Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 645730 (CVE-2018-5784) - <media-libs/tiff-4.0.9-r3: uncontrolled resource consumption in TIFFSetDirectory function in tif_dir.c
Summary: <media-libs/tiff-4.0.9-r3: uncontrolled resource consumption in TIFFSetDirect...
Status: RESOLVED FIXED
Alias: CVE-2018-5784
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://bugzilla.maptools.org/show_bug...
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-25 16:19 UTC by GLSAMaker/CVETool Bot
Modified: 2018-06-11 15:19 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-01-25 16:19:36 UTC
CVE-2018-5784 (https://nvd.nist.gov/vuln/detail/CVE-2018-5784):
  In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the
  TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this
  vulnerability to cause a denial of service via a crafted tif file. This
  occurs because the declared number of directory entries is not validated
  against the actual number of directory entries.
Comment 2 Larry the Git Cow gentoo-dev 2018-02-20 14:29:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5f874c2b8cbbdb0eb013c1543ef3aaddbe67903

commit b5f874c2b8cbbdb0eb013c1543ef3aaddbe67903
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2018-02-20 14:18:53 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-02-20 14:29:48 +0000

    media-libs/tiff: Fix CVE-2018-5784
    
    Patch is upstream commit:
    https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
    
    Bug: https://bugs.gentoo.org/645730
    
    Package-Manager: Portage-2.3.19, Repoman-2.3.6
    Closes: https://github.com/gentoo/gentoo/pull/7237

 .../tiff/files/tiff-4.0.9-CVE-2018-5784.patch      | 128 +++++++++++++++++++++
 media-libs/tiff/tiff-4.0.9-r3.ebuild               |  84 ++++++++++++++
 2 files changed, 212 insertions(+)}
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-06-11 15:19:44 UTC
GLSA Vote: No

tree is clean