From ${URL} : Pedro Ribeiro has recently reported the following five security flaws being present in the tools of the TIFF library:

[1] http://www.asmail.be/msg0055359936.html

While they are present in the tools (=> not as urgent as they would be in the library itself), there have been CVE ids assigned in the past for TIFF library tools issues too. To mention some examples:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3401

Since there don't seem to be CVE identifiers assigned for these [1] issues yet, could you allocate them?

FWIW regarding the patches and upstream bugs: if my information is up to date, there aren't upstream bugs and patches for these issues yet.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly whether it is ready for stabilization or not.
in tree: +*tiff-4.0.3-r4 (23 Aug 2013) +*tiff-4.0.3-r5 (23 Aug 2013) + + 23 Aug 2013; Samuli Suominen <ssuominen@gentoo.org> + +files/tiff-4.0.3-CVE-2013-4231.patch, +files/tiff-4.0.3-CVE-2013-4232.patch, + +tiff-4.0.3-r4.ebuild, +tiff-4.0.3-r5.ebuild: + Fix for CVE-2013-4231 (and CVE-2013-4232) from upstream. See security bug + #480466. The -r4 is for stabilization without multilib-minimal.eclass usage.
Arches, please test and stabilize: =media-libs/tiff-4.0.3-r4 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Stable for HPPA.
amd64 stable
x86 stable
ppc64 stable
arm stable
ppc stable
alpha stable
ia64 stable
s390 stable
sh stable
sparc stable
Thanks for your work. GLSA request filed.
CVE-2013-4232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4232): Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image.
M68K is no longer a stable arch; removing it from the CC list.
CVE-2013-4231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4231): Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size.
This issue was resolved and addressed in GLSA 201402-21 at http://security.gentoo.org/glsa/glsa-201402-21.xml by GLSA coordinator Chris Reffett (creffett).