From ${URL} :

In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.

Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2704

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Upstream fix is here: https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb1365ccd7332af4595538bc6b2244058db7b79b

commit eb1365ccd7332af4595538bc6b2244058db7b79b
Author: Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2018-01-26 03:54:26 +0000
Commit: Mike Frysinger <vapier@gentoo.org>
CommitDate: 2018-01-26 22:25:18 +0000

media-libs/tiff: add upstream fix for CVE-2017-9935 #624696

Also drop some pdfium patches that they dropped when moving to 4.0.8.

Bug: https://bugs.gentoo.org/624696

.../tiff/files/tiff-4.0.9-CVE-2017-9935.patch | 153 +++++++++++++++++++++
media-libs/tiff/tiff-4.0.9-r1.ebuild | 79 +++++++++++
2 files changed, 232 insertions(+)
AFAIK this is only partly the fix. Upstream https://gitlab.com/libtiff/libtiff/commit/d4f213636b6f950498a1386083199bd7f65676b9 is also needed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88961c859ba1efbe6e3555246444dc0456bddcb8

commit 88961c859ba1efbe6e3555246444dc0456bddcb8
Author: Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2018-02-16 15:04:47 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-02-16 15:21:33 +0000

media-libs/tiff: Patch to fix type (CVE-2017-9935)

CVE-2017-9935 has a second commit with ID d4f213636b6f950498a1386083199bd7f65676b9 to fix the type of the table.

Bug: https://bugs.gentoo.org/624696
Package-Manager: Portage-2.3.19, Repoman-2.3.6
Closes: https://github.com/gentoo/gentoo/pull/7204

...ff-4.0.9-CVE-2017-9935-fix-incorrect-type.patch | 58 ++++++++++++++++
media-libs/tiff/tiff-4.0.9-r2.ebuild | 80 ++++++++++++++++++++++
2 files changed, 138 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37595745cfaca05f187eba0f3b9a392a79510393

commit 37595745cfaca05f187eba0f3b9a392a79510393
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-06-11 15:15:09 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-06-11 15:15:09 +0000

media-libs/tiff: drop vulnerable

Bug: https://bugs.gentoo.org/624696
Package-Manager: Portage-2.3.40, Repoman-2.3.9

media-libs/tiff/Manifest | 1 -
media-libs/tiff/tiff-4.0.8.ebuild | 80 ------------------------------------
media-libs/tiff/tiff-4.0.9-r1.ebuild | 75 ---------------------------------
media-libs/tiff/tiff-4.0.9-r2.ebuild | 79 -----------------------------------
4 files changed, 235 deletions(-)
Downgraded.

GLSA Vote: No

Tree is clean