guix-devel

Libtiff CVE-2016-5652


From: Leo Famulari
Subject: Libtiff CVE-2016-5652
Date: Sat, 29 Oct 2016 19:41:32 -0400
User-agent: Mutt/1.7.1 (2016-10-04)

I read this 3rd-party security advisory about libtiff:

http://blog.talosintel.com/2016/10/LibTIFF-Code-Execution.html

This patch fixes CVE-2016-5652, which is a buffer overflow with
potential for remote code execution.

You can easily view the commit in this unofficial Git mirror of the
libtiff CVS repo:
https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63

Unfortunately, that's the closest thing to an "official" upstream
reference to the bug that is viewable in a web browser that I can find.

I had to also take the previous change to the affected file, since the
bug fix commit depended on those changes.

This patched libtiff does _seem_ to work properly; I viewed a TIFF file
with it.

One of the bugs in that Talos advisory, CVE-2016-8331, is apparently
still not fixed upstream. And CVE-2016-5875 appears to me to be fixed by
our patch for CVE-2016-5314 [0].

[0]
http://bugzilla.maptools.org/show_bug.cgi?id=2554

Attachment: 0001-gnu-libtiff-Fix-CVE-2016-5652.patch
Description: Text document

Attachment: signature.asc
Description: PGP signature

