Debian Bug report logs - #706674
libtiff-tools: CVE-2013-1961: Stack-based buffer overflow with malformed image-length and resolution

Package: libtiff-tools; Maintainer for libtiff-tools is Jay Berkenbilt <qjb@debian.org>; Source for libtiff-tools is src:tiff.

Reported by: Henri Salo <henri@nerv.fi>

Date: Fri, 3 May 2013 08:48:01 UTC

Severity: important

Tags: security

Found in versions tiff/4.0.2-6, tiff/3.9.4-5+squeeze8

Fixed in versions tiff/4.0.2-6+nmu1, tiff/3.9.4-5+squeeze9, tiff/4.0.2-6+deb7u1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#706674; Package libtiff-tools. (Fri, 03 May 2013 08:48:06 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Fri, 03 May 2013 08:48:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: libtiff-tools: CVE-2013-1961: Stack-based buffer overflow with malformed image-length and resolution
Date: Fri, 3 May 2013 11:45:14 +0300
Package: libtiff-tools
Version: 4.0.2-6
Severity: important
Tags: security

Please see: http://www.openwall.com/lists/oss-security/2013/05/02/4

---
Henri Salo

Marked as found in versions tiff/3.9.4-5+squeeze8. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 03 May 2013 08:51:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#706674; Package libtiff-tools. (Mon, 17 Jun 2013 02:12:04 GMT)

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 17 Jun 2013 02:12:04 GMT)

Message #12 received at 706674@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 706674@bugs.debian.org, 706675@bugs.debian.org
Subject: Security nmu
Date: Sun, 16 Jun 2013 22:08:15 -0400
Hi,

I've uploaded an nmu fixing the open security issues.  Please see
attached patch.

Best wishes,
Mike
[tiff.patch (application/octet-stream, attachment)]

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Mon, 17 Jun 2013 03:54:05 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 17 Jun 2013 03:54:05 GMT)

Message #17 received at 706674-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 706674-close@bugs.debian.org
Subject: Bug#706674: fixed in tiff 4.0.2-6+nmu1
Date: Mon, 17 Jun 2013 03:51:13 +0000
Source: tiff
Source-Version: 4.0.2-6+nmu1

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 17 Jun 2013 01:27:17 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff5-alt-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all i386
Version: 4.0.2-6+nmu1
Distribution: unstable
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-alt-dev - Tag Image File Format library (TIFF), alternative development fil
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 706674 706675
Changes: 
 tiff (4.0.2-6+nmu1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2013-1960: heap-based buffer overflow in tiff2pdf
     (closes: #706675).
   * Fix cve-2013-1961: stack-based buffer overflow in tiff2pdf
     (closes: #706674).

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Thu, 20 Jun 2013 22:21:12 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Thu, 20 Jun 2013 22:21:12 GMT)

Message #22 received at 706674-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 706674-close@bugs.debian.org
Subject: Bug#706674: fixed in tiff 3.9.4-5+squeeze9
Date: Thu, 20 Jun 2013 22:18:44 +0000
Source: tiff
Source-Version: 3.9.4-5+squeeze9

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 17 Jun 2013 01:41:22 +0000
Source: tiff
Binary: libtiff4 libtiffxx0c2 libtiff4-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 3.9.4-5+squeeze9
Distribution: oldstable-security
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 706674 706675
Changes: 
 tiff (3.9.4-5+squeeze9) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2013-1960: heap-based buffer overflow in tiff2pdf
     (closes: #706675).
   * Fix cve-2013-1961: stack-based buffer overflow in tiff2pdf
     (closes: #706674).

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#706674; Package libtiff-tools. (Sat, 29 Jun 2013 17:45:14 GMT)

Acknowledgement sent to Ian Zimmerman <itz@buug.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Sat, 29 Jun 2013 17:45:14 GMT)

Message #27 received at 706674@bugs.debian.org:

From: Ian Zimmerman <itz@buug.org>
To: 706674@bugs.debian.org
Subject: Re: libtiff-tools: CVE-2013-1961: Stack-based buffer overflow with malformed image-length and resolution
Date: Sat, 29 Jun 2013 10:44:06 -0700
Is the tiff3 package in wheezy affected (and its derived binary packages
like libtiff4)?  Should they be fixed?

-- 
Please *no* private copies of mailing list or newsgroup messages.

gpg public key: 1024D/C6FF61AD
fingerprint: 66DC D68F 5C1B 4D71 2EE5  BD03 8A00 786C C6FF 61AD
Funny pic: http://bit.ly/ZNE2MX



Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Tue, 23 Jul 2013 21:03:05 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 23 Jul 2013 21:03:05 GMT)

Message #32 received at 706674-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 706674-close@bugs.debian.org
Subject: Bug#706674: fixed in tiff 4.0.2-6+deb7u1
Date: Tue, 23 Jul 2013 21:02:07 +0000
Source: tiff
Source-Version: 4.0.2-6+deb7u1

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706674@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 17 Jun 2013 01:27:17 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff5-alt-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.2-6+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-alt-dev - Tag Image File Format library (TIFF), alternative development fil
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 706674 706675
Changes: 
 tiff (4.0.2-6+deb7u1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2013-1960: heap-based buffer overflow in tiff2pdf
     (closes: #706675).
   * Fix cve-2013-1961: stack-based buffer overflow in tiff2pdf
     (closes: #706674).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Aug 2013 07:30:55 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:26:23 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.