CVE-2018-18557 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18557): LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write. @maintainer(s): see upstream commit SHA 681748ec for details. Gentoo Security Padawan (domhnall)
Fix is present in 4.0.10 (git tag --contains 681748ec).
@arches, please stabilize.
An automated check of this bug failed - repoman reported dependency errors (197 lines truncated):
> dependency.bad media-libs/tiff/tiff-4.0.10.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['>=app-arch/zstd-1.3.7-r1:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/tiff/tiff-4.0.10.ebuild: RDEPEND: alpha(default/linux/alpha/17.0) ['>=app-arch/zstd-1.3.7-r1:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/tiff/tiff-4.0.10.ebuild: DEPEND: alpha(default/linux/alpha/17.0/desktop) ['>=app-arch/zstd-1.3.7-r1:=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
amd64 stable
x86 stable
ppc/ppc64 stable
hppa stable
ia64 stable
arm64 stable
arm stable
*** Bug 681532 has been marked as a duplicate of this bug. ***
sparc stable
This issue was resolved and addressed in GLSA 201904-15 at https://security.gentoo.org/glsa/201904-15 by GLSA coordinator Aaron Bauman (b-man).
re-opened for final arches and cleanup.
s390 stable
sh stable
m68k stable
oh, alpha was forgotten, sorry
alpha stable