Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
OpenPKG found those packages containing a vulnerable libtiff. We *might* be affected as well : pdflib 6.0.0p1 (http://www.pdflib.com/) contains an embedded libtiff version 3.6.1, but unfortunately a rather heavy adjusted one. So, large parts of the existing patches do not apply. wxGTK 2.4.2 (http://www.wxwidgets.org/) contains libtiff version 3.5.201 Povray 3.6.1 (http://www.povray.org/) contains libtiff version 3.6.1
Preanalysis for povray : povray-3.5 (stable) is not vulnerable [linked dynamically to libtiff] checking for TIFFSetWarningHandler in -ltiff... yes # ldd /usr/bin/povray | grep tiff libtiff.so.3 => /usr/lib/libtiff.so.3 (0x40096000) povray-3.6.1 (~) is vulnerable if built while an old libtiff was installed [builds its own libtiff and statically links to it] : checking for library containing TIFFGetVersion... -ltiff checking tiffio.h usability... yes checking tiffio.h presence... yes checking for tiffio.h... yes checking for libtiff version >= 3.6.1... 3.5.7, bad configure: libtiff will be built and statically linked to POV-Ray
Preanalysis for wxGTK : Looks dynamically linked to me : # ldd /usr/lib/libwx_gtk2* | grep libtiff libtiff.so.3 => /usr/lib/libtiff.so.3 (0x409a8000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x409a8000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x409a8000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x404d2000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x404d2000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x404d2000)
Preanalysis for pdflib: Current version doesn't depend on tiff... and includes libtiff files. So it's probably vulnerable. If it's as adjusted as the OpenPKG guy says, we might have difficulties patching this.
Pulling in morfic to fix povray : povray-3.6.1 includes a vulnerable libtiff, and it compiles it statically in povray if the shared tiff library at compile time is <3.6.1. So I think we need to force a tiff>=3.6.1 dep on povray-3.6.1 (+ revbump to force upgrade) so as to to be sure it won't contain a vulnerable tiff library in any case. Please note this is still confidential, pending OpenPKG advisory release.
About pdflib, could klieber or solar ask on vendor-sec if OpenPKG has already reported the issue upstream ? Given the customized nature of their libtiff it's quite dangerous to try to apply libtiff patches directly, and I think they should know. They will probably only patch pdflib6, but hopefully their patches could be applied to pdflib5 too.
wxGTK is public, created another bug to fix/dismiss it.
morfic: please fix povray as per comment #4 Created bug 69043 to track pdflib specifically.
povray-3.6.1-r1 is in portage, povray-3.6.1 is removed
Affected version is in ~ so no GLSA issued
