[Secure-testing-commits] r52251 - data/CVE

Fri, 02 Jun 2017 21:21:44 -0700 

Author: carnil
Date: 2017-06-03 04:21:15 +0000 (Sat, 03 Jun 2017)
New Revision: 52251

Modified:
   data/CVE/list
Log:
Add more or less extensive note for CVE-2017-9404

Note for reviewers, remove the TODO if you agree with the NOTE analysis
(which might be reduced to not clutter the security tracker).

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-06-03 03:23:09 UTC (rev 52250)
+++ data/CVE/list       2017-06-03 04:21:15 UTC (rev 52251)
@@ -25,7 +25,18 @@
        - tiff 4.0.8-1
        - tiff3 <removed>
        NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2688
-       TODO: check, possibly fixed with the 2017-04-27 commit to 
libtiff/tif_ojpeg.c
+       NOTE: Fixed by: 
https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b
+       NOTE: Possibly sensible to add the other memory leaks fixes in 
OJPEGReadHeaderInfoSecTables
+       NOTE: method from tif_ojpeg.c, i.e.:
+       NOTE: 
https://github.com/vadz/libtiff/commit/e9bd1b06fe25219cf0873fca70e46f01843fd9f4
+       NOTE: 
https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1
+       NOTE: Reproducing the issue itself is "covered" after fixing 
https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33
+       NOTE: To verify 2ea32f7372b65c24b2816f11c04bf59b5090d05b fixes the 
issue build src:tiff
+       NOTE: with ASAN with 5ed9fea523316c2f5cec4d393e4d5d671c2dbc33 reverted. 
Before the
+       NOTE: 2ea32f7372b65c24b2816f11c04bf59b5090d05b commit the Direct leak 
of 73 byte
+       NOTE: with backtrace following the methods in 
http://bugzilla.maptools.org/show_bug.cgi?id=2688
+       NOTE: is shown.
+       TODO: check, not able to reproducing the issue does not necessarly mean 
the issue is fixed, but the 'direct leak' via OJPEGReadHeaderInfoSecTables 
should be fixed by the three commits at latest in 4.0.8.
 CVE-2017-9403 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the 
function ...)
        - tiff 4.0.8-1
        - tiff3 <removed>


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

Reply via email to