Your message dated Mon, 03 Dec 2018 21:47:38 +0000
with message-id <e1gtw42-0003o8...@fasolo.debian.org>
and subject line Bug#911635: fixed in tiff 4.0.8-2+deb9u4
has caused the Debian Bug report #911635,
regarding tiff: CVE-2018-18557: JBIG: fix potential out-of-bounds write in
JBIGDecode()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
911635: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911635
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tiff
Version: 4.0.9-6
Severity: important
Tags: patch security upstream
Forwarded: https://gitlab.com/libtiff/libtiff/merge_requests/38
Hi,

The following vulnerability was published for tiff.

CVE-2018-18557[0]:
| LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a
| buffer, ignoring the buffer size, which leads to a tif_jbig.c
| JBIGDecode out-of-bounds write.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18557
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18557
[1] https://gitlab.com/libtiff/libtiff/merge_requests/38

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 4.0.8-2+deb9u4
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 911...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 29 Nov 2018 20:45:11 +0100
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.8-2+deb9u4
Distribution: stretch-security
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5 - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 869823 883320 890441 891288 893806 898348 909037 911635
Changes:
 tiff (4.0.8-2+deb9u4) stretch-security; urgency=medium
 .
   * CVE-2018-5784 (Closes: #890441)
   * CVE-2018-7456 (Closes: #891288)
   * CVE-2018-8905 (Closes: #893806)
   * CVE-2018-10963 (Closes: #898348)
   * CVE-2018-17101 (Closes: #909037)
   * CVE-2018-18557 (Closes: #911635)
   * CVE-2017-11613 (Closes: #869823)
   * CVE-2017-17095 (Closes: #883320)
   (deb9u3 is unreleased, broken interim)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---