Your message dated Sun, 30 Oct 2022 19:08:00 +0000
with message-id <e1opdf6-003jgc...@fasolo.debian.org>
and subject line Bug#1022555: fixed in tiff 4.4.0-5
has caused the Debian Bug report #1022555,
regarding tiff: CVE-2022-3627 CVE-2022-3626 CVE-2022-3599 CVE-2022-3598
CVE-2022-3597 CVE-2022-3570
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1022555: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022555
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tiff
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for tiff.
CVE-2022-3627[0]:
| LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in
| libtiff/tif_unix.c:346 when called from extractImageSection,
| tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 236b7191.
https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
https://gitlab.com/libtiff/libtiff/-/issues/411
CVE-2022-3626[1]:
| LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in
| libtiff/tif_unix.c:340 when called from processCropSelections,
| tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 236b7191.
https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
https://gitlab.com/libtiff/libtiff/-/issues/426
CVE-2022-3599[2]:
| LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in
| tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit e8131125.
https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246
https://gitlab.com/libtiff/libtiff/-/issues/398
CVE-2022-3598[3]:
| LibTIFF 4.4.0 has an out-of-bounds write in
| extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing
| attackers to cause a denial-of-service via a crafted tiff file. For
| users that compile libtiff from sources, the fix is available with
| commit cfbb883b.
https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff
https://gitlab.com/libtiff/libtiff/-/issues/435
CVE-2022-3597[4]:
| LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in
| libtiff/tif_unix.c:346 when called from extractImageSection,
| tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 236b7191.
https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
https://gitlab.com/libtiff/libtiff/-/issues/413
CVE-2022-3570[5]:
| Multiple heap buffer overflows in the tiffcrop.c utility in libtiff
| library version 4.4.0 allow an attacker to trigger unsafe or
| out-of-bounds memory access via a crafted TIFF image file, which could
| result in an application crash, potential information disclosure or
| any other context-dependent impact.
https://gitlab.com/libtiff/libtiff/-/commit/bd94a9b383d8755a27b5a1bc27660b8ad10b094c
https://gitlab.com/libtiff/libtiff/-/issues/381
https://gitlab.com/libtiff/libtiff/-/issues/386
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-3627
https://www.cve.org/CVERecord?id=CVE-2022-3627
[1] https://security-tracker.debian.org/tracker/CVE-2022-3626
https://www.cve.org/CVERecord?id=CVE-2022-3626
[2] https://security-tracker.debian.org/tracker/CVE-2022-3599
https://www.cve.org/CVERecord?id=CVE-2022-3599
[3] https://security-tracker.debian.org/tracker/CVE-2022-3598
https://www.cve.org/CVERecord?id=CVE-2022-3598
[4] https://security-tracker.debian.org/tracker/CVE-2022-3597
https://www.cve.org/CVERecord?id=CVE-2022-3597
[5] https://security-tracker.debian.org/tracker/CVE-2022-3570
https://www.cve.org/CVERecord?id=CVE-2022-3570
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 4.4.0-5
Done: Laszlo Boszormenyi (GCS) <g...@debian.org>
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1022...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 23 Oct 2022 22:38:15 +0200
Source: tiff
Architecture: source
Version: 4.4.0-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Closes: 1022555
Changes:
tiff (4.4.0-5) unstable; urgency=high
.
* Backport security fix for CVE-2022-3597, CVE-2022-3626 and CVE-2022-3627,
out of bounds write and denial of service via a crafted TIFF file.
* Backport security fix for CVE-2022-3570, multiple heap buffer overflows
via crafted TIFF file.
* Backport security fix for CVE-2022-3599, denial-of-service via a crafted
TIFF file.
* Backport security fix for CVE-2022-3598, denial-of-service via a crafted
TIFF file (closes: #1022555).
Checksums-Sha1:
4cd5799e8728658bf988d3c8ab77674eff97f681 2238 tiff_4.4.0-5.dsc
882c767739a4053025e99f408d5f1cd0f42d3bb4 32312 tiff_4.4.0-5.debian.tar.xz
Checksums-Sha256:
7d74d6e94890625d784c589ac8773adbe6e6647411237e05a932456f8cd9985b 2238 tiff_4.4.0-5.dsc
f21400783c9c034143111f80eb8136735d99c4ee0ac325f5cc78ef694cccf249 32312 tiff_4.4.0-5.debian.tar.xz
Files:
ab093eceed0b56038fc6cc95f65dc6ae 2238 libs optional tiff_4.4.0-5.dsc
9b671727f33085a399eae208420f58e9 32312 libs optional tiff_4.4.0-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
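The closing message above leaves an administrator with one practical question: does the tiff package on a given host carry the 4.4.0-5 upload that closes #1022555? The following Python check is an added example and is not part of the bug report, the Debian BTS, or the tiff package. Its version ordering is a port of the rules dpkg applies (Debian Policy 5.6.12, dpkg's verrevcmp): epoch, then upstream version, then Debian revision; within each fragment runs of digits compare numerically and other runs character by character, with "~" sorting before everything, including the end of the string, and letters before non-letters. The binary package name libtiff-tools (the package that ships tiffcrop) is an assumption, as is the use of dpkg-query to read the installed version. The comparison is only meaningful for the unstable branch named in this thread: stable suites receive these fixes in their own uploads, whose version strings sort below 4.4.0-5, so a "still affected" verdict on a stable host must be confirmed against the security tracker entries listed above.

```python
"""Check an unstable Debian tiff version against the fix in this report.

Added example, not from the bug report or the Debian package. Version
ordering is a port of dpkg's verrevcmp (Debian Policy 5.6.12).
"""
from __future__ import annotations

import subprocess
from typing import List, Optional, Tuple

# From the thread: the six CVEs and the unstable upload closing #1022555.
CVES = (
    "CVE-2022-3627", "CVE-2022-3626", "CVE-2022-3599",
    "CVE-2022-3598", "CVE-2022-3597", "CVE-2022-3570",
)
FIXED_IN_UNSTABLE = "4.4.0-5"


def _weight(c: str) -> int:
    """dpkg character weight: '~' before everything (even end of string),
    end of string and digits weigh 0, letters before other characters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp for one upstream or revision fragment."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one position at a time.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            wa = _weight(a[i] if i < len(a) else "")
            wb = _weight(b[j] if j < len(b) else "")
            if wa != wb:
                return wa - wb
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run is the larger number,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; the last hyphen starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def open_cves(installed: str) -> List[str]:
    """CVEs from this report still open for an *unstable* tiff at `installed`.
    Stable suites carry their own backport uploads, so do not use this there."""
    if compare_versions(installed, FIXED_IN_UNSTABLE) < 0:
        return list(CVES)
    return []


def installed_version(binary_pkg: str = "libtiff-tools") -> Optional[str]:
    """Ask dpkg for the installed version; None if dpkg or the package is absent.
    libtiff-tools (the package shipping tiffcrop) is an assumed package name."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", binary_pkg],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("dpkg-query unavailable or libtiff-tools not installed")
    else:
        still_open = open_cves(v)
        print(f"libtiff-tools {v}: "
              + ("carries the 4.4.0-5 fix" if not still_open
                 else "still affected by " + ", ".join(still_open)))
```

The tilde and binNMU cases are the ones a naive string or tuple comparison gets wrong: 4.4.0~rc1-1 must sort below 4.4.0-5, while 4.4.0-5+b1 is a rebuild of the fixed upload and must sort above it.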