75213 2004-12-21 10:42 0000 media-libs/tiff: version 3.7.1 fixes integer overflows 2005-01-12 17:46:57 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED A2 [glsa] koon P2 major --- 75423 1 koon@gentoo.org security@gentoo.org nerdboy@gentoo.org koon@gentoo.org 2004-12-21 10:42:44 0000 Two iDEFENSE advisories should go out soon : - libtiff STRIPOFFSETS Integer Overflow Vulnerability - LibTIFF Directory Entry Count Integer Overflow Vulnerability Both are fixed in upstream release 3.7.1 nerdboy: This is still semi-public, so please don't talk about it (should be public in a few hours) but please submit a new 3.7.1 ebuild silently referencing this bug. koon@gentoo.org 2004-12-21 11:04:05 0000 Note to self, this might also affect : - PDFLib (includes modified libtiff) - kfax (includes libtiff code) - xv (might need to be rebuilt with a new libtiff.a) nerdboy@gentoo.org 2004-12-21 14:41:02 0000 Okay, new ebuild going in portage now. Should I remove the old ones and mark the new 3.7.1 version stable on all arches? I'm about to commit it as ~arch, and I'll be right back after I go turn the grades in... lewk@gentoo.org 2004-12-21 14:51:25 0000 This issue is now public http://www.idefense.com/application/poi/display?id=174 arches, please mark stable. kingtaco@gentoo.org 2004-12-21 16:55:22 0000 stable on amd64 gustavoz@gentoo.org 2004-12-22 05:01:10 0000 sparc stable. koon@gentoo.org 2004-12-22 07:28:11 0000 Hmm I think we'll hold on this one a little. Apparently the 'libtiff STRIPOFFSETS Integer' is a subset of CAN-2004-0886 that has already been fixed by GLSA 200410-11. The other one would not be exploitable except for a crash. However there is another one coming. Removing arches for the time being, as we probably will commit a -r1 with a patch. nerdboy@gentoo.org 2004-12-22 11:12:18 0000 I'm not sure how to link these in bugzilla, but this bug 75316 seems to have been introduced with the new 3.7.1 release. I'm still researching it, so that's all I know so far. koon@gentoo.org 2004-12-23 02:49:06 0000 Test image for the "LibTIFF Directory Entry Count Integer Overflow" Vulnerability ftp://ftp.altlinux.org/pvt/people/ldv/1x1.tiff koon@gentoo.org 2004-12-27 09:10:23 0000 LibTIFF Directory Entry Count Integer Overflow Vulnerability is CAN-2004-1308, see DSA 617-1. If work doesn't progress on the other libtiff-related vuln, we'll probably go on and release an updated tiff with only this one. Steve, you might prefer us to wait so that you get time to sort out bug 75316 before we start asking arches to test again. Keep us posted. koon@gentoo.org 2005-01-01 11:31:52 0000 No progress on the other security issue, better unblocking this one. Calling back arches to test and mark stable. Please pay special attention to possible transparency issues to see if you reproduce bug 75316. nerdboy@gentoo.org 2005-01-01 20:36:09 0000 The transparency bug has bitten at least two windowmaker users (confirmed via independent tools) so if you can, it might be better to wait and get it all sorted out at once. I'm not sure if transparent faxes are a big deal, but there are probably other applications with a bigger need for transparency than security is a risk. Or we can do it piece-meal... corsair@gentoo.org 2005-01-02 06:44:39 0000 stable on ppc64 kloeri@gentoo.org 2005-01-02 08:00:21 0000 Stable on alpha. nerdboy@gentoo.org 2005-01-02 18:21:04 0000 Fixes for both 75316 and 75423 are in -r1. I guess everyone gets to test and mark stable as you can. Thanks in advance. koon@gentoo.org 2005-01-03 00:29:28 0000 Arches: please test and mark 3.7.1-r1 stable. It's just 3.7.1 + a bugfix on the transparency issue and a fix on the tiffdump utility. corsair@gentoo.org 2005-01-03 00:52:49 0000 stable on ppc64 josejx@gentoo.org 2005-01-03 05:08:36 0000 Tested and marked ppc stable. gustavoz@gentoo.org 2005-01-03 06:33:33 0000 sparc stable. tester@gentoo.org 2005-01-03 21:26:30 0000 x86 there hardave@gentoo.org 2005-01-04 01:03:36 0000 Stable on mips. kloeri@gentoo.org 2005-01-04 02:34:05 0000 Stable on alpha. eradicator@gentoo.org 2005-01-04 04:47:58 0000 stable amd64. j4rg0n@gentoo.org 2005-01-04 18:12:28 0000 Stable ppc-macos. koon@gentoo.org 2005-01-05 14:08:42 0000 GLSA 200501-06 arm hppa ia64 s390 : please remember to mark stable to benefit from GLSA.