[Secure-testing-commits] r45931 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Thu Nov 3 14:18:43 UTC 2016


Author: jmm
Date: 2016-11-03 14:18:43 +0000 (Thu, 03 Nov 2016)
New Revision: 45931

Modified:
   data/CVE/list
Log:
more tiff fixes


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-11-03 14:17:03 UTC (rev 45930)
+++ data/CVE/list	2016-11-03 14:18:43 UTC (rev 45931)
@@ -2250,10 +2250,11 @@
 	NOTE: https://github.com/uclouvain/openjpeg/pull/820
 CVE-2016-8331 (An exploitable remote code execution vulnerability exists in the ...)
 	{DLA-693-1}
-	- tiff <unfixed>
+	- tiff 4.0.6-3
 	- tiff3 <removed>
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
 	NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0190/
+	NOTE: thumbnail(1) removed in 4.0.6-3
 	NOTE: From the backtrace shared in the report, we can see that the crash is triggered though the thumbnail tool which has been dropped upstream.
 CVE-2016-8330
 	RESERVED
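Review bot: marking tiff as fixed in 4.0.6-3 here rests only on the removal of thumbnail(1) (the added NOTE and the existing NOTE that the crash is triggered through the thumbnail tool), while the CVE-2016-3634 entry in this same commit keeps `- tiff <unfixed>` with a NOTE that the library code behind the removed tool is still present. The added NOTE should say explicitly that for CVE-2016-8331 the crash lives in the tool alone and has no counterpart in libtiff itself; if that is not certain, keep <unfixed> as for CVE-2016-3634 so the two entries do not contradict each other.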
@@ -10927,7 +10928,7 @@
 CVE-2016-5652 [heap based buffer overflow in LibTIFFs TIFF2PDF tool]
 	RESERVED
 	{DLA-693-1}
-	- tiff <unfixed> (bug #842361)
+	- tiff 4.0.6-3 (bug #842361)
 	- tiff3 <removed>
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
 	NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0187/
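Review bot: the bump from <unfixed> to 4.0.6-3 for CVE-2016-5652 comes with no NOTE recording what in 4.0.6-3 addresses the tiff2pdf heap overflow, unlike the CVE-2016-8331 hunk in this commit, which adds `NOTE: thumbnail(1) removed in 4.0.6-3`. Add a NOTE naming the applied patch or upstream fix so the fixed-version claim can be checked against bug #842361.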
@@ -17686,7 +17687,7 @@
 CVE-2016-3636
 	RESERVED
 CVE-2016-3635 (SAP Netweaver 7.4 allows remote authenticated users to bypass an ...)
-	TODO: check
+	NOT-FOR-US: SAP Netweaver
 CVE-2016-3634 (The tagCompare function in tif_dirinfo.c in the thumbnail tool in ...)
 	{DLA-693-1}
 	- tiff <unfixed>
@@ -17697,6 +17698,7 @@
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2547
 	NOTE: Upstream will remove thumbnail from 4.0.7 release
 	NOTE: No patch available. Issue marked as wontfix by upstream.
+	NOTE: thumbnail(1) removed in 4.0.6-3, but vulnerable library code still present
 CVE-2016-3633 (The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier ...)
 	{DLA-693-1}
 	- tiff 4.0.6-3 (bug #842046)
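Review bot: the added NOTE makes clear why this entry stays <unfixed>, but it would help to name the library code meant (tagCompare in tif_dirinfo.c, per the CVE description) and to say whether a downstream fix for it is planned, since the two preceding NOTEs (`No patch available. Issue marked as wontfix by upstream.`) otherwise leave the entry <unfixed> with no path to closure.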
@@ -17748,7 +17750,7 @@
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2566
 CVE-2016-3624 (The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and ...)
-	- tiff <unfixed>
+	- tiff 4.0.6-3
 	[jessie] - tiff <no-dsa> (Minor issue)
 	[wheezy] - tiff <no-dsa> (Minor issue)
 	- tiff3 <not-affected> (tiff tools not built)
@@ -17756,8 +17758,7 @@
 	NOTE: Upstream marked this duplicate of bug 2569
 CVE-2016-3623 (The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote ...)
 	{DLA-610-1}
-	- tiff <unfixed>
-	[jessie] - tiff <no-dsa> (Minor issue)
+	- tiff 4.0.6-3
 	[wheezy] - tiff <no-dsa> (Minor issue)
 	- tiff3 <removed>
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2569
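Review bot: dropping `[jessie] - tiff <no-dsa> (Minor issue)` for CVE-2016-3623 is inconsistent with the preceding CVE-2016-3624 hunk, which sets the same 4.0.6-3 fixed version but keeps both the [jessie] and [wheezy] no-dsa lines. Either the jessie no-dsa marker should stay here too, or the change should say why jessie now needs different handling for CVE-2016-3623 (the {DLA-610-1} line covers wheezy only).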
