Register | Log in

tiff

Choose email to subscribe with

general

source: tiff (main)
version: 4.0.9-6
maintainer: Laszlo Boszormenyi (GCS) [DMD]
uploaders: Ondřej Surý [DMD]
arch: all any
std-ver: 4.1.4
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.0.2-6+deb7u5
o-o-sec: 4.0.2-6+deb7u21
oldstable: 4.0.3-12.3+deb8u5
old-sec: 4.0.3-12.3+deb8u6
stable: 4.0.8-2+deb9u2
stable-sec: 4.0.8-2+deb9u2
testing: 4.0.9-6
unstable: 4.0.9-6

versioned links

4.0.2-6+deb7u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.2-6+deb7u21: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.3-12.3+deb8u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.3-12.3+deb8u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.8-2+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.9-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtiff-dev
libtiff-doc
libtiff-opengl
libtiff-tools
libtiff5
libtiff5-dev
libtiffxx5

action needed

9 security issues in sid high

There are 9 open security issues in sid.

9 important issues:

CVE-2018-17100: An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
CVE-2018-17000: A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.
CVE-2017-17942: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.
CVE-2018-12900: Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.
CVE-2018-5360: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.
CVE-2018-15209: ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf.
CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.
CVE-2018-17101: An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.
CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.

Please fix them.

Created: 2017-06-23 Last update: 2018-10-14 21:21

14 security issues in stretch high

There are 14 open security issues in stretch.

4 important issues:

CVE-2018-17100: An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
CVE-2018-17101: An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.
CVE-2018-17000: A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.
CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.

10 issues skipped by the security teams:

CVE-2017-17942: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.
CVE-2017-11613: In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer.
CVE-2018-8905: In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
CVE-2018-5784: In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.
CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.
CVE-2018-7456: A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)
CVE-2018-5360: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.
CVE-2018-15209: ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf.
CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.
CVE-2018-12900: Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.

Please fix them.

Created: 2017-06-23 Last update: 2018-10-14 21:21

9 security issues in buster high

There are 9 open security issues in buster.

9 important issues:

CVE-2018-17100: An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
CVE-2018-17000: A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.
CVE-2017-17942: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.
CVE-2018-12900: Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.
CVE-2018-5360: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.
CVE-2018-15209: ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf.
CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.
CVE-2018-17101: An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.
CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.

Please fix them.

Created: 2017-06-23 Last update: 2018-10-14 21:21

4 bugs tagged patch in the BTS normal

The BTS contains patches fixing 4 bugs, consider including or untagging them.

Created: 2018-10-01 Last update: 2018-10-15 15:38

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

libtiff-doc could be marked Multi-Arch: foreign
libtiff-dev could be marked Multi-Arch: same

Created: 2016-09-14 Last update: 2018-10-15 15:20

9 ignored security issues in jessie low

There are 9 open security issues in jessie.

9 issues skipped by the security teams:

CVE-2018-17100: An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
CVE-2018-17000: A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.
CVE-2017-17942: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.
CVE-2018-12900: Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.
CVE-2018-5360: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.
CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.
CVE-2015-7313: LibTIFF allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file.
CVE-2018-17101: An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.
CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.

Please fix them.

Created: 2015-09-23 Last update: 2018-10-14 21:21

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-10-26 Last update: 2017-10-26 07:23

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.2.1 instead of 4.1.4).

Created: 2018-08-20 Last update: 2018-08-26 08:17

news

[2018-07-04] tiff 4.0.9-6 MIGRATED to testing (Debian testing watch)
[2018-07-02] Accepted tiff 4.0.3-12.3+deb8u6 (source all amd64) into oldstable (Markus Koschany)
[2018-07-01] Accepted tiff 4.0.9-6 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-05-31] Accepted tiff 4.0.2-6+deb7u21 (source all amd64) into oldoldstable (Holger Levsen)
[2018-05-13] Accepted tiff 4.0.2-6+deb7u20 (source all amd64) into oldoldstable (Hugo Lefeuvre)
[2018-04-18] tiff 4.0.9-5 MIGRATED to testing (Debian testing watch)
[2018-04-16] Accepted tiff 4.0.2-6+deb7u19 (source all amd64) into oldoldstable (Hugo Lefeuvre)
[2018-04-15] Accepted tiff 4.0.9-5 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-02-17] tiff 4.0.9-4 MIGRATED to testing (Debian testing watch)
[2018-02-14] Accepted tiff 4.0.9-4 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-02-10] Accepted tiff 4.0.3-12.3+deb8u5 (source all amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2018-02-09] Accepted tiff 4.0.8-2+deb9u2 (source all amd64) into proposed-updates->stable-new, proposed-updates (Laszlo Boszormenyi (GCS)) (signed by: Moritz Mühlenhoff)
[2018-01-27] Accepted tiff 4.0.2-6+deb7u18 (source all amd64) into oldoldstable (Roberto C. Sanchez)
[2018-01-04] tiff 4.0.9-3 MIGRATED to testing (Debian testing watch)
[2018-01-01] Accepted tiff 4.0.9-3 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-12-24] tiff 4.0.9-2 MIGRATED to testing (Debian testing watch)
[2017-12-21] Accepted tiff 4.0.9-2 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-12-15] tiff 4.0.9-1 MIGRATED to testing (Debian testing watch)
[2017-12-12] Accepted tiff 4.0.2-6+deb7u17 (source all amd64) into oldoldstable (Brian May)
[2017-12-09] Accepted tiff 4.0.9-1 (source amd64 all) into unstable, unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-11-01] tiff 4.0.8-6 MIGRATED to testing (Debian testing watch)
[2017-10-29] Accepted tiff 4.0.8-6 (source all amd64) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-09-10] Accepted tiff 4.0.2-6+deb7u16 (source all amd64) into oldoldstable (Roberto C. Sanchez)
[2017-09-03] tiff 4.0.8-5 MIGRATED to testing (Debian testing watch)
[2017-08-31] Accepted tiff 4.0.8-5 (source all amd64) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-07-18] tiff 4.0.8-4 MIGRATED to testing (Debian testing watch)
[2017-07-16] Accepted tiff 4.0.8-4 (source all amd64) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-07-15] Accepted tiff 4.0.8-2+deb9u1 (source all amd64) into proposed-updates->stable-new, proposed-updates (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-07-15] Accepted tiff 4.0.3-12.3+deb8u4 (source all amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-07-11] Accepted tiff 4.0.2-6+deb7u15 (source all amd64) into oldoldstable (Roberto C. Sanchez)

1
2

bugs [bug history graph]

all: 32
RC: 0
I&N: 24
M&W: 6
F&P: 2
patch: 4

links

homepage
lintian
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.0.9-6
22 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing