Your message dated Thu, 24 Nov 2022 18:21:19 +0000 with message-id <e1oygqd-00ejey...@fasolo.debian.org> and subject line Bug#1024670: fixed in tiff 4.4.0-6 has caused the Debian Bug report #1024670, regarding tiff: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1024670: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024670 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: tiff Version: 4.4.0-5 Severity: important Tags: security Hello, The following vulnerabilities had been published for tiff: CVE-2022-2519[0]: | There is a double free or corruption in rotateImage() at | tiffcrop.c:8839 found in libtiff 4.4.0rc1 https://gitlab.com/libtiff/libtiff/-/issues/423 https://gitlab.com/libtiff/libtiff/-/merge_requests/378 https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba CVE-2022-2520[1]: | A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion | fail in rotateImage() at tiffcrop.c:8621 that can cause program crash | when reading a crafted input. https://gitlab.com/libtiff/libtiff/-/issues/424 https://gitlab.com/libtiff/libtiff/-/merge_requests/378 https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba CVE-2022-2521[2]: | It was found in libtiff 4.4.0rc1 that there is an invalid pointer free | operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 | that can cause a program crash and denial of service while processing | crafted input. https://gitlab.com/libtiff/libtiff/-/issues/422 https://gitlab.com/libtiff/libtiff/-/merge_requests/378 https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba CVE-2022-2953[3]: | LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in | tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service | via a crafted tiff file. For users that compile libtiff from sources, | the fix is available with commit 48d6ece8. https://gitlab.com/libtiff/libtiff/-/issues/414 https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba I saw they are marked as "unimportant" in Debian's security tracker, but I thought I would file this bug report anyway. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-2519 https://www.cve.org/CVERecord?id=CVE-2022-2519 [1] https://security-tracker.debian.org/tracker/CVE-2022-2520 https://www.cve.org/CVERecord?id=CVE-2022-2520 [2] https://security-tracker.debian.org/tracker/CVE-2022-2521 https://www.cve.org/CVERecord?id=CVE-2022-2521 [3] https://security-tracker.debian.org/tracker/CVE-2022-2953 https://www.cve.org/CVERecord?id=CVE-2022-2953 Please adjust the affected versions in the BTS as needed. Best, amin
--- End Message ---
--- Begin Message ---Source: tiff Source-Version: 4.4.0-6 Done: Laszlo Boszormenyi (GCS) <g...@debian.org> We believe that the bug you reported is fixed in the latest version of tiff, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1024...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated tiff package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 24 Nov 2022 17:54:18 +0100 Source: tiff Architecture: source Version: 4.4.0-6 Distribution: unstable Urgency: high Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org> Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org> Closes: 1024670 1024737 Changes: tiff (4.4.0-6) unstable; urgency=high . * Backport security fix for CVE-2022-2519, double free or corruption in rotateImage() (closes: #1024670). * Backport security fix for CVE-2022-2520, sysmalloc assertion fail in rotateImage(). * Backport security fix for CVE-2022-2521, invalid pointer free operation in TIFFClose(). * Backport security fix for CVE-2022-2953, out-of-bounds read in extractImageSection(). * Backport security fix for CVE-2022-3970, fix (unsigned) integer overflow on strips/tiles > 2 GB in TIFFReadRGBATileExt() (closes: #1024737). Checksums-Sha1: 54526a597709e13559b9e3fb7c7599426f43e44e 2238 tiff_4.4.0-6.dsc ae9dab47d4495cf502b42addbd085885e4319283 33680 tiff_4.4.0-6.debian.tar.xz Checksums-Sha256: 39f656d60cb0a75ae02fad9c16eb0c275c8a4bcb7efb02898c8c9bcfcf83b5f5 2238 tiff_4.4.0-6.dsc 37c1e4a7151c3790404e94a137825856f4d1f8fe8a8d3253a455ddff648f329b 33680 tiff_4.4.0-6.debian.tar.xz Files: 07f8a7896c660806d4161644e07734c3 2238 libs optional tiff_4.4.0-6.dsc 0fadacf944b89734f191bdd67508c42b 33680 libs optional tiff_4.4.0-6.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAmN/sCMACgkQ3OMQ54ZM yL//Tg//alHP1u6T/H4pimYiAQKjFqcnVdPzY2tkwOkQiNJjKPQlD2ICzB35MzjE gbeijGgmh+6m51i0kV2LvpaTsbY7C3i6/soN7nhDo0MxU3k47n0LTZXcFQ3V6OGp THNYGQsfZ9CRFmVMNxF/ZzOs7LOOPsbKnUe92lQAiUWptJubAaZr9Uc/LnBHuv+f iuykwMfs4GWc6mYjjYKYho5sDT76R7O57L2r8PO4NR5rKes6Qg2RKu9upp9kKZjI r2pbrgiSBOg3b5yywU4sT5NVJLvoUJW6Zm4a/QBjzd2tacc5VRb4+igYlhzSsn+J Ov1cOXEcphwn34mOvM5fyS3M32vAX/Hto4NwHZDaN+RjZnlTLMrATb1OJGYzSTww V3xJ/YuJl7m9niMUfZSGR/AUgx+rTKHRqv5umE1GrHlITnn5g7XK0VjMz7Q+Jjya V3aEv93tus/MB+g+REmhgpmXkQAxa67YyHDToeolLeuPPTtDZ+2JxtUsnUOfotWu gfGJPyWGMMWp4SzX2i/XacKt0fcPolDb5JyRjOX2uo1BhVksb2SXyI5U3cckbsnP bLfaRN2EQmK9amT4oN5MjND5z+VP9xSsOS2JkfRy8Nrd7G/R3k0reyGuCC11qNOI 79N/BMR5UnaXb/6QyRzPIr0h5biccEiDSxh4YXtaUEahUQJAy3w= =RXJk -----END PGP SIGNATURE-----
--- End Message ---
