-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: tiff
Version: 4.0.6-1
Severity: critical
Tags: security, fixed-upstream
Hi LibTIFF maintainer(s),

Kaixiang Zhang from Qihoo 36 and Mathias Svensson from Google discovered a heap-based buffer overflow vulnerability in the PixarLogDecode() function in libtiff/tif_pixarlog.c in the TIFF library, which may result in denial of service or the execution of arbitrary code if a malformed TIFF file is processed.

Upstream has fixed this vulnerability in the following commit (the repository is a mirror of the upstream CVS repository):

https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2

This was reported by several researchers simultaneously.

CVE-2016-5314 upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2554

CVE-2016-5316 has been marked as a duplicate of upstream bug #2554 as it is fixed by the same commit:
http://bugzilla.maptools.org/show_bug.cgi?id=2556

http://www.openwall.com/lists/oss-security/2016/06/30/3 says:

"""I think this is a duplicate with CVE-2016-5320 and CVE-2016-5314. CVE-2016-5875 (buffer overrun in PixarLogDecode()) is CVE-2016-5314 (PixarLogDecode() out-of-bound writes) which causes CVE-2016-5320 (rgb2ycbcr command execution)."""

Reproducers:
http://bugzilla.maptools.org/attachment.cgi?id=654
http://bugs.fi/media/afl/libtiff/CVE-2016-5875.tif
http://bugzilla.maptools.org/attachment.cgi?id=656

Please double check the situation before making changes to the Debian source package. Feel free to contact me or the Debian security team in case you have any questions.
- -- Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXgmFSAAoJECet96ROqnV0xIMP/12NuYUO3NSqPkAk3C/35go5
aTItQmBr5DqG0a/wS/R5vR0FwyLbJ8FGh36hjXHCC7VBRiQfj4t1Vq7TAFn0c3jE
pTcnxW/hzhPeRIQR7pdQkQMYQe4ODB9irL6m8EqH4uHhhE9mPJ9j6cUKGRhi25fx
TO99Mtv8Aqlb9GO1rggaAQUiRN3E4E4xVE0g5Qlw4ad8FeP1IQSPHbYyGG1pUF20
os46/ODxaDqi3QLpla3rRAJVNQoiUhYoUmVfqgN4htaSTn28b/qPdZ+oQV1cpvLo
A8g0RThuazgkRO4wGIMVsZVxFJnRPrkVZL2RW5fqF3efw39qHtopOvi5dAScyOgX
dIqFlz8Yv9Tx9DQYzfVmp1rEtZL80Xd3D6cAdFbxUwFJq4ZN2sr2RTZXufrhlMm6
+N776cbidBR8j8jPKFZxQpgQWwC+h7SJmsuiZsO8hCkZopE0DJf8O/4j2sPioG6M
ajHtlB63ed99eFb3Z+tl37z+6XogT33xslAe/Ux0muWpavoItWA9G5Kx1yBHGBVn
8k9xP889veqJVO2qzWo3r64MvTUltD7x1Y6fzOaPBUWrHU/mG+Epgk1KAEk3aGSt
L6zkKhEYq0hLERWqY2hdVYD3HfPb+jaEkEc9eJNK6mQ0yzbQxws/uaXHOvA4ZOAm
HcLaKK1BLe+6opMAZWRx
=XDbp
-----END PGP SIGNATURE-----
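A triage helper a distribution maintainer or incident responder might want while the fix above is being backported: the report concerns the PixarLog decoder, so a cheap first check on an untrusted TIFF is whether it even selects that codec. The following script is an added example, not part of the bug report or of libtiff. It walks the TIFF header and IFD chain with the standard library only and reports the Compression tag (tag 259) of each image directory, flagging files whose value is libtiff's COMPRESSION_PIXARLOG (32909). The sample TIFF bytes are constructed inline via build_tiff(), which is a hypothetical helper written for this example; the script never decodes pixel data, so it can be run before a file reaches libtiff.

```python
import struct

COMPRESSION_TAG = 259            # TIFF "Compression" tag
COMPRESSION_NONE = 1             # spec default when the tag is absent
COMPRESSION_PIXARLOG = 32909     # libtiff COMPRESSION_PIXARLOG (tif_pixarlog.c)

# Only the small integer field types are decoded inline; others are skipped.
INLINE_FMT = {1: "B", 3: "H", 4: "I"}      # BYTE, SHORT, LONG
INLINE_SIZE = {1: 1, 3: 2, 4: 4}


def parse_ifds(data):
    """Parse the TIFF header and IFD chain; return one {tag: [values]} dict per IFD.

    Offsets are bounds-checked and a seen-set guards against cyclic IFD chains,
    since a malformed file is exactly what this check is meant to handle.
    """
    if len(data) < 8:
        raise ValueError("file too short for a TIFF header")
    if data[:2] == b"II":
        e = "<"
    elif data[:2] == b"MM":
        e = ">"
    else:
        raise ValueError("not a TIFF: bad byte-order mark")
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not a TIFF: bad magic")

    ifds, seen = [], set()
    while ifd_off != 0:
        if ifd_off in seen or ifd_off + 2 > len(data):
            raise ValueError("bad or cyclic IFD offset %d" % ifd_off)
        seen.add(ifd_off)
        (n,) = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])
        pos = ifd_off + 2
        if pos + 12 * n + 4 > len(data):
            raise ValueError("truncated IFD at offset %d" % ifd_off)
        entries = {}
        for _ in range(n):
            tag, typ, count = struct.unpack(e + "HHI", data[pos:pos + 8])
            raw = data[pos + 8:pos + 12]          # value if it fits in 4 bytes, else offset
            if typ in INLINE_FMT and INLINE_SIZE[typ] * count <= 4:
                fmt = e + INLINE_FMT[typ] * count
                entries[tag] = list(struct.unpack(fmt, raw[:INLINE_SIZE[typ] * count]))
            pos += 12
        (ifd_off,) = struct.unpack(e + "I", data[pos:pos + 4])
        ifds.append(entries)
    return ifds


def compression_of(data):
    """Return the Compression value of every IFD in the file (default 1 = none)."""
    return [ifd.get(COMPRESSION_TAG, [COMPRESSION_NONE])[0] for ifd in parse_ifds(data)]


def uses_pixarlog(data):
    """True if any image directory selects the PixarLog codec."""
    return any(c == COMPRESSION_PIXARLOG for c in compression_of(data))


def build_tiff(compression, order="<"):
    """Constructed sample: a minimal single-IFD TIFF with the given Compression value.

    Hypothetical helper for this example only; SHORT values are left-justified in
    the 4-byte value field in both byte orders, as the TIFF spec requires.
    """
    entries = [(256, 3, 1, 4), (257, 3, 1, 4), (COMPRESSION_TAG, 3, 1, compression)]
    ifd = struct.pack(order + "H", len(entries))
    for tag, typ, count, val in entries:
        ifd += struct.pack(order + "HHI", tag, typ, count)
        ifd += struct.pack(order + "H", val) + b"\x00\x00"
    ifd += struct.pack(order + "I", 0)                  # no next IFD
    header = (b"II" if order == "<" else b"MM") + struct.pack(order + "HI", 42, 8)
    return header + ifd


if __name__ == "__main__":
    for label, blob in (("pixarlog-le", build_tiff(COMPRESSION_PIXARLOG)),
                        ("pixarlog-be", build_tiff(COMPRESSION_PIXARLOG, ">")),
                        ("lzw", build_tiff(5))):
        print(label, compression_of(blob), "FLAG" if uses_pixarlog(blob) else "ok")
```

A positive result only says the file would be routed to the decoder named in the report; it does not prove the file is malicious, and the converse (a negative result) says nothing about other codecs. The check is useful as a quarantine filter or mail-gateway rule until the patched package is deployed, after which the real defence is the upstream fix itself.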