[Git][security-tracker-team/security-tracker][master] Reserve DSA-5333-1 for tiff
Aron Xu (@aron)
aron at debian.org
Sun Jan 29 07:07:21 GMT 2023
Aron Xu pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d53c7a9f by Aron Xu at 2023-01-29T15:07:04+08:00
Reserve DSA-5333-1 for tiff
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -38247,20 +38247,17 @@ CVE-2022-2870 (A vulnerability was found in laravel 5.1 and classified as proble
CVE-2022-2869 (libtiff's tiffcrop tool has a uint32_t underflow which leads to out of ...)
{DLA-3278-1}
- tiff 4.4.0~rc1-1
- [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/352
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c (v4.4.0rc1)
CVE-2022-2868 (libtiff's tiffcrop utility has a improper input validation flaw that c ...)
{DLA-3278-1}
- tiff 4.4.0~rc1-1
- [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/335
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/294
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c (v4.4.0rc1)
CVE-2022-2867 (libtiff's tiffcrop utility has a uint32_t underflow that can lead to o ...)
{DLA-3278-1}
- tiff 4.4.0~rc1-1
- [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/350
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/351
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c (v4.4.0rc1)
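Review bot: the three `[bullseye] - tiff <no-dsa> (Minor issue)` lines for CVE-2022-2867, CVE-2022-2868 and CVE-2022-2869 are dropped without a replacement `[bullseye]` fixed-version line, so the tracker will resolve the bullseye status of these entries solely from the new DSA-5333-1 entry in data/DSA/list; all three CVEs do appear in that entry's CVE set, so the removal is consistent. The same pattern applies to the other data/CVE/list hunks in this commit, so the check worth doing once is that every CVE whose `<no-dsa>` marker is removed here is also listed in the DSA entry.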
@@ -48831,7 +48828,6 @@ CVE-2022-34527 (D-Link DSL-3782 v1.03 and below was discovered to contain a comm
CVE-2022-34526 (A stack overflow was discovered in the _TIFFVGetField function of Tiff ...)
{DLA-3278-1}
- tiff 4.4.0-4
- [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/433
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990
CVE-2022-34525
@@ -52801,21 +52797,18 @@ CVE-2017-20052 (A vulnerability classified as problematic was found in Python 2.
CVE-2022-2058 (Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to ...)
{DLA-3278-1}
- tiff 4.4.0-3 (bug #1014494)
- [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/428
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/346
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab
CVE-2022-2057 (Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to ...)
{DLA-3278-1}
- tiff 4.4.0-3 (bug #1014494)
- [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/427
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/346
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab
CVE-2022-2056 (Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to ...)
{DLA-3278-1}
- tiff 4.4.0-3 (bug #1014494)
- [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/415
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/346
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab
@@ -60519,14 +60512,12 @@ CVE-2022-26041 (Directory traversal vulnerability in RCCMD 4.26 and earlier allo
NOT-FOR-US: RCCMD
CVE-2022-1623 (LibTIFF master branch has an out-of-bounds read in LZWDecode in libtif ...)
- tiff 4.4.0~rc1-1
- [bullseye] - tiff <no-dsa> (Minor issue)
[buster] - tiff <not-affected> (Vulnerable code introduced later, PoCs don't trigger)
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a (v4.4.0rc1)
NOTE: Introduced by: https://gitlab.com/libtiff/libtiff/-/commit/3079627ea0dee150e6a208cec8381de611bb842b (v4.4.0rc1)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/410
CVE-2022-1622 (LibTIFF master branch has an out-of-bounds read in LZWDecode in libtif ...)
- tiff 4.4.0~rc1-1
- [bullseye] - tiff <no-dsa> (Minor issue)
[buster] - tiff <not-affected> (Vulnerable code introduced later, PoCs don't trigger)
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a (v4.4.0rc1)
NOTE: Introduced by: https://gitlab.com/libtiff/libtiff/-/commit/3079627ea0dee150e6a208cec8381de611bb842b (v4.4.0rc1)
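Review bot: CVE-2022-1622 and CVE-2022-1623 keep their `[buster] - tiff <not-affected> (Vulnerable code introduced later, PoCs don't trigger)` line and, unlike the neighbouring entries, carry no `{DLA-3278-1}` reference, which is consistent with buster being unaffected. The `NOTE: Introduced by:` line, however, points at a commit first shipped in v4.4.0rc1, while DSA-5333-1 fixes these two CVEs in bullseye's 4.2.0-1+deb11u3; it would be worth confirming in the changelog that the bullseye source actually contains the vulnerable LZWDecode code, otherwise these two entries would belong in the same `<not-affected>` category as buster rather than in the DSA.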
@@ -63760,14 +63751,12 @@ CVE-2022-1356 (cnMaestro is vulnerable to a local privilege escalation. By defau
CVE-2022-1355 (A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() ...)
{DLA-3278-1}
- tiff 4.3.0-8 (bug #1011160)
- [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/400
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/323
NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2
CVE-2022-1354 (A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFR ...)
{DLA-3278-1}
- tiff 4.3.0-7
- [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/319
NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798
CVE-2022-1353 (A vulnerability was found in the pfkey_register function in net/key/af ...)
=====================================
data/DSA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Jan 2023] DSA-5333-1 tiff - security update
+ {CVE-2022-1354 CVE-2022-1355 CVE-2022-1622 CVE-2022-1623 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-2953 CVE-2022-3570 CVE-2022-3597 CVE-2022-3599 CVE-2022-3627 CVE-2022-3636 CVE-2022-34526 CVE-2022-48281}
+ [bullseye] - tiff 4.2.0-1+deb11u3
[29 Jan 2023] DSA-5332-1 git - security update
{CVE-2022-23521 CVE-2022-24765 CVE-2022-29187 CVE-2022-39253 CVE-2022-39260 CVE-2022-41903}
[bullseye] - git 1:2.30.2-1+deb11u1
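Review bot: the DSA-5333-1 entry lists CVEs whose data/CVE/list entries are not touched by this commit (CVE-2022-2519, CVE-2022-2520, CVE-2022-2521, CVE-2022-2953, CVE-2022-3570, CVE-2022-3597, CVE-2022-3599, CVE-2022-3627, CVE-2022-3636, CVE-2022-48281); confirm that none of those entries still carries a `[bullseye] - tiff <no-dsa>` marker, since a stale marker would conflict with the fixed version 4.2.0-1+deb11u3 recorded here. Placement above DSA-5332-1 follows the file's newest-first ordering, and the date matches the DSA-5332-1 entry, so the entry itself looks well-formed.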
=====================================
data/dsa-needed.txt
=====================================
@@ -59,8 +59,6 @@ sox
--
thunderbird (jmm)
--
-tiff (aron)
---
varnish (carnil)
--
xrdp
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d53c7a9f56a0da7379d352cf1dc0045574f3986b