FS#59223 - [libtiff] CVE-2017-18013, CVE-2018-5784, CVE-2018-7456, CVE-2018-8905, CVE-2018-10963
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 03 July 2018, 15:02 GMT
Last edited by Antonio Rojas (arojas) - Tuesday, 17 July 2018, 21:50 GMT
Details
There's a bunch of CVEs in libtiff 4.0.9:
https://nvd.nist.gov/vuln/detail/CVE-2017-18013
https://nvd.nist.gov/vuln/detail/CVE-2018-5784
https://nvd.nist.gov/vuln/detail/CVE-2018-7456
https://nvd.nist.gov/vuln/detail/CVE-2018-8905
https://nvd.nist.gov/vuln/detail/CVE-2018-10963

CVE-2018-7456 is a null pointer dereference, CVE-2018-8905 is a heap overflow, and the others are supposedly only DoS vulnerabilities. CVE-2018-8905 has a CVSS v3.0 base score of 8.8, hence I've set the severity to "high".

All five CVEs have seemingly already been fixed in upstream's git quite some time ago (CVE-2018-8905 and CVE-2018-10963 on 2018-05-12, for example), yet upstream has not yet cared to make a new release version. I suggest following upstream's git master until there is an actual release.

Debian has released an advisory on this as well: https://lists.debian.org/debian-lts-announce/2018/07/msg00002.html
Closed by Antonio Rojas (arojas)
Tuesday, 17 July 2018, 21:50 GMT
Reason for closing: Fixed
Additional comments about closing: libtiff 4.0.9-2