Package: tiff
Version: 4.0.2-6
Severity: important
Tags: security

Hi,

many vulnerabilities have been reported against libtiff and a few of them have been dismissed on the upstream side by simply dropping some of the tools shipped in libtiff-tools. Until 4.0.7 is available, we should do the same in Debian.

The vulnerabilities below are about bmp2tiff, which has been dropped. But if you look at the full list of vulnerabilities you will find others about dropped tools (I noticed "thumbnail" in CVE-2016-3633).

https://security-tracker.debian.org/tracker/source-package/tiff

CVE-2016-5319[0]:
libtiff: PackBitsEncode heap buffer overflow

CVE-2015-8668[1]:
| Heap-based buffer overflow in the PackBitsPreEncode function in
| tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote
| attackers to execute arbitrary code or cause a denial of service via a
| large width field in a BMP image.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5319
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5319
[1] https://security-tracker.debian.org/tracker/CVE-2015-8668
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8668

Please adjust the affected versions in the BTS as needed.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
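The CVE-2015-8668 description above names the bug class: a large width field in a BMP header drives the size of a heap buffer, and unchecked 32-bit arithmetic lets that size wrap while the decoder still writes the full row. The example below is added here as an illustration of the defensive pattern and is not libtiff's code nor the bmp2tiff fix; the function names, the 1 GiB sanity cap and the sample header values are assumptions constructed for the demo. It puts the naive arithmetic beside a checked version that computes in 64 bits, rejects impossible geometry, and only then allocates.

```c
/* Added example (not libtiff's code): overflow-checked geometry validation
 * for a BMP header, the mitigation class for CVE-2015-8668, where a large
 * width field led to a heap buffer overflow. Function names, the sanity cap
 * and the sample header values are assumptions constructed for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumed sanity cap on pixel-data size: 1 GiB. */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* Naive row-size arithmetic in 32 bits: width * bpp can wrap, so a huge width
 * yields a tiny buffer while the decoder still writes `width` pixels into it.
 * Kept only for contrast with the checked version below. */
uint32_t naive_row_bytes(uint32_t width, uint16_t bits_per_pixel)
{
    return width * bits_per_pixel / 8;   /* wraps to 0 for width == 2^27 at 32 bpp */
}

/* Checked BMP row size: rows are padded to a multiple of 4 bytes.
 * Returns 0 when the geometry is rejected (a valid row is never 0 bytes). */
size_t bmp_row_bytes(uint32_t width, uint16_t bits_per_pixel)
{
    if (width == 0 || bits_per_pixel == 0 || bits_per_pixel > 32)
        return 0;
    uint64_t bits   = (uint64_t)width * bits_per_pixel;  /* cannot wrap in 64 bits */
    uint64_t bytes  = (bits + 7) / 8;
    uint64_t padded = (bytes + 3) & ~(uint64_t)3;
    if (padded > MAX_IMAGE_BYTES)
        return 0;
    return (size_t)padded;
}

/* Checked total pixel-data size. BMP height may be negative (top-down rows).
 * Returns 0 when rejected. */
size_t bmp_image_bytes(uint32_t width, int32_t height, uint16_t bits_per_pixel)
{
    size_t row = bmp_row_bytes(width, bits_per_pixel);
    if (row == 0 || height == 0 || height == INT32_MIN)
        return 0;
    uint64_t rows = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    if (rows > MAX_IMAGE_BYTES / row)       /* row * rows would exceed the cap */
        return 0;
    return row * (size_t)rows;
}

/* Allocate pixel storage only after the geometry has been validated. */
unsigned char *bmp_alloc_pixels(uint32_t width, int32_t height,
                                uint16_t bits_per_pixel, size_t *size_out)
{
    size_t total = bmp_image_bytes(width, height, bits_per_pixel);
    if (total == 0)
        return NULL;
    unsigned char *buf = calloc(1, total);
    if (buf != NULL && size_out != NULL)
        *size_out = total;
    return buf;
}

/* Stand-alone demo over constructed header values. */
int main(void)
{
    struct { uint32_t w; int32_t h; uint16_t bpp; } samples[] = {
        { 640, 480, 24 },          /* ordinary image */
        { 0x80000000u, 1, 32 },    /* hostile width: naive arithmetic wraps to 0 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        unsigned char *p = bmp_alloc_pixels(samples[i].w, samples[i].h, samples[i].bpp, &n);
        printf("width=%u height=%d bpp=%u naive_row=%u checked=%s (%zu bytes)\n",
               samples[i].w, samples[i].h, samples[i].bpp,
               naive_row_bytes(samples[i].w, samples[i].bpp),
               p ? "accepted" : "rejected", n);
        free(p);
    }
    return 0;
}
```

The point of the checked path is that every size feeding an allocation is derived once, in a width that cannot wrap, and bounded by an explicit cap, so a hostile header is rejected before any buffer exists rather than producing a buffer smaller than the data that will be written into it.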