[Secure-testing-commits] r47981 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Fri Jan 13 15:53:19 UTC 2017 

Author: jmm
Date: 2017-01-13 15:53:19 +0000 (Fri, 13 Jan 2017)
New Revision: 47981

Modified:
   data/CVE/list
Log:
record fixed versions for tools dropped in jessie
 - technically still somewhat present in the source, but mark as fixed anyway


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-01-13 15:34:09 UTC (rev 47980)
+++ data/CVE/list	2017-01-13 15:53:19 UTC (rev 47981)
@@ -16196,9 +16196,10 @@
 	{DLA-693-1}
 	- tiff 4.0.6-3
 	- tiff3 <removed>
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
 	NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0190/
-	NOTE: thumbnail(1) removed in 4.0.6-3
+	NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 	NOTE: From the backtrace shared in the report, we can see that the crash is triggered though the thumbnail tool which has been dropped upstream.
 CVE-2016-8330
 	RESERVED
@@ -26647,12 +26648,13 @@
 	{DLA-693-1}
 	- tiff <unfixed> (bug #842046)
 	- tiff3 <removed>
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	[wheezy] - tiff3 <not-affected> (tools like bmp2tiff not shipped by tiff3 source package)
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2562
 	NOTE: Reproducer http://bugzilla.maptools.org/attachment.cgi?id=652
 	NOTE: Utility bmp2tiff has been removed from upstream LibTIFF
 	NOTE: No patch available. Marked as wontfix by upstream.
-	NOTE: bmp2tiff was removed in 4.0.6-3, but the affected function is still present
+	NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-5318 [libtiff: stack buffer overflow in _TIFFVGetField function]
 	RESERVED
 	{DLA-693-1 DLA-692-1}
@@ -27605,7 +27607,7 @@
 	RESERVED
 	{DLA-693-1}
 	- tiff 4.0.6-3
-	[jessie] - tiff <no-dsa> (Minor issue)
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff3 <removed> (unimportant)
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff-tools)
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2552
@@ -27614,7 +27616,7 @@
 	NOTE: Upstream will remove gif2tiff from 4.0.7 release
 	NOTE: No patch available. Marked as wontfix by upstream
 	NOTE: Reproducer http://bugs.fi/media/afl/libtiff/CVE-2016-5102.gif
-	NOTE: gif2tiff removed in 4.0.6-3
+	NOTE: gif2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-5101 (Unspecified vulnerability in Opera Mail before 2016-02-16 on Windows ...)
 	NOT-FOR-US: Opera
 CVE-2016-5100
@@ -31996,45 +31998,45 @@
 CVE-2016-3634 (The tagCompare function in tif_dirinfo.c in the thumbnail tool in ...)
 	{DLA-693-1}
 	- tiff <unfixed>
-	[jessie] - tiff <no-dsa> (Minor issue)
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff3 <removed> (unimportant)
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
 	NOTE: src:tiff3: built binary packages do not contain the TIFF tools
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2547
 	NOTE: Upstream will remove thumbnail from 4.0.7 release
 	NOTE: No patch available. Issue marked as wontfix by upstream.
-	NOTE: thumbnail(1) removed in 4.0.6-3, but vulnerable library code still present
+	NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-3633 (The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier ...)
 	{DLA-693-1}
 	- tiff 4.0.6-3 (bug #842046)
-	[jessie] - tiff <no-dsa> (Minor issue)
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff3 <removed> (unimportant)
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
 	NOTE: src:tiff3: built binary packages do not contain the TIFF tools
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2548
 	NOTE: Upstream will remove thumbnail from 4.0.7 release
 	NOTE: No patch available. Issue marked as wontfix by upstream.
-	NOTE: thumbnail(1) removed in 4.0.6-3
+	NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-3632 (The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and ...)
 	{DLA-693-1}
 	- tiff <unfixed>
-	[jessie] - tiff <no-dsa> (Minor issue)
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff3 <removed> (unimportant)
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
 	NOTE: src:tiff3: built binary packages do not contain the TIFF tools
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2549
 	NOTE: Upstream will remove thumbnail from 4.0.7 release
 	NOTE: No patch available. Issue marked as wontfix by upstream.
