Your message dated Thu, 24 Nov 2022 18:21:19 +0000
with message-id <e1oygqd-00ejf1...@fasolo.debian.org>
and subject line Bug#1024737: fixed in tiff 4.4.0-6
has caused the Debian Bug report #1024737,
regarding tiff: CVE-2022-3970: TIFFReadRGBATileExt(): fix (unsigned) integer overflow on strips/tiles > 2 GB
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1024737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024737
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tiff
Version: 4.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for tiff.

CVE-2022-3970[0]:
| A vulnerability was found in LibTIFF. It has been classified as
| critical. This affects the function TIFFReadRGBATileExt of the file
| libtiff/tif_getimage.c. The manipulation leads to integer overflow. It
| is possible to initiate the attack remotely. The exploit has been
| disclosed to the public and may be used. The name of the patch is
| 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a
| patch to fix this issue. The identifier VDB-213549 was assigned to
| this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3970
    https://www.cve.org/CVERecord?id=CVE-2022-3970
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
[2] https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
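The bug class named in the report above (an unsigned integer overflow when a strip or tile larger than 2 GB has its byte size computed in 32-bit arithmetic) is easy to reproduce in isolation. The following is an added illustration, not libtiff's code and not the upstream patch: `tile_bytes_unchecked` computes the buffer size the way a 32-bit product silently wraps, and `tile_bytes_checked` shows the defensive pattern of computing in 64 bits and rejecting anything above the 2 GB boundary. The function names, the 4-bytes-per-RGBA-pixel assumption and the 40000x40000 sample tile are all constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example: one RGBA pixel occupies 4 bytes. */
#define BYTES_PER_PIXEL 4u

/* Unchecked variant (illustrative, not libtiff code): uint32_t * uint32_t
 * stays 32-bit, so a tile whose true size exceeds 4 GiB wraps modulo 2^32
 * and the caller allocates a buffer that is far too small for the data. */
uint32_t tile_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL; /* wraps silently on overflow */
}

/* Checked variant: do the arithmetic in 64 bits, guard the one step that can
 * still overflow, and refuse sizes above INT32_MAX (2 GiB). The 2 GiB limit
 * mirrors the boundary named in the bug title; it is this example's choice,
 * not a statement about libtiff's real policy. Returns false on rejection. */
bool tile_bytes_checked(uint32_t width, uint32_t height, uint64_t *out)
{
    /* (2^32 - 1)^2 < 2^64, so the pixel count itself cannot wrap in 64 bits. */
    uint64_t pixels = (uint64_t)width * (uint64_t)height;

    /* The multiply by BYTES_PER_PIXEL could still wrap; check before doing it. */
    if (pixels > UINT64_MAX / BYTES_PER_PIXEL)
        return false;
    uint64_t bytes = pixels * BYTES_PER_PIXEL;

    /* Reject strips/tiles above 2 GiB so the value is safe in any int32 field. */
    if (bytes > (uint64_t)INT32_MAX)
        return false;

    *out = bytes;
    return true;
}

int main(void)
{
    /* Constructed sample: a 40000 x 40000 RGBA tile is 6.4 GB of pixel data. */
    uint32_t w = 40000u, h = 40000u;
    uint64_t checked = 0;

    printf("unchecked size: %u bytes (wrapped)\n", tile_bytes_unchecked(w, h));
    if (tile_bytes_checked(w, h, &checked))
        printf("checked size:   %llu bytes\n", (unsigned long long)checked);
    else
        printf("checked size:   rejected (tile exceeds 2 GiB)\n");
    return 0;
}
```

Run as is, the unchecked path reports 2105032704 bytes for a tile that really needs 6400000000, which is exactly the kind of undersized allocation that turns a malformed size field into memory corruption; the checked path refuses the tile instead.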
--- Begin Message ---
Source: tiff
Source-Version: 4.4.0-6
Done: Laszlo Boszormenyi (GCS) <g...@debian.org>

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1024...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 24 Nov 2022 17:54:18 +0100
Source: tiff
Architecture: source
Version: 4.4.0-6
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Closes: 1024670 1024737
Changes:
 tiff (4.4.0-6) unstable; urgency=high
 .
   * Backport security fix for CVE-2022-2519, double free or corruption in
     rotateImage() (closes: #1024670).
   * Backport security fix for CVE-2022-2520, sysmalloc assertion fail in
     rotateImage().
   * Backport security fix for CVE-2022-2521, invalid pointer free operation
     in TIFFClose().
   * Backport security fix for CVE-2022-2953, out-of-bounds read in
     extractImageSection().
   * Backport security fix for CVE-2022-3970, fix (unsigned) integer overflow
     on strips/tiles > 2 GB in TIFFReadRGBATileExt() (closes: #1024737).
Checksums-Sha1:
 54526a597709e13559b9e3fb7c7599426f43e44e 2238 tiff_4.4.0-6.dsc
 ae9dab47d4495cf502b42addbd085885e4319283 33680 tiff_4.4.0-6.debian.tar.xz
Checksums-Sha256:
 39f656d60cb0a75ae02fad9c16eb0c275c8a4bcb7efb02898c8c9bcfcf83b5f5 2238 tiff_4.4.0-6.dsc
 37c1e4a7151c3790404e94a137825856f4d1f8fe8a8d3253a455ddff648f329b 33680 tiff_4.4.0-6.debian.tar.xz
Files:
 07f8a7896c660806d4161644e07734c3 2238 libs optional tiff_4.4.0-6.dsc
 0fadacf944b89734f191bdd67508c42b 33680 libs optional tiff_4.4.0-6.debian.tar.xz


--- End Message ---