From https://bugzilla.redhat.com/show_bug.cgi?id=1344068:

A stack-based buffer overflow vulnerability was reported in thumbnail's _TIFFVGetField() function. Memory corruption can be triggered when handling a maliciously crafted TIFF file, causing the application to crash.

CVE assignment: http://seclists.org/oss-sec/2016/q2/486

From https://bugzilla.redhat.com/show_bug.cgi?id=1344069:

A heap-based buffer overflow vulnerability was found in the PackBitsEncode function in tif_packbits.c. Memory corruption can be triggered when bmp2tiff is handling a maliciously crafted BMP file, causing the application to crash.

CVE assignment: http://seclists.org/oss-sec/2016/q2/486

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Vulnerabilities were found in the bmp2tiff and thumbnail utilities. Upstream decided to remove both tools with v4.0.7. Added to the existing GLSA request.
This issue was resolved and addressed in GLSA 201701-16 at https://security.gentoo.org/glsa/201701-16 by GLSA coordinator Thomas Deutschmann (whissi).