-	NOTE: thumbnail(1) removed in 4.0.6-3, but vulnerable library code still present
+	NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-3631 (The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in ...)
 	{DLA-693-1}
 	- tiff 4.0.6-3 (bug #820366)
-	[jessie] - tiff <no-dsa> (Minor issue)
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff3 <removed> (unimportant)
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
 	NOTE: src:tiff3: built binary packages do not contain the TIFF tools
 	NOTE: No patch available. Issue marked as wontfix by upstream.
-	NOTE: thumbnail(1) removed in 4.0.6-3
+	NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-3630 (The binary delta decoder in Mercurial before 3.7.3 allows remote ...)
 	{DSA-3542-1}
 	- mercurial 3.7.3-1 (bug #819504)
@@ -32077,30 +32079,30 @@
 CVE-2016-3621 (The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF ...)
 	{DLA-693-1}
 	- tiff <unfixed> (low; bug #820364)
-	[jessie] - tiff <no-dsa> (Minor issue)
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff3 <not-affected> (tiff tools not built)
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2565
 	NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/3
 	NOTE: Utility bmp2tiff has been removed from upstream LibTIFF
-	NOTE: bmp2tiff was removed in 4.0.6-3, but the affected function is still present
+	NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-3620 (The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF ...)
 	{DLA-693-1}
 	- tiff <unfixed> (low; bug #820363)
-	[jessie] - tiff <no-dsa> (Minor issue)
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff3 <not-affected> (tiff tools not built)
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2570
 	NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/2
 	NOTE: Utility bmp2tiff has been removed from upstream LibTIFF
-	NOTE: bmp2tiff was removed in 4.0.6-3, but the affected function is still present
+	NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-3619 (The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in ...)
 	{DLA-693-1}
 	- tiff <unfixed> (low; bug #820362)
-	[jessie] - tiff <no-dsa> (Minor issue)
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff3 <not-affected> (tiff tools not built)
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2567
 	NOTE: http://www.openwall.com/lists/oss-security/2016/04/07/1
 	NOTE: Utility bmp2tiff has been removed from upstream LibTIFF
-	NOTE: bmp2tiff was removed in 4.0.6-3, but the affected function is still present
+	NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-3618
 	RESERVED
 CVE-2016-3617
@@ -33090,13 +33092,13 @@
 CVE-2016-3186 (Buffer overflow in the readextension function in gif2tiff.c in LibTIFF ...)
 	{DLA-693-1 DLA-610-1}
 	- tiff 4.0.6-3 (bug #819972)
-	[jessie] - tiff <no-dsa> (Minor issue)
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff3 <removed> (unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1319666
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1319503
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2536
 	NOTE: Proposed patch from Red Hat: https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
-	NOTE: gif2tiff removed in 4.6.0-3
+	NOTE: gif2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2016-3185 (The make_http_soap_request function in ext/soap/php_http.c in PHP ...)
 	- php7.0 7.0.4-1
 	NOTE: https://bugs.php.net/bug.php?id=71610
@@ -40653,6 +40655,7 @@
 	NOTE: non-issue for Debian-packaged version
 CVE-2015-8668 (Heap-based buffer overflow in the PackBitsPreEncode function in ...)
 	{DLA-693-1}
+	[jessie] - tiff 4.0.3-12.3+deb8u2
 	- tiff 4.0.6-3 (bug #842046)
 	- tiff3 <removed>
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
@@ -40662,7 +40665,7 @@
 	NOTE: Issue was also marked as wontfix, because bmp2tiff utility has been removed
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4
 	NOTE: Reproducer file here: http://bugzilla.maptools.org/attachment.cgi?id=677
-	NOTE: bmp2tiff was removed in 4.0.6-3
+	NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
 CVE-2015-8683 (The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 ...)
 	{DSA-3467-1 DLA-610-1 DLA-402-1}
 	- tiff 4.0.6-1 (bug #809021)

More information about the Secure-testing-commits mailing list