Hi László,

On Wed, Jul 12, 2023 at 10:12:50PM +0200, László Böszörményi wrote:
> Hi Salvatore,
>
> On Wed, Jul 12, 2023 at 9:39 PM Salvatore Bonaccorso <car...@debian.org> wrote:
> > Source: tiff
> > Version: 4.5.1-1
> > CVE-2023-3618[0]:
> > | A flaw was found in libtiff. A specially crafted tiff file can lead
> > | to a segmentation fault due to a buffer overflow in the Fax3Encode
> > | function in libtiff/tif_fax3.c, resulting in a denial of service.
> [...]
> > Please adjust the affected versions in the BTS as needed.
> Done my quick testing. My experience is the following.
> 1) libtiff6 and libtiff-tools are both 4.5.1-1 (i.e. Trixie): the tool
> reports several warnings, exits with 1 (non-zero) but doesn't
> segfault. Even tried with valgrind, still no segfault.
> 2) libtiff6 is 4.5.1-1 backported to Bookworm and libtiff-tools is
> not, i.e. it's 4.5.0-6: the tool reports the same warnings as above,
> but this time it _does_ segfault.
> 3) If libtiff-tools is also updated to 4.5.1-1 on Bookworm: it's like the
> first case, several warnings, non-zero exit code without a segfault.
>
> In short, it seems:
> - it's a non-dsa issue, as it's only a crash in a CLI tool (which has end of life now),
> - it doesn't affect the library,
> - while 4.5.0-6 (and in fact, at least from 4.5.0-1) is vulnerable,
> 4.5.1-1 fixed this issue.
>
> But you may find it otherwise; I do not alter this report in the BTS.
Thanks for coming back that quickly, impressive :). I do completely agree, it's a no-dsa issue similar to the others; that was done already.

As for having the issue fixed: the problem I have is that upstream has not yet closed the issue. Is it completely fixed, and what is the fixing commit? https://gitlab.com/libtiff/libtiff/-/issues/529 is slightly unhelpful on that front. Are you able to identify the fixing commit confirming it is done in 4.5.1-1?

Regards,
Salvatore