Comment 1 Raphael Marichez (Falco) (RETIRED) 2006-06-07 03:02:33 UTC

waiting for 3.8.3 or vendor patch

Comment 2 Raphael Marichez (Falco) (RETIRED) 2006-06-08 02:32:24 UTC

another one, same version

CVE-2006-2193 == SA20488 http://secunia.com/advisories/20488/

Description:
gpe92 has discovered a vulnerability in LibTIFF, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

The vulnerability is caused due to a boundary error within tiff2pdf when handling a TIFF file with a "DocumentName" tag that contains UTF-8 characters. This can be exploited to cause a stack-based buffer overflow and may allow arbitrary code execution.

The vulnerability has been confirmed in version 3.8.2. Other versions may also be affected.

Comment 3 Raphael Marichez (Falco) (RETIRED) 2006-06-08 03:48:04 UTC

sorry for the mistake

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) 2006-06-08 21:10:55 UTC

Debian apparently fixed this with DSA-1091-1.

Comment 5 Steve Arnold 2006-06-09 16:54:37 UTC

Created attachment 88805 [details, diff]
tiffsplit patch yanked from debian

Comment 6 Steve Arnold 2006-06-09 16:59:54 UTC

I also have a rather large patch for tiff2pdf (from upstream CVS v. 1.35, where current tiff2pdf.c from 3.8.2 corresponds to CVS v. 1.30).  It fixes bug #135021, along with several other issues, some of them security-related, eg:

revision 1.35
date: 2006/06/08 11:27:11;  author: dron;  state: Exp;  lines: +226 -155
More fixes for character type safety.
----------------------------
revision 1.34
date: 2006/06/08 10:45:35;  author: dron;  state: Exp;  lines: +8 -7
Fixed buffer overflow condition in t2p_write_pdf_string() as per bug
http://bugzilla.remotesensing.org/show_bug.cgi?id=1196
----------------------------
revision 1.33
date: 2006/04/21 15:09:34;  author: dron;  state: Exp;  lines: +92 -92
Unified line ending characters (always use '\n') as per bug
http://bugzilla.remotesensing.org/show_bug.cgi?id=1163
----------------------------
revision 1.32
date: 2006/04/20 12:36:23;  author: dron;  state: Exp;  lines: +12 -1
Properly set the binary mode for stdin stream as per bug
http://bugzilla.remotesensing.org/show_bug.cgi?id=1141

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) 2006-06-09 23:39:04 UTC

*** Bug 135021 has been marked as a duplicate of this bug. ***

Comment 8 Raphael Marichez (Falco) (RETIRED) 2006-06-18 03:25:32 UTC

Most distros have already issued advisories. We're late.
Is someone of graphic team able to patch or bump ?

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) 2006-06-30 08:50:36 UTC

Graphics please provide an updated ebuild.

Comment 10 Steve Arnold 2006-07-05 00:22:48 UTC

Sorry, I already fixed it (and even asked about it at the time).  There were several other bugs waiting...

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) 2006-07-05 02:34:56 UTC

Thx Steve.

Comment 12 Fabian Groffen 2006-07-05 09:33:40 UTC

ppc-macos stable

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) 2006-07-09 09:38:34 UTC

GLSA 200607-03