LibTIFF is prone to a heap-based buffer-overflow vulnerability. An attacker can exploit this issue to cause a denial-of-service condition. Due to the nature of this issue, code execution may be possible but this has not been confirmed. LibTIFF 4.0.9 is vulnerable; other versions may also be affected. @maintainer(s): currently, bug is not reproducible by upstream. See $URL for more details. Gentoo Security Padawan (domhnall)
Correction, the actual text is: "The remote attackers can still cause a denial of service via various buffer-overflow. Fortunately, we cannot reproduce this bug _after_: commit 3dd8f6a357981a4090f126ab9025056c938b6940." my mistake. @maintainer(s): this patch is in current 4.0.9-r4 via https://gitlab.com/libtiff/libtiff/tree/3dd8f6a357981a4090f126ab9025056c938b6940, that fixes CVE-2017-9935 with the -fix-incorrect-type patch. This issue can be closed. @security, ping. free CVE here for tracking. Gentoo Security Padawan (domhnall/mbailey_j)
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
@graphics - this is an A3 vulnerability (10 days to fix), can you please take a look at this, as all of this has been in Neverland for a while.
Code is present in 3.x release. So it is vulnerable.
Tree is clean
