Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 276339 (CVE-2009-2285) - <media-libs/tiff-3.8.2-r7 LZWDecodeCompat() Buffer underflow (CVE-2009-2285)
Summary: <media-libs/tiff-3.8.2-r7 LZWDecodeCompat() Buffer underflow (CVE-2009-2285)
Status: RESOLVED FIXED
Alias: CVE-2009-2285
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/ubuntu/+so...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-03 08:54 UTC by Robert Buchholz (RETIRED)
Modified: 2009-08-07 11:49 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
libtiff-CVE-2009-2285.patch (libtiff-CVE-2009-2285.patch,847 bytes, patch)
2009-07-03 08:55 UTC, Robert Buchholz (RETIRED) 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-03 08:54:33 UTC 
CVE-2009-2285 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2285):
  Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2
  allows context-dependent attackers to cause a denial of service
  (crash) via a crafted TIFF image, a different vulnerability than
  CVE-2008-2327.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-03 08:55:52 UTC 
Created attachment 196475 [details, diff]
libtiff-CVE-2009-2285.patch

Patch as applied in upstream HEAD, refreshed to 3.8.2 release. Note that another patch has been applied to 3.9 branch but upstream considers this a cleaner patch.
Comment 2 Markus Meier gentoo-dev 2009-07-04 19:27:31 UTC 
bumped in cvs.

*tiff-3.8.2-r7 (04 Jul 2009)

  04 Jul 2009; Markus Meier <maekke@gentoo.org> +tiff-3.8.2-r7.ebuild,
  +files/tiff-3.8.2-CVE-2009-2285.patch:
  version bump wrt security bug #276339. this ebuild is based on
  tiff-3.8.2-r5.ebuild as opengl-support is currently broken in -r6.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-04 20:54:56 UTC 
Arches, please test and mark stable:
=media-libs/tiff-3.8.2-r7
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-06 03:03:20 UTC 
Stable for HPPA.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-06 18:05:56 UTC 
x86 stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:21:18 UTC 
ppc64 done
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:21:25 UTC 
ppc done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-07-08 14:18:56 UTC 
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 9 Markus Meier gentoo-dev 2009-07-08 20:30:57 UTC 
amd64 stable, all arches done.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-08-07 11:49:34 UTC 
GLSA 200908-03