Register | Log in

tiff

Choose email to subscribe with

general

source: tiff (main)
version: 4.0.9-5
maintainer: Laszlo Boszormenyi (GCS) [DMD]
uploaders: Ondřej Surý [DMD]
arch: all any
std-ver: 4.1.4
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.0.2-6+deb7u5
o-o-sec: 4.0.2-6+deb7u21
oldstable: 4.0.3-12.3+deb8u5
old-sec: 4.0.3-12.3+deb8u5
stable: 4.0.8-2+deb9u2
stable-sec: 4.0.8-2+deb9u2
testing: 4.0.9-5
unstable: 4.0.9-5

versioned links

4.0.2-6+deb7u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.2-6+deb7u21: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.3-12.3+deb8u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.8-2+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.9-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtiff-dev
libtiff-doc
libtiff-opengl
libtiff-tools
libtiff5
libtiff5-dev
libtiffxx5

action needed

4 security issues in buster high

There are 4 open security issues in buster.

4 important issues:

CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.
CVE-2018-8905: In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
CVE-2017-17942: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.
CVE-2018-5360: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.

Please fix them.

Created: 2017-06-23 Last update: 2018-06-23 14:22

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.
CVE-2018-8905: In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
CVE-2017-17942: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.
CVE-2018-5360: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.

Please fix them.

Created: 2017-06-23 Last update: 2018-06-23 14:22

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

libtiff-doc could be marked Multi-Arch: foreign
libtiff-dev could be marked Multi-Arch: same

Created: 2016-09-14 Last update: 2018-06-23 14:35

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2017-11-21 Last update: 2018-06-23 13:59

9 ignored security issues in jessie low

There are 9 open security issues in jessie.

9 issues skipped by the security teams:

CVE-2017-17942: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.
CVE-2018-8905: In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
CVE-2018-5784: In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.
CVE-2017-9815: In LibTIFF 4.0.7, the TIFFReadDirEntryLong8Array function in libtiff/tif_dirread.c mishandles a malloc operation, which allows attackers to cause a denial of service (memory leak within the function _TIFFmalloc in tif_unix.c) via a crafted file.
CVE-2015-7313: LibTIFF allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file.
CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.
CVE-2018-7456: A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)
CVE-2017-11613: In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer.
CVE-2018-5360: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.

Please fix them.

Created: 2015-09-23 Last update: 2018-06-23 14:22

7 ignored security issues in stretch low

There are 7 open security issues in stretch.

7 issues skipped by the security teams:

CVE-2018-7456: A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)
CVE-2018-8905: In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
CVE-2018-5784: In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.
CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.
CVE-2017-17942: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.
CVE-2017-11613: In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer.
CVE-2018-5360: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.

Please fix them.

Created: 2017-06-23 Last update: 2018-06-23 14:22

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-10-26 Last update: 2017-10-26 07:23

news

[2018-05-31] Accepted tiff 4.0.2-6+deb7u21 (source all amd64) into oldoldstable (Holger Levsen)
[2018-05-13] Accepted tiff 4.0.2-6+deb7u20 (source all amd64) into oldoldstable (Hugo Lefeuvre)
[2018-04-18] tiff 4.0.9-5 MIGRATED to testing (Debian testing watch)
[2018-04-16] Accepted tiff 4.0.2-6+deb7u19 (source all amd64) into oldoldstable (Hugo Lefeuvre)
[2018-04-15] Accepted tiff 4.0.9-5 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-02-17] tiff 4.0.9-4 MIGRATED to testing (Debian testing watch)
[2018-02-14] Accepted tiff 4.0.9-4 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2018-02-10] Accepted tiff 4.0.3-12.3+deb8u5 (source all amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Moritz Muehlenhoff) (signed by: Moritz Mühlenhoff)
[2018-02-09] Accepted tiff 4.0.8-2+deb9u2 (source all amd64) into proposed-updates->stable-new, proposed-updates (Laszlo Boszormenyi (GCS)) (signed by: Moritz Mühlenhoff)
[2018-01-27] Accepted tiff 4.0.2-6+deb7u18 (source all amd64) into oldoldstable (Roberto C. Sanchez)
[2018-01-04] tiff 4.0.9-3 MIGRATED to testing (Debian testing watch)
[2018-01-01] Accepted tiff 4.0.9-3 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-12-24] tiff 4.0.9-2 MIGRATED to testing (Debian testing watch)
[2017-12-21] Accepted tiff 4.0.9-2 (source amd64 all) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-12-15] tiff 4.0.9-1 MIGRATED to testing (Debian testing watch)
[2017-12-12] Accepted tiff 4.0.2-6+deb7u17 (source all amd64) into oldoldstable (Brian May)
[2017-12-09] Accepted tiff 4.0.9-1 (source amd64 all) into unstable, unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-11-01] tiff 4.0.8-6 MIGRATED to testing (Debian testing watch)
[2017-10-29] Accepted tiff 4.0.8-6 (source all amd64) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-09-10] Accepted tiff 4.0.2-6+deb7u16 (source all amd64) into oldoldstable (Roberto C. Sanchez)
[2017-09-03] tiff 4.0.8-5 MIGRATED to testing (Debian testing watch)
[2017-08-31] Accepted tiff 4.0.8-5 (source all amd64) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-07-18] tiff 4.0.8-4 MIGRATED to testing (Debian testing watch)
[2017-07-16] Accepted tiff 4.0.8-4 (source all amd64) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-07-15] Accepted tiff 4.0.8-2+deb9u1 (source all amd64) into proposed-updates->stable-new, proposed-updates (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-07-15] Accepted tiff 4.0.3-12.3+deb8u4 (source all amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-07-11] Accepted tiff 4.0.2-6+deb7u15 (source all amd64) into oldoldstable (Roberto C. Sanchez)
[2017-07-04] tiff 4.0.8-3 MIGRATED to testing (Debian testing watch)
[2017-07-01] Accepted tiff 4.0.8-3 (source all amd64) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2017-06-13] Accepted tiff 4.0.2-6+deb7u14 (source all amd64) into oldstable (Raphaël Hertzog)

1
2

bugs [bug history graph]

all: 26
RC: 0
I&N: 20
M&W: 4
F&P: 2

links

homepage
lintian
buildd: logs, checks, clang, reproducibility
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.0.9-5
22 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing