Your message dated Sat, 15 Jul 2017 20:48:11 +0000
with message-id <[email protected]>
and subject line Bug#866611: fixed in tiff 4.0.3-12.3+deb8u4
has caused the Debian Bug report #866611,
regarding tiff: CVE-2017-10688
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
866611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866611
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tiff
Version: 4.0.8-2
Severity: important
Tags: upstream security
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2712
Hi,

the following vulnerability was published for tiff.

CVE-2017-10688[0]:
| In LibTIFF 4.0.8, there is an assertion abort in the
| TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A
| crafted input will lead to a remote denial of service attack.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10688
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2712

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 4.0.3-12.3+deb8u4
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 02 Jul 2017 08:35:22 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl
libtiff-doc
Architecture: source all amd64
Version: 4.0.3-12.3+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Ondřej Surý <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
libtiff-doc - TIFF manipulation and conversion documentation
libtiff-opengl - TIFF manipulation and conversion tools
libtiff-tools - TIFF manipulation and conversion tools
libtiff5 - Tag Image File Format (TIFF) library
libtiff5-dev - Tag Image File Format library (TIFF), development files
libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 850316 863185 866113 866611
Changes:
 tiff (4.0.3-12.3+deb8u4) jessie-security; urgency=high
 .
   * Backport fix for the following vulnerabilities:
     - CVE-2017-9403: fix memory leak in non DEFER_STRILE_LOAD mode,
     - CVE-2017-9404: memory leak vulnerability was found in the function
       OJPEGReadHeaderInfoSecTablesQTable(),
     - CVE-2016-10095 and CVE-2017-9147: add _TIFFCheckFieldIsValidForCodec()
       and use it in TIFFReadDirectory() (closes: #850316, #863185),
     - CVE-2017-9936: memory leak in error code path of JBIGDecode()
       (closes: #866113),
     - prevent out of memory in gtTileContig() on corrupted files,
     - CVE-2017-10688, assertion failure in TIFFWriteDirectoryTagCheckedXXXX()
       (closes: #866611).
   * Add required _TIFFCheckFieldIsValidForCodec@LIBTIFF_4.0 and
     _TIFFReadEncodedStripAndAllocBuffer@LIBTIFF_4.0 symbols to the
     libtiff5 package.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---