
aWUTmFMYyAkWLrezlylX7aQ4F1YVVj3wrdZosoLDqLJs/mfDa5hmlCQq9YBXB6nf
G+uFXldtzWej87KD7IqNp9Rgwy0LBjOdlQ9rYusVMt7iQKwVSh9d3D0eW2hps41P
tfQR2qCFD9NGpBrUCNyU+wo+fzzBbb1H5F0D29mHVbvTHHYkrGVvECKz/AtFc7Pb
dSx0EGfBH5lfsWxxH3bp
=f9Fr
-----END PGP SIGNATURE-----
--- End Message ---
