Source: tiff
Version: 4.0.8-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for tiff.

CVE-2017-11613[0]:
| In LibTIFF 4.0.8, there is a denial of service vulnerability in the
| TIFFOpen function. A crafted input will lead to a denial of service
| attack. During the TIFFOpen process, td_imagelength is not checked. The
| value of td_imagelength can be directly controlled by an input file. In
| the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc
| function is called based on td_imagelength. If we set the value of
| td_imagelength close to the amount of system memory, it will hang the
| system or trigger the OOM killer.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11613
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11613
[1] https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f

Can you check if that was reported upstream as well?
Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

_______________________________________________
Secure-testing-team mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
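The failure mode described in the report, a per-strip table whose size is derived from the file-controlled td_imagelength, together with the kind of plausibility bound a reader would want before such an allocation, as an added illustration that is not libtiff's code and not the upstream fix; the struct, function names and the file-size bound are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layout record; field names echo the report, not libtiff's structs. */
typedef struct {
    uint32_t td_imagelength;   /* taken from the IFD, so attacker-controlled */
    uint32_t td_rowsperstrip;  /* taken from the IFD, so attacker-controlled */
    uint64_t file_size;        /* measured from the open file, not from any tag */
} strip_layout;

/* Number of strips a chop would produce, or 0 when the request is implausible.
 * No file can contain more strips than it has bytes, so the file size bounds
 * the table size regardless of what td_imagelength claims. */
uint64_t planned_strip_count(const strip_layout *l) {
    if (l->td_rowsperstrip == 0) return 0;
    uint64_t nstrips =
        ((uint64_t)l->td_imagelength + l->td_rowsperstrip - 1) / l->td_rowsperstrip;
    if (nstrips == 0 || nstrips > l->file_size) return 0;
    return nstrips;
}

/* Allocate the per-strip offset and bytecount tables only after the bound holds.
 * Returns false (and allocates nothing lasting) when the request is refused. */
bool try_chop(uint32_t imagelength, uint32_t rowsperstrip, uint64_t file_size) {
    strip_layout l = { imagelength, rowsperstrip, file_size };
    uint64_t n = planned_strip_count(&l);
    if (n == 0 || n > SIZE_MAX / sizeof(uint64_t)) return false;
    uint64_t *offsets = calloc((size_t)n, sizeof(uint64_t));
    uint64_t *bytecounts = calloc((size_t)n, sizeof(uint64_t));
    bool ok = offsets != NULL && bytecounts != NULL;
    free(offsets);
    free(bytecounts);
    return ok;
}

int main(void) {
    /* Constructed inputs: a plausible 4 KiB file, then one claiming a huge image length. */
    printf("plausible: %s\n", try_chop(1000, 8, 4096) ? "allocated" : "refused");
    printf("oversized: %s\n", try_chop(0xFFFFFFFFu, 1, 4096) ? "allocated" : "refused");
    return 0;
}
```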

