Accepted tiff 4.0.3-12.3+deb8u6 (source all amd64) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 02 Jul 2018 13:04:59 +0200
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.3-12.3+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5 - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 869823 890441 891288 893806 898348
Changes:
 tiff (4.0.3-12.3+deb8u6) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2017-11613: DoS vulnerability
     A crafted input will lead to a denial of service attack. During the
     TIFFOpen process, td_imagelength is not checked. The value of
     td_imagelength can be directly controlled by an input file. In the
     ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is
     called based on td_imagelength. If the value of td_imagelength is set close
     to the amount of system memory, it will hang the system or trigger the OOM
     killer. (Closes: #869823)
   * Fix CVE-2018-10963: DoS vulnerability
     The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF allows
     remote attackers to cause a denial of service (assertion failure and
     application crash) via a crafted file, a different vulnerability than
     CVE-2017-13726. (Closes: #898348)
   * Fix CVE-2018-5784: DoS vulnerability
     In LibTIFF, there is an uncontrolled resource consumption in the
     TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage
     this vulnerability to cause a denial of service via a crafted tif file.
     This occurs because the declared number of directory entries is not
     validated against the actual number of directory entries. (Closes: #890441)
   * Fix CVE-2018-7456: NULL Pointer Dereference
     A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in
     tif_print.c in LibTIFF when using the tiffinfo tool to print crafted
     TIFF information, a different vulnerability than CVE-2017-18013. (This
     affects an earlier part of the TIFFPrintDirectory function that was not
     addressed by the CVE-2017-18013 patch.) (Closes: #891288)
   * Fix CVE-2018-8905: Heap-based buffer overflow
     In LibTIFF, a heap-based buffer overflow occurs in the function
     LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by
     tiff2ps. (Closes: #893806)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----