← Back to branch summary

~ubuntu-security/ubuntu-cve-tracker/master 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

PublicDateAtUSN: 2014-12-31
Candidate: CVE-2014-8127
PublicDate: 2017-06-26
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
 http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
 http://www.ubuntu.com/usn/usn-2553-1
Description:
 LibTIFF 4.0.3 allows remote attackers to cause a denial of service
 (out-of-bounds read and crash) via a crafted TIFF image to the (1)
 checkInkNamesString function in tif_dir.c in the thumbnail tool, (2)
 compresscontig function in tiff2bw.c in the tiff2bw tool, (3)
 putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool,
 LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither
 tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7)
 TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the
 tiffset tool.
Ubuntu-Description:
Notes:
 mdeslaur> usn-2553-1 didn't actually fix the issue in bug #2500 as no
 mdeslaur> patch was available at the time of publication. A future update
 mdeslaur> will include a patch for the issue.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776185
 http://bugzilla.maptools.org/show_bug.cgi?id=2484 (thumbnail)
 http://bugzilla.maptools.org/show_bug.cgi?id=2485 (tiff2bw)
 http://bugzilla.maptools.org/show_bug.cgi?id=2486 (tiff2rgba)
 http://bugzilla.maptools.org/show_bug.cgi?id=2496 (tiff2ps and tiffdither)
 http://bugzilla.maptools.org/show_bug.cgi?id=2497 (tiffmedian)
 http://bugzilla.maptools.org/show_bug.cgi?id=2500 (tiffset) [not fixed yet in CVS HEAD]
Priority: medium
Discovered-by: William Robinet
Assigned-to: mdeslaur

Patches_tiff:
 upstream: https://github.com/vadz/libtiff/commit/3996fa0f84f4a8b7e65fe4b8f0681711022034ea (2484)
 upstream: https://github.com/vadz/libtiff/commit/0782c759084daaf9e4de7ee6be7543081823455e (2485)
 upstream: https://github.com/vadz/libtiff/commit/662f74445b2fea2eeb759c6524661118aef567ca (2486)
 upstream: https://github.com/vadz/libtiff/commit/1f7359b00663804d96c3a102bcb6ead9812c1509 (2496 and 2497)
upstream_tiff: needs-triage
lucid_tiff: released (3.9.2-2ubuntu0.15)
precise_tiff: released (3.9.5-2ubuntu1.7)
trusty_tiff: released (4.0.3-7ubuntu0.2)
utopic_tiff: released (4.0.3-10ubuntu0.1)
devel_tiff: released (4.0.3-12.3ubuntu1)