[Secure-testing-commits] r44557 - data/CVE
Raphaël Hertzog
hertzog at moszumanska.debian.org
Tue Sep 13 16:08:48 UTC 2016
Author: hertzog
Date: 2016-09-13 16:08:48 +0000 (Tue, 13 Sep 2016)
New Revision: 44557
Modified:
data/CVE/list
Log:
Mark CVE-2015-8668/tiff3 as no-dsa on wheezy
I'm not marking this as not-affected because there's a possibility
that we could improve libtiff to avoid the issue at the library level.
But without a file to reproduce the issue it's hard to figure it
out.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-09-13 16:08:33 UTC (rev 44556)
+++ data/CVE/list 2016-09-13 16:08:48 UTC (rev 44557)
@@ -22839,11 +22839,14 @@
CVE-2015-8668 (Heap-based buffer overflow in the PackBitsPreEncode function in ...)
- tiff <unfixed>
- tiff3 <removed>
+ [wheezy] - tiff3 <no-dsa> (Issue is in bmp2tiff but we don't ship tools, tools are shipped by "tiff")
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563
NOTE: Red Hat say it's only OOB read: https://bugzilla.redhat.com/show_bug.cgi?id=1294425#c1
NOTE: Red Hat's patch is partially incorrect according to upstream
NOTE: Issue was also marked as wontfix, because bmp2tiff utility has been removed
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4
+ NOTE: No reproducer file seems to be publicly available.
+
CVE-2015-8683 (The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 ...)
{DSA-3467-1 DLA-610-1 DLA-402-1}
- tiff 4.0.6-1 (bug #809021)
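Review bot: the reason this is tagged no-dsa rather than not-affected (the possibility of a library-level hardening in libtiff, per the commit log) is not recorded in the entry itself, so a later triager reading only this hunk sees "Issue is in bmp2tiff but we don't ship tools" and may reasonably downgrade it to not-affected; suggest adding a NOTE line next to `NOTE: No reproducer file seems to be publicly available.` stating that no-dsa was chosen because a library-side fix may still be possible. Also, the trailing added blank `+` line after that NOTE looks stray, since the neighbouring entries in the visible context are not separated by blank lines; drop it unless the file already uses that separator elsewhere.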