Debian-LTS alert DLA-221-1 (tiff)
| From: | Ben Hutchings <benh@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 221-1] tiff security update |
| Date: | Sat, 16 May 2015 02:31:54 +0100 |
| Message-ID: | <1431739914.6315.135.camel@debian.org> |
Package        : tiff
Version        : 3.9.4-5+squeeze12
CVE ID         : CVE-2014-8128 CVE-2014-8129 CVE-2014-9330 CVE-2014-9655
Debian Bug     : 773987

Several vulnerabilities have been discovered in the LibTIFF library and
utilities for the Tag Image File Format. These could lead to a denial of
service, information disclosure or privilege escalation.

CVE-2014-8128

    William Robinet discovered that out-of-bounds writes are triggered in
    several of the LibTIFF utilities when processing crafted TIFF files.
    Other applications using LibTIFF are also likely to be affected in the
    same way.

CVE-2014-8129

    William Robinet discovered that out-of-bounds reads and writes are
    triggered in tiff2pdf when processing crafted TIFF files. Other
    applications using LibTIFF are also likely to be affected in the same
    way.

CVE-2014-9330

    Paris Zoumpouloglou discovered that out-of-bounds reads and writes are
    triggered in bmp2tiff when processing crafted BMP files.

CVE-2014-9655

    Michal Zalewski discovered that out-of-bounds reads and writes are
    triggered in LibTIFF when processing crafted TIFF files.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 3.9.4-5+squeeze12.

For the oldstable distribution (wheezy), these problems will be fixed
soon.

The stable distribution (jessie) was not affected by these problems as
they were fixed before release.

--
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
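The practical question for anyone reading an advisory like this is whether the tiff package on a given squeeze host is at or past 3.9.4-5+squeeze12. The script below is an added example, not part of the advisory or of Debian's tooling: it ports the Debian policy version ordering (epoch, then upstream version, then Debian revision; digit runs compared numerically, non-digit runs lexically with letters before other characters and "~" sorting before everything, including the end of the string) so that a version string pulled from an inventory or a dpkg database can be compared against the fixed version without relying on dpkg being present. The version strings in the main block are constructed samples, not values from a real system; on a Debian host itself, `dpkg --compare-versions` performs the same comparison.

```python
"""Check whether a Debian tiff version is at or past the DLA-221-1 fix.

Added example: a pure-Python port of the version ordering rules dpkg uses.
"""

# Fixed version for squeeze, taken from the advisory.
FIXED_SQUEEZE = "3.9.4-5+squeeze12"


def _is_digit(c):
    return c is not None and "0" <= c <= "9"


def _order(c):
    """Sort weight of one character inside a non-digit run (dpkg's order())."""
    if c is None or _is_digit(c):
        return 0              # end of string and digits weigh 0
    if c.isalpha():
        return ord(c)         # letters sort before non-letters
    if c == "~":
        return -1             # tilde sorts before everything, even end of string
    return ord(c) + 256       # other punctuation sorts after letters


def _cmp_fragment(a, b):
    """Compare two version fragments (upstream or revision part): -1, 0 or 1."""
    def at(s, k):
        return s[k] if k < len(s) else None

    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using _order().
        while (at(a, i) is not None and not _is_digit(at(a, i))) or \
              (at(b, j) is not None and not _is_digit(at(b, j))):
            diff = _order(at(a, i)) - _order(at(b, j))
            if diff:
                return -1 if diff < 0 else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        first_diff = 0
        while _is_digit(at(a, i)) and _is_digit(at(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _is_digit(at(a, i)):
            return 1          # a has more digits left, so its number is larger
        if _is_digit(at(b, j)):
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def is_fixed(installed, fixed=FIXED_SQUEEZE):
    """True when the installed version is the fixed version or newer."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ["3.9.4-5+squeeze11", "3.9.4-5+squeeze12",
              "3.9.4-5+squeeze12~bpo60+1", "3.9.5-1"]:
        print(f"{v:28} fixed={is_fixed(v)}")
```

The tilde case is the one most often got wrong by ad-hoc string comparison: a backport-style version such as 3.9.4-5+squeeze12~bpo60+1 sorts below 3.9.4-5+squeeze12 and is therefore reported as unfixed, which is the correct answer under Debian's rules.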
