Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 572876 (CVE-2015-8784) - <media-libs/tiff-4.0.7: potential out-of-bound write in NeXTDecode() (CVE-2015-8784)
Summary: <media-libs/tiff-4.0.7: potential out-of-bound write in NeXTDecode() (CVE-201...
Alias: CVE-2015-8784
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Keywords: PATCH
Depends on:
Reported: 2016-01-25 14:33 UTC by Agostino Sarubbo
Modified: 2017-01-09 17:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-01-25 14:33:28 UTC
From ${URL} :

> 2015-12-27  Even Rouault <even.rouault at>
>         * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
>         triggered by
>         (bugzilla #2508)

Fixing commit:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-11 05:10:38 UTC
CVE-2015-8784 (
  The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to
  cause a denial of service (out-of-bounds write) via a crafted TIFF image, as
  demonstrated by libtiff5.tif.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-20 05:07:45 UTC
Patch is not present in the 4.0.6 sources.

@maintainer(s), please patch as it does not look like upstream is releasing an update anytime soon.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 16:18:21 UTC
Added to existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-09 17:01:10 UTC
This issue was resolved and addressed in
 GLSA 201701-16 at
by GLSA coordinator Thomas Deutschmann (whissi).