Your message dated Sun, 19 Feb 2023 20:56:52 +0100
with message-id <Y/J/bpnf4tl4z...@eldamar.lan>
and subject line Accepted tiff 4.5.0-5 (source) into unstable
has caused the Debian Bug report #1031632,
regarding tiff: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798
CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803
CVE-2023-0804
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1031632: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031632
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tiff
Version: 4.5.0-4
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi Laszlo,
The following vulnerabilities were published for tiff. Strictly
speaking it might be disputed to file this as RC level, though it would
be good to have those as well addressed before the bookworm release.
CVE-2023-0795[0]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.
CVE-2023-0796[1]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.
CVE-2023-0797[2]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and
| tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.
CVE-2023-0798[3]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.
CVE-2023-0799[4]:
| LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in
| tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit afaabc3e.
CVE-2023-0800[5]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.
CVE-2023-0801[6]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and
| tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.
CVE-2023-0802[7]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.
CVE-2023-0803[8]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.
CVE-2023-0804[9]:
| LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in
| tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 33aee127.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-0795
https://www.cve.org/CVERecord?id=CVE-2023-0795
[1] https://security-tracker.debian.org/tracker/CVE-2023-0796
https://www.cve.org/CVERecord?id=CVE-2023-0796
[2] https://security-tracker.debian.org/tracker/CVE-2023-0797
https://www.cve.org/CVERecord?id=CVE-2023-0797
[3] https://security-tracker.debian.org/tracker/CVE-2023-0798
https://www.cve.org/CVERecord?id=CVE-2023-0798
[4] https://security-tracker.debian.org/tracker/CVE-2023-0799
https://www.cve.org/CVERecord?id=CVE-2023-0799
[5] https://security-tracker.debian.org/tracker/CVE-2023-0800
https://www.cve.org/CVERecord?id=CVE-2023-0800
[6] https://security-tracker.debian.org/tracker/CVE-2023-0801
https://www.cve.org/CVERecord?id=CVE-2023-0801
[7] https://security-tracker.debian.org/tracker/CVE-2023-0802
https://www.cve.org/CVERecord?id=CVE-2023-0802
[8] https://security-tracker.debian.org/tracker/CVE-2023-0803
https://www.cve.org/CVERecord?id=CVE-2023-0803
[9] https://security-tracker.debian.org/tracker/CVE-2023-0804
https://www.cve.org/CVERecord?id=CVE-2023-0804
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
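Whether a given installed tiff package carries this fix comes down to whether its version sorts at or above 4.5.0-5 (the upload that closed this report) under Debian's ordering rules, which differ from plain string comparison: an epoch wins over everything, the last `-` splits upstream version from Debian revision, digit runs compare numerically, and `~` sorts before even the end of the string. The Python below is an added example, not part of this bug report and not dpkg's own code; it reimplements the ordering algorithm dpkg uses so the check runs anywhere, and the package name `libtiff-tools` used for the optional dpkg-query lookup is an assumption (it is where tiffcrop is expected to live on Debian).

```python
"""Decide whether an installed Debian tiff version is at or above 4.5.0-5,
the upload that closed #1031632, using dpkg's version ordering.

Added example, not part of the bug report or of dpkg. The comparison is a
Python reimplementation of the algorithm dpkg uses (epoch, then upstream
version, then Debian revision, with '~' sorting before everything)."""
import re
import subprocess

FIXED_VERSION = "4.5.0-5"  # from the "Accepted tiff 4.5.0-5" close message
_VALID = re.compile(r"^(?:\d+:)?[A-Za-z0-9.+~-]+$")
_DIGITS = "0123456789"


def split_version(v):
    """Return (epoch:int, upstream:str, revision:str)."""
    if not _VALID.match(v):
        raise ValueError("not a Debian version string: %r" % v)
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    revision = ""
    if "-" in v:
        v, revision = v.rsplit("-", 1)  # only the last '-' starts the revision
    return epoch, v, revision


def _order(c):
    # Sort weight of one non-digit character, as in dpkg: end-of-string and
    # digits weigh 0, letters sort by code point, '~' sorts before everything
    # (so 4.5.0~rc1 < 4.5.0), other punctuation sorts after letters.
    if c == "" or c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments by alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison without int(): leading zeros are
        # skipped, so 1.0 == 1.00, and a longer run of digits is larger.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def deb_version_cmp(a, b):
    """-1, 0 or 1, ordering a against b the way dpkg --compare-versions does."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when `installed` sorts at or above the version that closed the bug."""
    return deb_version_cmp(installed, fixed) >= 0


def installed_version(package="libtiff-tools"):
    """Ask dpkg for the installed version; None if dpkg or the package is absent.
    The package name is an assumption (tiffcrop is expected to ship in
    libtiff-tools on Debian)."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("libtiff-tools not installed or dpkg-query unavailable")
    else:
        print(v, "fixed" if is_fixed(v) else "AFFECTED (older than %s)" % FIXED_VERSION)
```

The ordering only answers the question for the unstable version stream. A backport (`~bpo` suffix) or a stable security update built on an older upstream version compares below 4.5.0-5 even if it carries the same patches, so for those consult the security-tracker pages linked in the report rather than the number.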
--- Begin Message ---
Source: tiff
Source-Version: 4.5.0-5
----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 19 Feb 2023 08:46:38 +0100
Source: tiff
Architecture: source
Version: 4.5.0-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changes:
 tiff (4.5.0-5) unstable; urgency=high
 .
   * Backport fix for tiffcrop correctly update buffersize after
     rotateImage().
   * Backport fix for TIFFClose() avoid NULL pointer dereferencing.
   * Backport security fix for CVE-2023-0800, CVE-2023-0801, CVE-2023-0802,
     CVE-2023-0803 and CVE-2023-0804, an out-of-bounds write in tiffcrop
     allows attackers to cause a denial-of-service via a crafted tiff file.
   * Backport security fix for CVE-2023-0795, CVE-2023-0796, CVE-2023-0797,
     CVE-2023-0798 and CVE-2023-0799, an out-of-bounds read in tiffcrop allows
     attackers to cause a denial-of-service via a crafted tiff file.
Checksums-Sha1:
b3b1716db9aa82f059c572ea11e54e6295bdc7b0 2255 tiff_4.5.0-5.dsc
fac9b0cb1427ae690291dae6a77abdd595077ef6 26516 tiff_4.5.0-5.debian.tar.xz
Checksums-Sha256:
cec33019d88624f8ad8a771c8a4cac4b0d07f18e69171c997dab87e7c69c1914 2255 tiff_4.5.0-5.dsc
3fc31dfe0aef671343b84ce23e7baf64789e306838fb176819c18d0754b3811f 26516 tiff_4.5.0-5.debian.tar.xz
Files:
24b0187bac2b137cbf18c2a43cb338aa 2255 libs optional tiff_4.5.0-5.dsc
483a8232d27d40b821f14d2b636ebcad 26516 libs optional tiff_4.5.0-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
----- End forwarded message -----
--- End Message ---
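The Checksums-Sha1, Checksums-Sha256 and Files stanzas in the accepted .changes above let anyone who fetches tiff_4.5.0-5.dsc and tiff_4.5.0-5.debian.tar.xz confirm they received the bytes the maintainer uploaded. The Python below is an added example, not Debian tooling: it parses one Checksums-* (or legacy Files) field from .changes text, checks size before digest, and treats a listed file that is missing as a failure rather than a skip. The embedded stanza is the one from this mail with its wrapped lines re-joined; the positive-case inputs used with `stanza_for` are constructed.

```python
"""Verify downloaded source files against the Checksums-* stanzas of a
.changes file. Added example, not Debian tooling. The embedded stanza is the
one from the tiff_4.5.0-5 upload with its wrapped lines re-joined; the
positive-case inputs built with stanza_for() are constructed."""
import hashlib
import hmac

CHANGES_EXCERPT = """\
Checksums-Sha1:
 b3b1716db9aa82f059c572ea11e54e6295bdc7b0 2255 tiff_4.5.0-5.dsc
 fac9b0cb1427ae690291dae6a77abdd595077ef6 26516 tiff_4.5.0-5.debian.tar.xz
Checksums-Sha256:
 cec33019d88624f8ad8a771c8a4cac4b0d07f18e69171c997dab87e7c69c1914 2255 tiff_4.5.0-5.dsc
 3fc31dfe0aef671343b84ce23e7baf64789e306838fb176819c18d0754b3811f 26516 tiff_4.5.0-5.debian.tar.xz
Files:
 24b0187bac2b137cbf18c2a43cb338aa 2255 libs optional tiff_4.5.0-5.dsc
 483a8232d27d40b821f14d2b636ebcad 26516 libs optional tiff_4.5.0-5.debian.tar.xz
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (size, hexdigest)} for one multi-line field.

    Continuation lines of a field start with a single space. The digest is
    the first token, the size the second and the file name the last, so the
    same parser handles the legacy 'Files' field (md5 size section priority
    name)."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not line.startswith(" "):
            in_field = line.rstrip() == field + ":"
            continue
        if in_field:
            parts = line.split()
            entries[parts[-1]] = (int(parts[1]), parts[0].lower())
    return entries


def _algo_for(field):
    # "Checksums-Sha256" -> "sha256"; the legacy "Files" field carries MD5.
    return "md5" if field == "Files" else field.split("-", 1)[1].lower()


def verify_bytes(entry, data, algo="sha256"):
    """Size first (cheap, and catches truncation), then a constant-time
    comparison of the hex digests."""
    size, digest = entry
    if len(data) != size:
        return False
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), digest)


def verify_files(changes_text, reader, field="Checksums-Sha256"):
    """reader(name) returns the file's bytes, or None if it is not present.
    Every file listed in the stanza must be present and match; a missing
    file is reported as False, never silently skipped."""
    algo = _algo_for(field)
    results = {}
    for name, entry in parse_checksums(changes_text, field).items():
        data = reader(name)
        results[name] = data is not None and verify_bytes(entry, data, algo)
    return results


def stanza_for(files, field="Checksums-Sha256"):
    """Build a stanza for constructed in-memory files (positive-case input)."""
    algo = _algo_for(field)
    lines = [field + ":"]
    for name, data in files.items():
        lines.append(" %s %d %s" % (hashlib.new(algo, data).hexdigest(), len(data), name))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Against constructed bytes every real entry must fail.
    print(verify_files(CHANGES_EXCERPT, lambda name: b"constructed, not the upload"))
```

The digests only bind the files to this particular .changes; what makes them trustworthy is the OpenPGP signature over the .changes (its body is stripped on this page), so check that first against the Debian keyring, for example with `dscverify` from devscripts, and only then compare digests. Prefer the SHA-256 stanza; the MD5 values in Files are kept for compatibility, not for integrity.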