Arch Linux


FS#59223 - [libtiff] CVE-2017-18013, CVE-2018-5784, CVE-2018-7456, CVE-2018-8905, CVE-2018-10963

Attached to Project: Arch Linux
Opened by Pascal E. (hardfalcon) - Tuesday, 03 July 2018, 15:02 GMT
Last edited by Antonio Rojas (arojas) - Tuesday, 17 July 2018, 21:50 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Antonio Rojas (arojas), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

There's a bunch of CVEs in libtiff 4.0.9:

https://nvd.nist.gov/vuln/detail/CVE-2017-18013
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
https://nvd.nist.gov/vuln/detail/CVE-2018-7456
https://nvd.nist.gov/vuln/detail/CVE-2018-8905
https://nvd.nist.gov/vuln/detail/CVE-2018-10963

CVE-2018-7456 is a null pointer dereference, 2018-8905 is a heap overflow, and the others are supposedly only DoS vulnerabilities. CVE-2018-8905 has got a CVSS v3.0 base score of 8.8, hence I've set the severity to "high".

All five CVEs have seemingly already been fixed in upstream's git quite some time ago (CVE-2018-8905 and CVE-2018-10963 on 2018-05-12, for example), yet upstream has not cared yet to make a new release version. I suggest following upstream's git master until there is an actual release.

Debian has released an advisory on this as well:

https://lists.debian.org/debian-lts-announce/2018/07/msg00002.html

Closed by Antonio Rojas (arojas)
Tuesday, 17 July 2018, 21:50 GMT
Reason for closing: Fixed
Additional comments about closing: libtiff 4.0.9-2
