Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618610 (CVE-2017-7592, CVE-2017-7593, CVE-2017-7594) - <media-libs/tiff-4.0.8: Multiple Vulnerabilities (CVE-2017-{7592,7593,7594})
Summary: <media-libs/tiff-4.0.8: Multiple Vulnerabilities (CVE-2017-{7592,7593,7594})
Status: RESOLVED FIXED
Alias: CVE-2017-7592, CVE-2017-7593, CVE-2017-7594
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords: STABLEREQ
Depends on:
Blocks: CVE-2017-5225 CVE-2017-7595 CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599, CVE-2017-7600, CVE-2017-7601, CVE-2017-7602 CVE-2017-9117, CVE-2017-9147, CVE-2017-9815
  Show dependency tree
 
Reported: 2017-05-16 06:19 UTC by GLSAMaker/CVETool Bot
Modified: 2018-07-28 10:36 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/tiff-4.0.8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-05-16 06:19:16 UTC
CVE-2017-7594 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7594):
  The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF
  4.0.7 allows remote attackers to cause a denial of service (memory leak) via
  a crafted image.

CVE-2017-7593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7593):
  tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly
  initialized, which might allow remote attackers to obtain sensitive
  information from process memory via a crafted image.

CVE-2017-7592 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7592):
  The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a
  left-shift undefined behavior issue, which might allow remote attackers to
  cause a denial of service (application crash) or possibly have unspecified
  other impact via a crafted image.

CVE-2017-5563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5563):
  LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in
  tif_lzw.c resulting in DoS or code execution via a crafted bmp image to
  tools/bmp2tiff.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-05-22 07:37:34 UTC
commit fc2f6e62d508e8c39bd0de3fec2591394eb7f4a2
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon May 22 09:32:13 2017

    media-libs/tiff: Bump to version 4.0.8
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2


Dunno if this version addresses all known vulnerabilites. 
Also, feel free to handle stabilization as required. All tests succeeded so I don't see any possible big issues arising with this version.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-24 09:06:25 UTC
Removing CVE-2017-5563 from this bug: It isn't clear if this was fixed. However, bmp2tiff utility is already removed, see https://bugs.gentoo.org/show_bug.cgi?id=585508#c1
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-24 09:09:03 UTC
@ Arches,

please test and mark stable: =media-libs/tiff-4.0.8
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-24 13:42:38 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-24 13:47:44 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-05-26 14:06:20 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-26 15:00:18 UTC
ppc64 stable
Comment 8 Markus Meier gentoo-dev 2017-05-26 18:31:30 UTC
arm stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-05-27 13:24:27 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-10 13:46:50 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-06-10 15:18:45 UTC
ia64 stable
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 02:15:03 UTC
Arches please finish stabilizing hppa.

Gentoo Security Padawan
ChrisADR
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-26 15:03:31 UTC
New GLSA Request filed.

It's been 4 months since stabilization request and there are several reports depending on this stabilization.

@HPPA please finish stabilization.

Gentoo Security Padawan
ChrisADR
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-09-26 22:12:10 UTC
This issue was resolved and addressed in
 GLSA 201709-27 at https://security.gentoo.org/glsa/201709-27
by GLSA coordinator Aaron Bauman (b-man).
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-09-26 22:13:24 UTC
@maintainers, re-opened for cleanup and a chance for the remaining arches to catchup.
Comment 16 Rolf Eike Beer archtester 2017-09-27 20:15:59 UTC
Tests passed on hppa.
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-29 00:46:09 UTC
stabled by jer (thanks to Rolf Eike Beer)
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 02:16:39 UTC
@maintainer(s), please cleanup slot 0