FS#59223 : [libtiff] CVE-2017-18013, CVE-2018-5784, CVE-2018-7456, CVE-2018-8905, CVE-2018-10963

FS#59223 - [libtiff] CVE-2017-18013, CVE-2018-5784, CVE-2018-7456, CVE-2018-8905, CVE-2018-10963

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 03 July 2018, 15:02 GMT
Last edited by Antonio Rojas (arojas) - Tuesday, 17 July 2018, 21:50 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Antonio Rojas (arojas) Levente Polyak (anthraxx)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

There's a bunch of CVEs in libtiff 4.0.9:

https://nvd.nist.gov/vuln/detail/CVE-2017-18013
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
https://nvd.nist.gov/vuln/detail/CVE-2018-7456
https://nvd.nist.gov/vuln/detail/CVE-2018-8905
https://nvd.nist.gov/vuln/detail/CVE-2018-10963

CVE-2018-7456 is a null pointer dereference, 2018-8905 is a heap overflow, and the others are supposedly only DoS vulnerabilities. CVE-2018-8905 has got a CVSS v3.0 base score of 8.8, hence I've set the severity to "high".

All five CVEs have seemingly already been fixed in upstream's git quite some time ago (CVE-2018-8905 and CVE-2018-10963 on 2018-05-12, for example), yet upstream has not cared yet to make a new release version. I suggest to follow upstream's git master until there is an actual release.

Debian has released an advisory on this as well:

https://lists.debian.org/debian-lts-announce/2018/07/msg00002.html

This task depends upon

Closed by Antonio Rojas (arojas)
Tuesday, 17 July 2018, 21:50 GMT
Reason for closing: Fixed
Additional comments about closing: libtiff 4.0.9-2

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#59223 - [libtiff] CVE-2017-18013, CVE-2018-5784, CVE-2018-7456, CVE-2018-8905, CVE-2018-10963

Details

Loading...