Your message dated Sun, 28 Oct 2018 15:19:51 +0000
with message-id <[email protected]>
and subject line Bug#911635: fixed in tiff 4.0.9+git181026-1
has caused the Debian Bug report #911635,
regarding tiff: CVE-2018-18557: JBIG: fix potential out-of-bounds write in JBIGDecode()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
911635: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911635
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tiff
Version: 4.0.9-6
Severity: important
Tags: patch security upstream
Forwarded: https://gitlab.com/libtiff/libtiff/merge_requests/38

Hi,

The following vulnerability was published for tiff.

CVE-2018-18557[0]:
| LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a
| buffer, ignoring the buffer size, which leads to a tif_jbig.c
| JBIGDecode out-of-bounds write.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18557
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18557
[1] https://gitlab.com/libtiff/libtiff/merge_requests/38

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
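
The bug class named in the CVE description above (decoded data copied into a caller's buffer while the buffer size is ignored), shown beside a bounds-checked form. This is an added example, not code from libtiff or from the bug report; `decoded_image`, `copy_unchecked`, `copy_checked` and the sizes are hypothetical, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder output: size comes from the stream, so it is untrusted. */
struct decoded_image { const unsigned char *data; size_t size; };

/* Pattern from the CVE text: decoded size drives the copy, buf_size is ignored. */
static void copy_unchecked(unsigned char *buf, size_t buf_size,
                           const struct decoded_image *img)
{
    (void)buf_size;
    memcpy(buf, img->data, img->size);
}

/* Hardened form: reject what does not fit. Returns bytes copied, or -1. */
static long copy_checked(unsigned char *buf, size_t buf_size,
                         const struct decoded_image *img)
{
    if (img->size > buf_size)
        return -1;
    memcpy(buf, img->data, img->size);
    return (long)img->size;
}

#define STRIP_SIZE 16 /* constructed: what the caller allocated */
#define GUARD_SIZE 16 /* constructed: neighbouring bytes, kept in the same array */

/* Returns how many guard bytes after the STRIP_SIZE region were overwritten. */
static int guard_bytes_clobbered(int use_checked, size_t decoded_size)
{
    unsigned char arena[STRIP_SIZE + GUARD_SIZE], image[STRIP_SIZE + GUARD_SIZE];
    struct decoded_image img = { image, decoded_size };
    int i, hit = 0;
    if (decoded_size > sizeof image) return -1; /* keep the demo in bounds */
    memset(image, 0x11, sizeof image);
    memset(arena, 0xAA, sizeof arena);
    if (use_checked) copy_checked(arena, STRIP_SIZE, &img);
    else             copy_unchecked(arena, STRIP_SIZE, &img);
    for (i = 0; i < GUARD_SIZE; i++)
        hit += arena[STRIP_SIZE + i] != 0xAA;
    return hit;
}

int main(void)
{
    printf("guard bytes overwritten: unchecked %d, checked %d\n",
           guard_bytes_clobbered(0, 24), guard_bytes_clobbered(1, 24));
    return 0;
}
```
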
--- Begin Message ---
Source: tiff
Source-Version: 4.0.9+git181026-1

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 28 Oct 2018 11:04:14 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source amd64 all
Version: 4.0.9+git181026-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
 libtiff-dev - Tag Image File Format library (TIFF), development files, current
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 909037 909038 911635
Changes:
 tiff (4.0.9+git181026-1) unstable; urgency=high
 .
   * Git snapshot, fixing the following security issues:
     - CVE-2018-17100, int32 overflow in multiply_ms() which can cause a DoS
       or possibly have unspecified other impact via a crafted image file
       (closes: #909038),
     - CVE-2018-17101, two out-of-bounds writes in cpTags() which can cause a
       DoS or possibly have unspecified other impact via a crafted image file
       (closes: #909037),
     - CVE-2018-18557, out-of-bounds write in JBIGDecode() (closes: #911635).
   * Remove previously backported security patches.
   * Build with Zstandard, a fast lossless compression algorithm.
   * Build with WebP, the modern VP8 compression format.
   * Update libtiff5 symbols.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
