Your message dated Sun, 20 Nov 2016 13:50:43 +0000
with message-id <e1c8sw3-000htf...@fasolo.debian.org>
and subject line Bug#844013: fixed in tiff 4.0.7-1
has caused the Debian Bug report #844013,
regarding tiff: CVE-2016-9273
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
844013: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844013
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tiff
Version: 4.0.6-3
Severity: grave
Tags: security upstream patch
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2587
Hi,
the following vulnerability was published for tiff, reproducible with
an ASAN build and the provided reproducer upstream.
CVE-2016-9273[0]:
libtiff heap overflow
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9273
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2587
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 4.0.7-1
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 844...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 19 Nov 2016 18:05:24 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.7-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
libtiff-doc - TIFF manipulation and conversion documentation
libtiff-opengl - TIFF manipulation and conversion tools
libtiff-tools - TIFF manipulation and conversion tools
libtiff5 - Tag Image File Format (TIFF) library
libtiff5-dev - Tag Image File Format library (TIFF), development files
libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 800124 820365 844013 844226
Changes:
 tiff (4.0.7-1) unstable; urgency=high
 .
   * New upstream release.
   * Fixes the following vulnerabilities:
     - CVE-2015-7313, OOM when parsing crafted tiff files (closes: #800124),
     - CVE-2016-3622, denial of service (divide-by-zero error) via
       the fpAcc function in tif_predict.c (closes: #820365),
     - CVE-2016-3945, multiple integer overflows in the tiff2rgba tool,
     - CVE-2016-3990, write buffer overflow in PixarLogEncode,
     - CVE-2016-3991 and CVE-2016-5322, heap-based buffer overflow in the
       loadImage function,
     - CVE-2016-9273, heap-buffer-overflow in cpStrips (closes: #844013),
     - CVE-2016-9297, segfault in _TIFFPrintField() (closes: #844226),
     - CVE-2016-9448, in TIFFFetchNormalTag(), do not dereference NULL pointer
       (regression of CVE-2016-9297),
     - heap buffer overflow via writeBufferToSeparateStrips() in tiffcrop.
   * Remove backported vulnerability fixes, this release contains those.
   * Update libtiff5 symbols.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---