Source: tiff
Version: 4.0.9-1
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2780

Hi,

the following vulnerability was published for tiff.

CVE-2018-8905[0]:
| In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function
| LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated
| by tiff2ps.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8905
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2780

Please adjust the affected versions in the BTS as needed.

There is a PoC file attached to the upstream bug [1] which can be used to
verify a fix; the PoC might not trigger, but the issue might still be
present in versions other than 4.0.9. There is no upstream commit yet
which might help pinpoint the issue.

Regards,
Salvatore