Bug 669948 (CVE-2018-18557)

Summary:	<media-libs/tiff-4.0.10: potential out-of-bounds write in JBIGDecode()
Product:	Gentoo Security	Reporter:	D'juan McDonald (domhnall) <flopwiki>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	graphics+disabled, pacho
Priority:	Normal	Keywords:	STABLEREQ
Version:	unspecified	Flags:	stable-bot: sanity-check+
Hardware:	Other
OS:	Linux
URL:	https://gitlab.com/libtiff/libtiff/merge_requests/38
Whiteboard:	A3 [glsa+ cve stable]
Package list:	=media-libs/tiff-4.0.10 =app-arch/zstd-1.3.7-r1	Runtime testing required:	---

Description D'juan McDonald (domhnall) 2018-10-30 09:45:20 UTC

CVE-2018-18557(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18557):

LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.


@maintainer(s): see upstream commit SHA: 681748ec for details.


Gentoo Security Padawan
(domhnall)

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2019-03-26 19:13:03 UTC

Fix is present in 4.0.10

git tag --contains 681748ec

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2019-03-26 21:45:18 UTC

@arches, please stabilize.

Comment 3 Stabilization helper bot gentoo-dev

2019-03-26 22:01:08 UTC

An automated check of this bug failed - repoman reported dependency errors (197 lines truncated): 

> dependency.bad media-libs/tiff/tiff-4.0.10.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['>=app-arch/zstd-1.3.7-r1:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/tiff/tiff-4.0.10.ebuild: RDEPEND: alpha(default/linux/alpha/17.0) ['>=app-arch/zstd-1.3.7-r1:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/tiff/tiff-4.0.10.ebuild: DEPEND: alpha(default/linux/alpha/17.0/desktop) ['>=app-arch/zstd-1.3.7-r1:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']

Comment 4 Agostino Sarubbo gentoo-dev

2019-03-27 20:05:07 UTC

amd64 stable

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2019-03-27 23:47:02 UTC

x86 stable

Comment 6 Matt Turner gentoo-dev

2019-03-29 04:39:59 UTC

ppc/ppc64 stable

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-07 21:37:59 UTC

hppa stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-07 21:43:19 UTC

ia64 stable

Comment 9 Mart Raudsepp gentoo-dev

2019-04-08 08:40:18 UTC

arm64 stable

Comment 10 Markus Meier gentoo-dev

2019-04-08 18:26:35 UTC

arm stable

Comment 11 Rolf Eike Beer archtester

2019-04-11 05:20:18 UTC

*** Bug 681532 has been marked as a duplicate of this bug. ***

Comment 12 Rolf Eike Beer archtester

2019-04-11 05:20:45 UTC

sparc stable

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2019-04-15 20:51:33 UTC

This issue was resolved and addressed in
 GLSA 201904-15 at https://security.gentoo.org/glsa/201904-15
by GLSA coordinator Aaron Bauman (b-man).

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2019-04-15 20:52:48 UTC

re-opened for final arches and cleanup.

Comment 15 Mikle Kolyada (RETIRED) archtester

2019-04-17 12:25:19 UTC

s390 stable

Comment 16 Mikle Kolyada (RETIRED) archtester

2019-04-17 12:25:43 UTC

sh stable

Comment 17 Mikle Kolyada (RETIRED) archtester

2019-04-17 12:26:12 UTC

m68k stable

Comment 18 Mikle Kolyada (RETIRED) archtester

2019-04-17 13:42:10 UTC

oh alpha was forgitten, sorry

Comment 19 Mikle Kolyada (RETIRED) archtester

2019-04-17 13:42:50 UTC

alpha stable