Details at $URL. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
CVE ID: CVE-2016-10095
Summary: Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.
Published: 2017-03-01T15:59:00.000Z
pulled in 4.0.7-r1 https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f61e94523aef88e99d1140307b83bd518a450a14
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
This bug has _not_ been fixed by upstream. There are no patches.
From Debian:

> This is a duplicate of CVE-2015-7554, both were reported against tiffsplit
> While the _TIFFVGetField function is a generic function, CVE IDs seem to be
> assigned per tool using it, so CVE-2015-7554/CVE-2016-10095 refers to the
> tiffsplit tool

...and Debian uses https://sources.debian.net/src/tiff/4.0.7-7/debian/patches/28-CVE-2015-7554.patch/ (similar to RH). It is only a partial fix; however, Debian and RH consider the vulnerability fixed...

@Vapier: Can you please help to identify which patch from your commit should address the issue?
(In reply to Thomas Deutschmann from comment #5)
> From Debian:
>
> > This is a duplicate of CVE-2015-7554, both were reported against tiffsplit
> > While the _TIFFVGetField function is a generic function, CVE IDs seem to be
> > assigned per tool using it, so CVE-2015-7554/CVE-2016-10095 refers to the
> > tiffsplit tool
>
> ...and Debian uses
> https://sources.debian.net/src/tiff/4.0.7-7/debian/patches/28-CVE-2015-7554.patch/
> (similar to RH). It is only a partial fix, however Debian and RH
> consider the vulnerability fixed...
>
> @Vapier: Can you please help to identify which patch from your commit
> should address the issue?

The patch he used is from here: http://bugzilla.maptools.org/show_bug.cgi?id=2599

+From 9bbbe303c8e5db20d7f687ee1ca19c98fb852044 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 3 Dec 2016 15:30:31 +0000
+Subject: [PATCH] * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS,
+ ) is called, limit the return number of inks to SamplesPerPixel, so that code
+ that parses ink names doesn't go past the end of the buffer. Reported by
+ Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599

It is applied as Vapier said. I see nothing indicating this is a partial fix. This is also a DoS.
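The patch subject quoted above describes the defensive pattern in one sentence: the ink count a file declares (NumberOfInks) is not trusted on its own but clamped to SamplesPerPixel before any code walks the InkNames buffer. The C below is an added illustration of that pattern, not code from LibTIFF, Debian, Red Hat or anyone in this thread, and it does not reproduce LibTIFF's internal API. It assumes only the TIFF 6.0 layout of InkNames (consecutive NUL-terminated ASCII strings, one per ink). The function names and the four-name CMYK sample buffer are constructed for the example; the bounded walk additionally caps the count at the number of names actually terminated inside the buffer, which goes one step beyond the clamp the patch subject mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Count the NUL-terminated ink names that lie entirely inside buf[0..len).
 * The walk stops at the first string without a terminator in range, so it
 * never reads past the end of the buffer regardless of what the file says. */
static size_t count_terminated_names(const char *buf, size_t len)
{
    size_t count = 0, pos = 0;
    while (pos < len) {
        const char *nul = memchr(buf + pos, '\0', len - pos);
        if (nul == NULL)
            break;                      /* unterminated tail: not a valid name */
        count++;
        pos = (size_t)(nul - buf) + 1;  /* skip the terminator */
    }
    return count;
}

/* How many ink names a consumer may safely iterate over.
 * 1. Clamp the declared NumberOfInks to SamplesPerPixel (the fix described
 *    in the patch subject above).
 * 2. Additionally clamp to the names actually present in the InkNames data,
 *    so a consistent-looking header still cannot drive a walk off the end. */
static uint16_t effective_ink_count(uint16_t declared_inks,
                                    uint16_t samples_per_pixel,
                                    const char *inknames, size_t inknames_len)
{
    size_t n = declared_inks;
    if (n > samples_per_pixel)
        n = samples_per_pixel;
    size_t present = count_terminated_names(inknames, inknames_len);
    if (n > present)
        n = present;
    return (uint16_t)n;
}

/* Total bytes covered by the first n names (each strlen()+1). This is the
 * kind of loop that runs off the end when n is taken straight from the file;
 * here it is bounded by both n and inknames_len. */
static size_t total_inknames_length(const char *inknames, size_t inknames_len,
                                    uint16_t n)
{
    size_t pos = 0;
    for (uint16_t i = 0; i < n && pos < inknames_len; i++) {
        const char *nul = memchr(inknames + pos, '\0', inknames_len - pos);
        if (nul == NULL)
            break;
        pos = (size_t)(nul - inknames) + 1;
    }
    return pos;
}

/* Constructed sample InkNames data: four CMYK names, each NUL-terminated,
 * exactly as the tag is stored in a TIFF file (26 bytes). */
static const char SAMPLE_INKNAMES[] = "Cyan\0Magenta\0Yellow\0Black\0";
#define SAMPLE_INKNAMES_LEN (sizeof(SAMPLE_INKNAMES) - 1)

int main(void)
{
    /* A crafted file claims 200 inks but has SamplesPerPixel = 4. */
    uint16_t n = effective_ink_count(200, 4, SAMPLE_INKNAMES, SAMPLE_INKNAMES_LEN);
    printf("declared 200 inks, spp 4 -> walk %u names, %zu bytes\n",
           (unsigned)n, total_inknames_length(SAMPLE_INKNAMES, SAMPLE_INKNAMES_LEN, n));

    /* Same header, but the InkNames data is truncated mid-name. */
    n = effective_ink_count(4, 4, SAMPLE_INKNAMES, 23);
    printf("truncated data (23 bytes) -> walk %u names\n", (unsigned)n);
    return 0;
}
```

The two clamps are independent: the first mirrors what the upstream commit message says was changed (the count handed back by the tag getter), the second belongs in any consumer that iterates the names, since the byte length of the InkNames tag is the only thing that actually bounds the walk.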
@maintainers, please clean the vulnerable versions. <media-libs/tiff-4.0.8:0