Format: 1.8
Date: Mon, 02 Jul 2018 13:04:59 +0200
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.3-12.3+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5 - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 869823 890441 891288 893806 898348
Changes:
 tiff (4.0.3-12.3+deb8u6) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2017-11613: DoS vulnerability
     A crafted input will lead to a denial of service attack. During the
     TIFFOpen process, td_imagelength is not checked. The value of
     td_imagelength can be directly controlled by an input file. In the
     ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function
     is called based on td_imagelength. If the value of td_imagelength is
     set close to the amount of system memory, it will hang the system or
     trigger the OOM killer. (Closes: #869823)
   * Fix CVE-2018-10963: DoS vulnerability
     The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF
     allows remote attackers to cause a denial of service (assertion
     failure and application crash) via a crafted file, a different
     vulnerability than CVE-2017-13726. (Closes: #898348)
   * Fix CVE-2018-5784: DoS vulnerability
     In LibTIFF, there is an uncontrolled resource consumption in the
     TIFFSetDirectory function of tif_dir.c. Remote attackers could
     leverage this vulnerability to cause a denial of service via a
     crafted tif file. This occurs because the declared number of
     directory entries is not validated against the actual number of
     directory entries. (Closes: #890441)
   * Fix CVE-2018-7456: NULL Pointer Dereference
     A NULL Pointer Dereference occurs in the function TIFFPrintDirectory
     in tif_print.c in LibTIFF when using the tiffinfo tool to print
     crafted TIFF information, a different vulnerability than
     CVE-2017-18013. (This affects an earlier part of the
     TIFFPrintDirectory function that was not addressed by the
     CVE-2017-18013 patch.) (Closes: #891288)
   * Fix CVE-2018-8905: Heap-based buffer overflow
     In LibTIFF, a heap-based buffer overflow occurs in the function
     LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated
     by tiff2ps. (Closes: #893806)