Your message dated Sun, 25 Oct 2015 17:00:51 +0000
with message-id <e1zqof5-0005hc...@franck.debian.org>
and subject line Bug#684233: fixed in gdal 2.0.1+dfsg-1~exp1
has caused the Debian Bug report #684233,
regarding tiff code embedded in gdal and possibly may be out of date and vulnerable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
684233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gdal
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify
embedded code copies in Debian packages and determine if they are out of
date and vulnerable. Ideally, embedding code and libraries should be
avoided and a system wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at
http://www.foocodechu.com/downloads/Clonewise-report.txt

The gdal package reported potential issues appended to this message.

Apologies if these are false positives. Your help in advising me on whether
these issues are real will help me improve the analysis for the future.

--
Silvio Cesare
Deakin University

### Summary:
###
tiff CLONED_IN_SOURCE gdal <unfixed> CVE-2010-2443
tiff CLONED_IN_SOURCE gdal <unfixed> CVE-2010-2596
tiff CLONED_IN_SOURCE gdal <unfixed> CVE-2010-2597
tiff CLONED_IN_SOURCE gdal <unfixed> CVE-2011-1167

### Reports by package:
###
# Package gdal may be vulnerable to the following issues:
#
        CVE-2010-2443
        CVE-2010-2596
        CVE-2010-2597
        CVE-2011-1167


# SUMMARY: The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF
before 3.9.3 allows remote attackers to cause a denial of service
(NULL pointer dereference and application crash) via an OJPEG image
with undefined strip offsets, related to the TIFFVGetField function.
#

# CVE-2010-2443 relates to a vulnerability in package tiff.
# The following source filenames are likely responsible:
#       tifojpeg.c
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

tiff CLONED_IN_SOURCE gdal <unfixed> CVE-2010-2443


# SUMMARY: The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF
3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause
a denial of service (assertion failure and application exit) via a
crafted TIFF image, related to "downsampled OJPEG input."
#

# CVE-2010-2596 relates to a vulnerability in package tiff.
# The following source filenames are likely responsible:
#       tifojpeg.c
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

tiff CLONED_IN_SOURCE gdal <unfixed> CVE-2010-2596


# SUMMARY: The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0
and 3.9.2 makes incorrect calls to the TIFFGetField function, which
allows remote attackers to cause a denial of service (application
crash) via a crafted TIFF image, related to "downsampled OJPEG input"
and possibly related to a compiler optimization that triggers a
divide-by-zero error.
#

# CVE-2010-2597 relates to a vulnerability in package tiff.
# The following source filenames are likely responsible:
#       tifstrip.c
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

tiff CLONED_IN_SOURCE gdal <unfixed> CVE-2010-2597


# SUMMARY: Heap-based buffer overflow in the thunder (aka ThunderScan)
decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote
attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS
data in a .tiff file that has an unexpected BitsPerSample value.
#

# CVE-2011-1167 relates to a vulnerability in package tiff.
# The following source filenames are likely responsible:
#       tifthunder.c
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

tiff CLONED_IN_SOURCE gdal <unfixed> CVE-2011-1167

--- End Message ---
--- Begin Message ---
Source: gdal
Source-Version: 2.0.1+dfsg-1~exp1

We believe that the bug you reported is fixed in the latest version of
gdal, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bas Couwenberg <sebas...@debian.org> (supplier of updated gdal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 23 Oct 2015 17:01:12 +0200
Source: gdal
Binary: libgdal20 libgdal-dev libgdal-doc gdal-bin python-gdal python3-gdal libgdal-perl libgdal-java
Architecture: source amd64 all
Version: 2.0.1+dfsg-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Changed-By: Bas Couwenberg <sebas...@debian.org>
Description:
 gdal-bin   - Geospatial Data Abstraction Library - Utility programs
 libgdal-dev - Geospatial Data Abstraction Library - Development files
 libgdal-doc - Documentation for the Geospatial Data Abstraction Library
 libgdal-java - Java bindings to the Geospatial Data Abstraction Library
 libgdal-perl - Perl bindings to the Geospatial Data Abstraction Library
 libgdal20  - Geospatial Data Abstraction Library
 python-gdal - Python bindings to the Geospatial Data Abstraction Library
 python3-gdal - Python 3 bindings to the Geospatial Data Abstraction Library
Closes: 684233
Changes:
 gdal (2.0.1+dfsg-1~exp1) experimental; urgency=medium
 .
   * New upstream release.
   * Update copyright file, changes:
     - Update copyright years & holders
     - Drop files section for gcore/gdal_rpcimdio.cpp, removed upstream
     - Drop .0 from GPL license shortnames
     - Strip trailing whitespace
     - Use range notation for copyright years
     - Add sbnsearch.c to MIT or LGPL-2+ section
   * Drop patches applied upstream, refresh remaining patches.
   * Rename libgdal1i to libgdal20 to match SONAME.
   * Use packaged libgeotiff & libtiff instead of internal copies.
     (closes: #684233)
   * Drop libgdal1-dev transitional package, and obsolete Breaks/Replaces.
   * Change virtual package from libgdal.so.1-<major>.<minor>.<patch> format
     to gdal-abi-<major>-<minor>-<patch> format.
   * Drop custom symbol version script, never updated after 1.8.
   * Include Geo::GDAL manpage in libgdal-perl.


--- End Message ---
_______________________________________________
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel