[Secure-testing-commits] r45826 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Tue Nov 1 12:26:32 UTC 2016
Author: jmm
Date: 2016-11-01 12:26:32 +0000 (Tue, 01 Nov 2016)
New Revision: 45826
Modified:
data/CVE/list
Log:
latest tiff upload dropped a few tools
(only first part of review, second part pending)
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-11-01 12:12:57 UTC (rev 45825)
+++ data/CVE/list 2016-11-01 12:26:32 UTC (rev 45826)
@@ -12309,6 +12309,7 @@
NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=652
NOTE: Utility bmp2tiff has been removed from upstream LibTIFF
NOTE: No patch available. Marked as wontfix by upstream.
+ NOTE: bmp2tiff was removed in 4.0.6-3, but the affected function is still present
CVE-2016-5318 [libtiff: stack buffer overflow in _TIFFVGetField function]
RESERVED
- tiff <unfixed> (bug #842043)
@@ -13115,7 +13116,7 @@
TODO: probably not affected since orig.tar.gz of src:mplayer does not include libavcodec, ffmpeg/libav affected?
CVE-2016-5102 [gif2tiff: buffer overflow in readgifimage()]
RESERVED
- - tiff <unfixed>
+ - tiff 4.0.6-3
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (unimportant)
@@ -13126,6 +13127,7 @@
NOTE: Upstream will remove gif2tiff from 4.0.7 release
NOTE: No patch available. Marked as wontfix by upstream
NOTE: Reproducer http://bugs.fi/media/afl/libtiff/CVE-2016-5102.gif
+ NOTE: gif2tiff removed in 4.0.6-3
CVE-2016-5101 (Unspecified vulnerability in Opera Mail before 2016-02-16 on Windows ...)
NOT-FOR-US: Opera
CVE-2016-5100
@@ -17489,7 +17491,7 @@
NOTE: Upstream will remove thumbnail from 4.0.7 release
NOTE: No patch available. Issue marked as wontfix by upstream.
CVE-2016-3633 (The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier ...)
- - tiff <unfixed> (bug #842046)
+ - tiff 4.0.6-3 (bug #842046)
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (unimportant)
@@ -17498,6 +17500,7 @@
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2548
NOTE: Upstream will remove thumbnail from 4.0.7 release
NOTE: No patch available. Issue marked as wontfix by upstream.
+ NOTE: thumbnail(1) removed in 4.0.6-3
CVE-2016-3632 (The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and ...)
- tiff <unfixed>
[jessie] - tiff <no-dsa> (Minor issue)
@@ -17508,14 +17511,16 @@
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2549
NOTE: Upstream will remove thumbnail from 4.0.7 release
NOTE: No patch available. Issue marked as wontfix by upstream.
+ NOTE: thumbnail(1) removed in 4.0.6-3, but vulnerable library code still present
CVE-2016-3631 (The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in ...)
- - tiff <unfixed> (bug #820366)
+ - tiff 4.0.6-3 (bug #820366)
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (unimportant)
[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
NOTE: src:tiff3: built binary packages do not contain the TIFF tools
NOTE: No patch available. Issue marked as wontfix by upstream.
+ NOTE: thumbnail(1) removed in 4.0.6-3
CVE-2016-3630 (The binary delta decoder in Mercurial before 3.7.3 allows remote ...)
{DSA-3542-1}
- mercurial 3.7.3-1 (bug #819504)
@@ -17563,6 +17568,7 @@
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2565
NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/3
NOTE: Utility bmp2tiff has been removed from upstream LibTIFF
+ NOTE: bmp2tiff was removed in 4.0.6-3, but the affected function is still present
CVE-2016-3620 (The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF ...)
- tiff <unfixed> (low; bug #820363)
[jessie] - tiff <no-dsa> (Minor issue)
@@ -17571,6 +17577,7 @@
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2570
NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/2
NOTE: Utility bmp2tiff has been removed from upstream LibTIFF
+ NOTE: bmp2tiff was removed in 4.0.6-3, but the affected function is still present
CVE-2016-3619 (The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in ...)
- tiff <unfixed> (low; bug #820362)
[jessie] - tiff <no-dsa> (Minor issue)
@@ -17579,6 +17586,7 @@
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2567
NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/1
NOTE: Utility bmp2tiff has been removed from upstream LibTIFF
+ NOTE: bmp2tiff was removed in 4.0.6-3, but the affected function is still present
CVE-2016-3618
RESERVED
CVE-2016-3617
@@ -18564,7 +18572,7 @@
NOT-FOR-US: Prepopulate module for Drupal
CVE-2016-3186 (Buffer overflow in the readextension function in gif2tiff.c in LibTIFF ...)
{DLA-610-1}
- - tiff <unfixed> (bug #819972)
+ - tiff 4.0.6-3 (bug #819972)
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (unimportant)
@@ -18572,6 +18580,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1319503
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2536
NOTE: Proposed patch from Red Hat: https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
+ NOTE: gif2tiff removed in 4.6.0-3
CVE-2016-3185 (The make_http_soap_request function in ext/soap/php_http.c in PHP ...)
- php7.0 7.0.4-1
NOTE: https://bugs.php.net/bug.php?id=71610
@@ -26131,6 +26140,7 @@
NOTE: Issue was also marked as wontfix, because bmp2tiff utility has been removed
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4
NOTE: Reproducer file here: http://bugzilla.maptools.org/attachment.cgi?id=677
+ NOTE: bmp2tiff was removed in 4.0.6-3, but the affected function is still present
CVE-2015-8683 (The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 ...)
{DSA-3467-1 DLA-610-1 DLA-402-1}
- tiff 4.0.6-1 (bug #809021)
More information about the Secure-testing-commits
mailing list