Your message dated Sat, 27 Jan 2024 10:05:23 +0000
with message-id <[email protected]>
and subject line Bug#1061524: fixed in tiff 4.5.1+git230720-4
has caused the Debian Bug report #1061524,
regarding tiff: CVE-2023-52356
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1061524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061524
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tiff
Version: 4.5.1+git230720-3
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/libtiff/libtiff/-/issues/622
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for tiff.
CVE-2023-52356[0]:
| A segment fault (SEGV) flaw was found in libtiff that could be
| triggered by passing a crafted tiff file to the
| TIFFReadRGBATileExt() API. This flaw allows a remote attacker to
| cause a heap-buffer overflow, leading to a denial of service.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-52356
https://www.cve.org/CVERecord?id=CVE-2023-52356
[1] https://gitlab.com/libtiff/libtiff/-/issues/622
[2] https://gitlab.com/libtiff/libtiff/-/merge_requests/546
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 4.5.1+git230720-4
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 27 Jan 2024 10:32:25 +0100
Source: tiff
Architecture: source
Version: 4.5.1+git230720-4
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1061524
Changes:
 tiff (4.5.1+git230720-4) unstable; urgency=high
 .
   * Backport security fix for CVE-2023-52355, an out-of-memory flaw that
     could be triggered by passing a crafted tiff file with documentation
     update how to prevent it.
   * Backport security fix for CVE-2023-52356, a segment fault flaw that
     could be triggered by passing a crafted tiff file (closes: #1061524).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---