Details at $URL.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE ID: CVE-2016-10095
Summary: Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.
pulled in 4.0.7-r1
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
This bug has _not_ been fixed by upstream. There are no patches.
> This is a duplicate of CVE-2015-7554, both were reported against tiffsplit
> While the _TIFFVGetField function is a generic function, CVE IDs seem to be
> assigned per tool using it, so CVE-2015-7554/CVE-2016-10095 refers to the
> tiffsplit tool
...and Debian uses https://sources.debian.net/src/tiff/4.0.7-7/debian/patches/28-CVE-2015-7554.patch/ (similar to RH). It is only a partial fix, however Debian and RH consider the vulnerability fixed...
@ Vapier: Can you please help to identify which patch from your commit should address the issue?
(In reply to Thomas Deutschmann from comment #5)
> From Debian:
> > This is a duplicate of CVE-2015-7554, both were reported against tiffsplit
> > While the _TIFFVGetField function is a generic function, CVE IDs seem to be
> > assigned per tool using it, so CVE-2015-7554/CVE-2016-10095 refers to the
> > tiffsplit tool
> ...and Debian uses
> patch/ (similar to RH). It is only a partial fix, however Debian and RH
> consider the vulnerability fixed...
> @ Vapier: Can you please help to identify which patch from your commit
> should address the issue?
The patch he used is from here:
+From 9bbbe303c8e5db20d7f687ee1ca19c98fb852044 Mon Sep 17 00:00:00 2001
+From: Even Rouault <firstname.lastname@example.org>
+Date: Sat, 3 Dec 2016 15:30:31 +0000
+Subject: [PATCH] * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS,
+ ) is called, limit the return number of inks to SamplesPerPixel, so that code
+ that parses ink names doesn't go past the end of the buffer. Reported by
+ Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
It is applied as Vapier said. I see nothing indicating this is a partial fix.
This is also a DoS.
@maintainers, please clean the vulnerable versions.