Author: jmm
Date: 2016-11-03 14:18:43 +0000 (Thu, 03 Nov 2016)
New Revision: 45931

Modified:
   data/CVE/list
Log:
more tiff fixes


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2016-11-03 14:17:03 UTC (rev 45930)
+++ data/CVE/list       2016-11-03 14:18:43 UTC (rev 45931)
@@ -2250,10 +2250,11 @@
        NOTE: https://github.com/uclouvain/openjpeg/pull/820
 CVE-2016-8331 (An exploitable remote code execution vulnerability exists in 
the ...)
        {DLA-693-1}
-       - tiff <unfixed>
+       - tiff 4.0.6-3
        - tiff3 <removed>
        [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
        NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0190/
+       NOTE: thumbnail(1) removed in 4.0.6-3
        NOTE: From the backtrace shared in the report, we can see that the 
crash is triggered though the thumbnail tool which has been dropped upstream.
 CVE-2016-8330
        RESERVED
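Review bot: closing CVE-2016-8331 at tiff 4.0.6-3 rests on the crash only being reachable through thumbnail(1), but the unchanged NOTE says only that the backtrace goes through the thumbnail tool, not whether the faulting code lives in the tool or in libtiff itself. If it is library code, dropping thumbnail(1) removes the trigger without fixing the bug (the distinction this same commit draws for CVE-2016-3634 with "vulnerable library code still present"), so consider adding a NOTE naming the file or function the Talos backtrace points to. Also, "triggered though the thumbnail tool" in the existing NOTE should read "through".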
@@ -10927,7 +10928,7 @@
 CVE-2016-5652 [heap based buffer overflow in LibTIFFs TIFF2PDF tool]
        RESERVED
        {DLA-693-1}
-       - tiff <unfixed> (bug #842361)
+       - tiff 4.0.6-3 (bug #842361)
        - tiff3 <removed>
        [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
        NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0187/
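Review bot: CVE-2016-5652 is now marked fixed in 4.0.6-3, but unlike the thumbnail entries nothing in this hunk says what in that upload addresses the tiff2pdf overflow; the only reference is the Talos report. A NOTE pointing at the upstream commit or bug that 4.0.6-3 backports would let someone verify the fixed version later, as the other entries do with their bugzilla.maptools.org links.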
@@ -17686,7 +17687,7 @@
 CVE-2016-3636
        RESERVED
 CVE-2016-3635 (SAP Netweaver 7.4 allows remote authenticated users to bypass 
an ...)
-       TODO: check
+       NOT-FOR-US: SAP Netweaver
 CVE-2016-3634 (The tagCompare function in tif_dirinfo.c in the thumbnail tool 
in ...)
        {DLA-693-1}
        - tiff <unfixed>
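Review bot: the CVE-2016-3635 change (TODO: check -> NOT-FOR-US: SAP Netweaver) is unrelated SAP triage bundled into a commit whose log says "more tiff fixes"; it is correct, but it would be easier to find in history as its own commit or with a log line that mentions it.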
@@ -17697,6 +17698,7 @@
        NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2547
        NOTE: Upstream will remove thumbnail from 4.0.7 release
        NOTE: No patch available. Issue marked as wontfix by upstream.
+       NOTE: thumbnail(1) removed in 4.0.6-3, but vulnerable library code 
still present
 CVE-2016-3633 (The setrow function in the thumbnail tool in LibTIFF 4.0.6 and 
earlier ...)
        {DLA-693-1}
        - tiff 4.0.6-3 (bug #842046)
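Review bot: the added NOTE explains why CVE-2016-3634 stays at `- tiff <unfixed>` while the neighbouring thumbnail issue CVE-2016-3633 is closed at 4.0.6-3, which is the right call given the CVE description places tagCompare in tif_dirinfo.c. Consider saying so in the NOTE ("tagCompare is in tif_dirinfo.c, i.e. libtiff proper") and placing it next to the "Upstream will remove thumbnail from 4.0.7 release" line, so the three NOTEs read as one argument: upstream wontfix, tool removed in Debian, library code still affected.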
@@ -17748,7 +17750,7 @@
        [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
        NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2566
 CVE-2016-3624 (The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 
and ...)
-       - tiff <unfixed>
+       - tiff 4.0.6-3
        [jessie] - tiff <no-dsa> (Minor issue)
        [wheezy] - tiff <no-dsa> (Minor issue)
        - tiff3 <not-affected> (tiff tools not built)
@@ -17756,8 +17758,7 @@
        NOTE: Upstream marked this duplicate of bug 2569
 CVE-2016-3623 (The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote 
...)
        {DLA-610-1}
-       - tiff <unfixed>
-       [jessie] - tiff <no-dsa> (Minor issue)
+       - tiff 4.0.6-3
        [wheezy] - tiff <no-dsa> (Minor issue)
        - tiff3 <removed>
        NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2569
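Review bot: dropping the `[jessie] - tiff <no-dsa> (Minor issue)` line for CVE-2016-3623 changes jessie from "no DSA needed" to tracked-as-unfixed, while the same commit keeps `[jessie] - tiff <no-dsa> (Minor issue)` for CVE-2016-3624, which the preceding hunk's context says upstream marked a duplicate of bug 2569 (the bug referenced here). If a jessie update is now planned for 3623 the two entries should move together; otherwise the removal looks accidental and the line should be restored. Either way a NOTE explaining the jessie decision would help.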


_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
