Your message dated Thu, 21 Dec 2017 16:37:32 +0000
with message-id <[email protected]>
and subject line Bug#866109: fixed in tiff 4.0.9-2
has caused the Debian Bug report #866109,
regarding tiff: CVE-2017-9935: Heap-based buffer overflow in t2p_write_pdf
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
866109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866109
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tiff
Version: 4.0.8-2
Severity: grave
Tags: upstream security
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2704
Hi,
the following vulnerability was published for tiff, using severity
grave for now since I'm not sure code execution can be ruled out.
CVE-2017-9935[0]:
| In LibTIFF 4.0.8, there is a heap-based buffer overflow in the
| t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could
| lead to different damages. For example, a crafted TIFF document can
| lead to an out-of-bounds read in TIFFCleanup, an invalid free in
| TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or
| a double free in t2p_free. Given these possibilities, it probably could
| cause arbitrary code execution.
In the upstream bugtracker the reporter has provided his reproducers
which can be used later on to verify a fix as well with the given
testcases.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2704
Please adjust the affected versions in the BTS as needed, specifically
no checks have been done yet for older versions than 4.0.8-2.
Regards,
Salvatore
--- End Message ---
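Salvatore asks that the affected versions be adjusted in the BTS, and the close notification above names 4.0.9-2 as the fixed version. The following is an added example and not part of the bug report, of dpkg, or of the tiff package: a Python reimplementation of dpkg's version-comparison algorithm (epoch, upstream, revision, with the `~` rule), used to flag tiff binary packages whose installed version is still below the fix. The package list is taken from the Binary field of the upload; the `dpkg-query` output it parses is constructed, and the function names are my own.

```python
"""Debian version comparison (dpkg's algorithm) applied to the tiff fix."""
from typing import List, Tuple

FIXED_VERSION = "4.0.9-2"  # from the subject line "fixed in tiff 4.0.9-2"
# Binary packages built from the tiff source, per the upload's Binary field.
AFFECTED_PACKAGES = ("libtiff5", "libtiffxx5", "libtiff5-dev", "libtiff-dev",
                     "libtiff-tools", "libtiff-opengl", "libtiff-doc")


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' sorts before everything, even end of string."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does:
    alternate non-digit runs (lexical, with the '~' rule) and digit runs (numeric)."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0":  # leading zeros are insignificant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():  # the longer digit run is the larger number
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions would."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return compare_versions(installed, fixed) >= 0


def vulnerable_packages(dpkg_output: str, fixed: str = FIXED_VERSION) -> List[str]:
    """Parse 'dpkg-query -W -f "${Package} ${Version}\\n"' output and list the
    tiff binary packages still below the fixed version."""
    flagged = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, ver = parts
        if pkg in AFFECTED_PACKAGES and not is_fixed(ver, fixed):
            flagged.append(pkg)
    return flagged


# Constructed sample output, not taken from a real host.
SAMPLE_DPKG_OUTPUT = """libtiff5 4.0.8-2
libtiff-tools 4.0.8-2
libtiffxx5 4.0.9-2
zlib1g 1:1.2.8.dfsg-5
"""

if __name__ == "__main__":
    print(vulnerable_packages(SAMPLE_DPKG_OUTPUT))  # ['libtiff5', 'libtiff-tools']
```

The comparison only answers whether a host runs at least the unstable fix version. Stable suites receive security fixes as separate uploads with their own version strings, so for such hosts the per-suite fixed version from the security tracker linked above is the right reference, not 4.0.9-2.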
--- Begin Message ---
Source: tiff
Source-Version: 4.0.9-2
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 15 Dec 2017 17:45:42 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source amd64 all
Version: 4.0.9-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
libtiff-dev - Tag Image File Format library (TIFF), development files, current
libtiff-doc - TIFF manipulation and conversion documentation
libtiff-opengl - TIFF manipulation and conversion tools
libtiff-tools - TIFF manipulation and conversion tools
libtiff5 - Tag Image File Format (TIFF) library
libtiff5-dev - Tag Image File Format library (TIFF), development files
libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 866109
Changes:
tiff (4.0.9-2) unstable; urgency=high
.
* Fix CVE-2017-9935: heap-based buffer overflow in the t2p_write_pdf()
function (closes: #866109).
* Update debhelper level to 11 .
* Update Standards-Version to 4.1.2 .
Checksums-Sha1:
099310eee1fa57092462ef2e75039dc583423054 2184 tiff_4.0.9-2.dsc
aa2ed83b38238be1b570758b3dda4cdfd3eff28d 18020 tiff_4.0.9-2.debian.tar.xz
2a6ff45c1a2f4d8120d7c02fd9cac8b958730ed5 96124 libtiff-dev_4.0.9-2_amd64.deb
2b5ab20f1117ae495ca6df244a87c9637805c676 403092 libtiff-doc_4.0.9-2_all.deb
4d1ac77de084578b7f5116352cb494aa51e839d7 14312 libtiff-opengl-dbgsym_4.0.9-2_amd64.deb
721f4a5673fc033799b8ffda4e4d88c0b6f56d8b 104692 libtiff-opengl_4.0.9-2_amd64.deb
ddd8cc86db89b47ee40e97cfb25d6a254f5bbda7 352396 libtiff-tools-dbgsym_4.0.9-2_amd64.deb
551109d704e4b40939f1a0693ab2c685a9197a1d 286760 libtiff-tools_4.0.9-2_amd64.deb
c0702078f27d687804ff4d5bcdf606979313876b 376192 libtiff5-dbgsym_4.0.9-2_amd64.deb
3a9c27948d6f4dce4d30e0f66b0b9e2c33879abe 366648 libtiff5-dev_4.0.9-2_amd64.deb
a8147cd8086314b51ddd02529d0fe1aca7b7af68 245124 libtiff5_4.0.9-2_amd64.deb
79db89a8a684c5f68865c50ff1017e3bf30b237d 21096 libtiffxx5-dbgsym_4.0.9-2_amd64.deb
a93e101cf857f3b2eb23e275b9358a605b797d8f 99808 libtiffxx5_4.0.9-2_amd64.deb
2e20ca99a05ee47354a3cf772181630afbd0483e 11917 tiff_4.0.9-2_amd64.buildinfo
Checksums-Sha256:
92f18a33fe226c434778ff805bb4b5dcb3c1dbc30bb6f62069c19a110fa6453a 2184 tiff_4.0.9-2.dsc
59b0617a304c166cf123a8c33c8a5b287890b753125dbf04aa5c22a322d1fa80 18020 tiff_4.0.9-2.debian.tar.xz
9a98169be6f6dcffab99eaa06b57c6c24e90481fc3f5aa4bbc2838eb2ce75afe 96124 libtiff-dev_4.0.9-2_amd64.deb
bb6709b3d04d81ead8b0ea958fac1fe36f2a433a4133980748b760dee25e6fae 403092 libtiff-doc_4.0.9-2_all.deb
f675200f3b52c3863d2282712cfb22a4c7947dc9088119576821e6ec62cb85b6 14312 libtiff-opengl-dbgsym_4.0.9-2_amd64.deb
7a009a18962d67dd56a2821d5689569a81546942c0d46c771890cf08003293a2 104692 libtiff-opengl_4.0.9-2_amd64.deb
15ddca78a1474019a110a73f095bb7060a7f717e24f150e50c2014a0d342b057 352396 libtiff-tools-dbgsym_4.0.9-2_amd64.deb
a647c949c09aabcbb65d568e616910c64085b0f125fbf62ecb78ceb71f30b1ab 286760 libtiff-tools_4.0.9-2_amd64.deb
db23890c885e7ce33fbfa9e417653c3a743b407ea3697d288a2c4c89d4b2be4a 376192 libtiff5-dbgsym_4.0.9-2_amd64.deb
904b7fc88ab31f56d5537a2bf3107653fa6a618ec966132417c8f3b31a0680a5 366648 libtiff5-dev_4.0.9-2_amd64.deb
9e92d71294b6b484b93daa26e0055824c2d65d76b14ee787b650289855287990 245124 libtiff5_4.0.9-2_amd64.deb
c64dfecf80ed5c804288019a0d5e8a6ab7650cb1ab8bac39bfbce2ff2cec5f35 21096 libtiffxx5-dbgsym_4.0.9-2_amd64.deb
97dbb4233cf08839cd7cfbba0fd05547b4cc8fcd192a67f768c4909cc03abc22 99808 libtiffxx5_4.0.9-2_amd64.deb
33114207bfe6c17cebfdb6e716518d380270d5b008718f10a5ec8ef2800b8dc1 11917 tiff_4.0.9-2_amd64.buildinfo
Files:
ab7a38af96ab79e21e83e6b8fca67382 2184 libs optional tiff_4.0.9-2.dsc
34be5eae52e2edba92135f3d91c85ea7 18020 libs optional tiff_4.0.9-2.debian.tar.xz
ef77401ed17ab7673c9aa99244fc0386 96124 oldlibs optional libtiff-dev_4.0.9-2_amd64.deb
fbec089414e9e335d3849fd3b9658445 403092 doc optional libtiff-doc_4.0.9-2_all.deb
f877127ebbb4eab008448d0c14f4216a 14312 debug optional libtiff-opengl-dbgsym_4.0.9-2_amd64.deb
18b1040aa4773a2fd8d0ab4d166d88de 104692 graphics optional libtiff-opengl_4.0.9-2_amd64.deb
ecd0f2007e502919ad97a18eaf2e0f39 352396 debug optional libtiff-tools-dbgsym_4.0.9-2_amd64.deb
8b6e4f1514d8d24d2d14f45719d49f69 286760 graphics optional libtiff-tools_4.0.9-2_amd64.deb
dd85aac73aef5c85fd101285eb5b8d13 376192 debug optional libtiff5-dbgsym_4.0.9-2_amd64.deb
2dcc1116ea161a57dfe5feb10e022b5c 366648 libdevel optional libtiff5-dev_4.0.9-2_amd64.deb
58680ed6c323a72fc0cc85bc54c8e60f 245124 libs optional libtiff5_4.0.9-2_amd64.deb
366945f0a52692d9b52c13e3b60482de 21096 debug optional libtiffxx5-dbgsym_4.0.9-2_amd64.deb
f819686c899dc7751aac3b86cbd50dd5 99808 libs optional libtiffxx5_4.0.9-2_amd64.deb
1546b7d71d286d78f0ea94455253b7f9 11917 libs optional tiff_4.0.9-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
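The upload record above carries MD5, SHA-1 and SHA-256 digests and sizes for every file of the 4.0.9-2 upload. As an added example that is not part of the Debian archive tooling or of the tiff package, the following Python script parses those digest fields out of a .changes body and checks a set of downloaded files against all of them, reporting missing files, size mismatches and digest mismatches. The .changes text and the file contents it uses are constructed at runtime (so the script runs offline and its digests are self-consistent), and the function names are my own.

```python
"""Verify files against the digest fields of a Debian .changes file."""
import hashlib
from typing import Dict, List

# Field name -> hashlib algorithm. "Files" is the legacy field whose lines read
# "md5 size section priority filename"; Checksums-* lines read "digest size filename".
DIGEST_FIELDS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}


def parse_deb822(text: str) -> Dict[str, List[str]]:
    """Minimal deb822 parser: field name -> [first-line value, continuation lines...].
    Expects the PGP clearsign armor to have been removed after verification."""
    fields: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":  # continuation line of the current field
            if current is None:
                raise ValueError("continuation line before any field")
            line = raw.strip()
            if line != ".":  # a lone '.' encodes an empty line in multi-line fields
                fields[current].append(line)
        else:
            name, _, value = raw.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def expected_digests(fields: Dict[str, List[str]]) -> Dict[str, Dict[str, tuple]]:
    """filename -> {algorithm: (hexdigest, size)} gathered from every digest field."""
    out: Dict[str, Dict[str, tuple]] = {}
    for field, algo in DIGEST_FIELDS.items():
        for line in fields.get(field, []):
            parts = line.split()
            if len(parts) < 3:
                raise ValueError(f"malformed {field} entry: {line!r}")
            out.setdefault(parts[-1], {})[algo] = (parts[0].lower(), int(parts[1]))
    return out


def verify_files(changes_text: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Return filename -> 'ok', 'missing', or a ';'-joined list of what disagreed."""
    report = {}
    for name, digests in expected_digests(parse_deb822(changes_text)).items():
        data = files.get(name)
        if data is None:
            report[name] = "missing"
            continue
        problems = set()
        for algo, (digest, size) in digests.items():
            if len(data) != size:
                problems.add(f"size {len(data)} != {size}")
            if hashlib.new(algo, data).hexdigest() != digest:
                problems.add(f"{algo} mismatch")
        report[name] = "ok" if not problems else "; ".join(sorted(problems))
    return report


# Constructed stand-ins for the upload's files; the real archive files are not embedded here.
SAMPLE_FILES = {
    "tiff_4.0.9-2.dsc": b"Format: 3.0 (quilt)\nSource: tiff\nVersion: 4.0.9-2\n",
    "tiff_4.0.9-2.debian.tar.xz": bytes(range(256)),
}


def build_sample_changes(files: Dict[str, bytes]) -> str:
    """Build a constructed .changes body whose digest lines match `files`."""
    lines = ["Format: 1.8", "Source: tiff", "Version: 4.0.9-2", "Distribution: unstable"]
    for field, algo in DIGEST_FIELDS.items():
        lines.append(f"{field}:")
        for name, data in files.items():
            extra = " libs optional" if field == "Files" else ""
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)}{extra} {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    changes = build_sample_changes(SAMPLE_FILES)
    print(verify_files(changes, SAMPLE_FILES))
    tampered = {**SAMPLE_FILES, "tiff_4.0.9-2.debian.tar.xz": b"\x01" + bytes(range(1, 256))}
    print(verify_files(changes, tampered))
```

The digests bind the files to the .changes text, but only the clearsign signature binds that text to the uploader's key, so check the signature (for example with `gpg --verify`) before trusting any digest in it; checking all three digest families at once also makes a record whose fields disagree with each other show up as a mismatch rather than passing on the weakest one.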