CVE-2018-5784 (https://nvd.nist.gov/vuln/detail/CVE-2018-5784): In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.
Upstream fix: https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef PR: https://github.com/gentoo/gentoo/pull/7237
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5f874c2b8cbbdb0eb013c1543ef3aaddbe67903 commit b5f874c2b8cbbdb0eb013c1543ef3aaddbe67903 Author: Michael Vetter <jubalh@iodoru.org> AuthorDate: 2018-02-20 14:18:53 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2018-02-20 14:29:48 +0000 media-libs/tiff: Fix CVE-2018-5784 Patch is upstream commit: https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef Bug: https://bugs.gentoo.org/645730 Package-Manager: Portage-2.3.19, Repoman-2.3.6 Closes: https://github.com/gentoo/gentoo/pull/7237 .../tiff/files/tiff-4.0.9-CVE-2018-5784.patch | 128 +++++++++++++++++++++ media-libs/tiff/tiff-4.0.9-r3.ebuild | 84 ++++++++++++++ 2 files changed, 212 insertions(+)}
GLSA Vote: No tree is clean