Your message dated Thu, 19 May 2005 11:32:20 -0400 with message-id <[EMAIL PROTECTED]> and subject line Bug#309739: fixed in tiff 3.7.2-3 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 May 2005 08:17:40 +0000
Date: Thu, 19 May 2005 10:17:07 +0200
From: Martin Pitt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: libtiff4: vulnerable to CAN-2005-1544

Package: libtiff4
Version: 3.7.2-2
Severity: critical
Tags: security

Hi!

Libtiff is vulnerable to another exploitable segfault, see

  http://bugzilla.remotesensing.org/show_bug.cgi?id=843

for details. However, please don't take the patch attached to that bug
report, it's incomplete. Upstream CVS has the complete patch, you can
also grab it from

  http://bugs.gentoo.org/attachment.cgi?id=58276

For Sid you should probably just package the new upstream version, but
for Sarge the patch is fine (I already ported it to 3.6.1 for Ubuntu's
releases and tested it).

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer   http://www.debian.org

---------------------------------------
Received: (at 309739-close) by bugs.debian.org; 19 May 2005 15:41:41 +0000
From: Jay Berkenbilt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#309739: fixed in tiff 3.7.2-3
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 19 May 2005 11:32:20 -0400

Source: tiff
Source-Version: 3.7.2-3

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-opengl_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiff-opengl_3.7.2-3_i386.deb
libtiff-tools_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiff-tools_3.7.2-3_i386.deb
libtiff4-dev_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiff4-dev_3.7.2-3_i386.deb
libtiff4_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiff4_3.7.2-3_i386.deb
libtiffxx0_3.7.2-3_i386.deb
  to pool/main/t/tiff/libtiffxx0_3.7.2-3_i386.deb
tiff_3.7.2-3.diff.gz
  to pool/main/t/tiff/tiff_3.7.2-3.diff.gz
tiff_3.7.2-3.dsc
  to pool/main/t/tiff/tiff_3.7.2-3.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <[EMAIL PROTECTED]> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Thu, 19 May 2005 05:41:28 -0400
Source: tiff
Binary: libtiff-opengl libtiffxx0 libtiff4 libtiff-tools libtiff4-dev
Architecture: source i386
Version: 3.7.2-3
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <[EMAIL PROTECTED]>
Changed-By: Jay Berkenbilt <[EMAIL PROTECTED]>
Description:
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 309739
Changes:
 tiff (3.7.2-3) unstable; urgency=high
 .
   * Fix for exploitable segmentation fault on files with bad
     BitsPerSample values. (Closes: #309739)
     [libtiff/tif_dirread.c, CAN-2005-1544] Thanks to Martin Pitt for
     the report.