Your message dated Mon, 03 Dec 2018 21:47:28 +0000
with message-id <e1gtw3s-0003l7...@fasolo.debian.org>
and subject line Bug#869823: fixed in tiff 4.0.8-2+deb9u3
has caused the Debian Bug report #869823,
regarding tiff: CVE-2017-11613
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
869823: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869823
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tiff
Version: 4.0.8-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for tiff.

CVE-2017-11613[0]:
| In LibTIFF 4.0.8, there is a denial of service vulnerability in the
| TIFFOpen function. A crafted input will lead to a denial of service
| attack. During the TIFFOpen process, td_imagelength is not checked. The
| value of td_imagelength can be directly controlled by an input file. In
| the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc
| function is called based on td_imagelength. If we set the value of
| td_imagelength close to the amount of system memory, it will hang the
| system or trigger the OOM killer.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11613
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11613
[1] https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f

Can you check if that was as well reported upstream?
Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
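
The allocation pattern described in the CVE text above, as an added example (not libtiff's code and not the patch shipped in 4.0.8-2+deb9u3): a header-supplied row count sizes two per-strip arrays, and the hardened path rejects counts the file cannot back. The struct, function names and the 8 KiB chop target are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-ins (hypothetical names) for values parsed from the file. */
typedef struct {
    uint32_t image_length;  /* row count; plays the role of td_imagelength */
    uint64_t bytes_per_row; /* derived from width and sample layout */
    uint64_t strip_offset;  /* file offset of the single uncompressed strip */
} strip_info;

#define CHOP_TARGET 8192u   /* assumed: aim for about 8 KiB per chopped strip */

/* Strips the chop step would create, driven only by header fields. */
uint64_t chopped_strip_count(const strip_info *s)
{
    uint64_t rows_per_strip;
    if (s->bytes_per_row == 0 || s->image_length == 0)
        return 0;
    rows_per_strip = CHOP_TARGET / s->bytes_per_row;
    if (rows_per_strip == 0)
        rows_per_strip = 1;               /* wide rows: one row per strip */
    return (s->image_length + rows_per_strip - 1) / rows_per_strip;
}

/* Bytes the offset and byte-count arrays would need with no validation. */
uint64_t unchecked_array_bytes(const strip_info *s)
{
    return chopped_strip_count(s) * 2 * sizeof(uint64_t);
}

/* Hardened: allocate only if the declared rows fit in the real file.
 * Returns the arrays (caller frees) or NULL when the header is rejected. */
uint64_t *alloc_strip_arrays(const strip_info *s, uint64_t file_size,
                             uint64_t *nstrips_out)
{
    uint64_t n = chopped_strip_count(s);
    uint64_t avail;
    *nstrips_out = 0;
    if (n == 0 || s->strip_offset >= file_size)
        return NULL;
    avail = file_size - s->strip_offset;
    /* Division form avoids overflow in image_length * bytes_per_row. */
    if (s->image_length > avail / s->bytes_per_row)
        return NULL;
    *nstrips_out = n;
    return calloc((size_t)n, 2 * sizeof(uint64_t));
}
```

With a constructed 4 KiB file that declares 0xFFFFFFF0 rows of 16384 bytes, the unchecked size is roughly 64 GiB, while the checked path returns NULL before any allocation.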
--- Begin Message ---
Source: tiff
Source-Version: 4.0.8-2+deb9u3

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 29 Nov 2018 20:45:11 +0100
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.8-2+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 869823 883320 890441 891288 893806 898348 909037 909038 911635
Changes:
 tiff (4.0.8-2+deb9u3) stretch-security; urgency=medium
 .
   * CVE-2018-5784 (Closes: #890441)
   * CVE-2018-7456 (Closes: #891288)
   * CVE-2018-8905 (Closes: #893806)
   * CVE-2018-10963 (Closes: #898348)
   * CVE-2018-17100 (Closes: #909038)
   * CVE-2018-17101 (Closes: #909037)
   * CVE-2018-18557 (Closes: #911635)
   * CVE-2017-11613 (Closes: #869823)
   * CVE-2017-17095 (Closes: #883320)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
