[Git][security-tracker-team/security-tracker][master] Reserve DLA-3513-1 for tiff

Adrian Bunk (@bunk) bunk at debian.org
Tue Aug 1 00:46:30 BST 2023



Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
07695d06 by Adrian Bunk at 2023-07-31T23:46:12+00:00
Reserve DLA-3513-1 for tiff

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4945,7 +4945,6 @@ CVE-2023-3316 (A NULL pointer dereference in TIFFClose() is caused by a failure
 	- tiff 4.5.1~rc3-1
 	[bookworm] - tiff <no-dsa> (Minor issue)
 	[bullseye] - tiff <no-dsa> (Minor issue)
-	[buster] - tiff <postponed> (Minor issue, DoS, PoC doesn't segfault)
 	NOTE: https://gitlab.com/libtiff/libtiff/-/issues/515
 	NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/468
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536 (v4.5.1rc1)
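Review bot: dropping the `[buster] - tiff <postponed>` line lets the tracker derive buster's CVE-2023-3316 status from the DLA list entry added in this same commit instead of the postponed marker, which is the correct handling once DLA-3513-1 covers it; the deleted annotation was the only record that the PoC does not segfault, so the DLA text should describe the NULL pointer dereference in TIFFClose() as a potential denial of service rather than a confirmed crash.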
@@ -4996,7 +4995,6 @@ CVE-2023-2908 (A null pointer dereference issue was found in Libtiff's tif_dir.c
 	- tiff 4.5.1~rc3-1
 	[bookworm] - tiff <no-dsa> (Minor issue)
 	[bullseye] - tiff <no-dsa> (Minor issue)
-	[buster] - tiff <no-dsa> (Minor issue)
 	NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/479
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f (v4.5.1rc1)
 	NOTE: Introduced by the fix for CVE-2022-3599/CVE-2022-4645/CVE-2023-30086/CVE-2023-30774:
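Review bot: removing the `[buster] - tiff <no-dsa>` line for CVE-2023-2908 is only accurate if buster's tiff already carried the fix for CVE-2022-3599/CVE-2022-4645/CVE-2023-30086/CVE-2023-30774 that the trailing NOTE names as the origin of this regression; if 4.1.0+git191117-2~deb10u8 is the first buster upload containing that fix, buster was never affected and `<not-affected>` would be the correct status instead of listing the CVE in DLA-3513-1. That NOTE ends with a colon, so its continuation sits outside the hunk and should be checked for a stale buster remark.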


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[31 Jul 2023] DLA-3513-1 tiff - security update
+	{CVE-2023-2908 CVE-2023-3316 CVE-2023-3618 CVE-2023-25433 CVE-2023-26965 CVE-2023-26966 CVE-2023-38288 CVE-2023-38289}
+	[buster] - tiff 4.1.0+git191117-2~deb10u8
 [31 Jul 2023] DLA-3512-1 linux-5.10 - security update
 	{CVE-2023-2156 CVE-2023-3390 CVE-2023-3610 CVE-2023-20593 CVE-2023-31248 CVE-2023-35001}
 	[buster] - linux-5.10 5.10.179-3~deb10u1
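Review bot: the new DLA-3513-1 entry lists eight CVEs, but this commit only touches the data/CVE/list entries for CVE-2023-2908 and CVE-2023-3316; the other six (CVE-2023-3618, CVE-2023-25433, CVE-2023-26965, CVE-2023-26966, CVE-2023-38288, CVE-2023-38289) need a matching check that no `[buster] - tiff <no-dsa>` or `<postponed>` line remains, since a leftover marker would contradict the fixed version 4.1.0+git191117-2~deb10u8 recorded here. The entry's layout (date, id, package, CVE set in braces, then the `[buster]` fixed-version line) matches the DLA-3512-1 entry directly below it.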


=====================================
data/dla-needed.txt
=====================================
@@ -198,11 +198,6 @@ suricata (Adrian Bunk)
   NOTE: 20230714: Still reviewing+testing CVEs. (bunk)
   NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
 --
-tiff (Adrian Bunk)
-  NOTE: 20230702: Added by Front-Desk (ta)
-  NOTE: 20230714: Waiting for upstream reaction on CVE-2023-3618. (bunk)
-  NOTE: 20230731: Resumed working on tiff, DLA soon. (bunk)
---
 xqilla (tobi)
   NOTE: 20230706: Added by Front-Desk (gladk)
   NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code.
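Review bot: the removal correctly takes the tiff block's trailing `--` separator with it (the `---` line), so suricata and xqilla remain separated by exactly one `--` line; the dropped 20230714 NOTE said the DLA was waiting for an upstream reaction on CVE-2023-3618, and since DLA-3513-1 now claims that CVE as fixed, the CVE/list entry for CVE-2023-3618 should carry the upstream fix reference the way the other tiff entries do in their NOTE: lines, which this commit does not add.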



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07695d0692d7c0f4738a14a4554a2ccaf25b3aeb
