Bug 129675 - media-libs/tiff: <3.8.1 several vulns: DoS, int. overflow, double-free vuln (CVE-2006-202[456], CVE-2006-2120)
Bug#: 129675
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: falco@gentoo.org
Component: Vulnerabilities
URL: http://bugzilla.remotesensing.org/show_bug.cgi?id=1102
Summary: media-libs/tiff: <3.8.1 several vulns: DoS, int. overflow, double-free vuln (CVE-2006-202[456], CVE-2006-2120)
Keywords:
Status Whiteboard: A2 [glsa] Falco
Opened: 2006-04-12 03:59 0000
As said in http://bugzilla.remotesensing.org/show_bug.cgi?id=1102, tiffinfo
crashes with the proposed files.
My tiff-3.7.3 (last stable, x86) is affected.
kuickshow, and xzgv totally crash.
gv, Gimp and konqueror can't display the picture but they recover the error and
they don't crash.
My Firefox doesn't display the picture at all.
However, it may be possible to send a special .tiff file via a mail or a web
server and to cause the client's application to crash. Since I wasn't able to
find an example of a mail application or web application crashing, please check
if this is possible.
Thanks to ed who pointed the bug out to us.
graphics / taviso: care to patch?
Ccing marienz as he did a recent tiff bump.
Marien: Does it include this vulnerability fix?
A tiff bump? Me? :)
The only thing I committed to tiff was a digest fix for bug 131396. For bumps
you want vapier or before that sekretarz.
Hi;
Other vulns are related to the original one, including possible code execution.
See SA-19838 http://secunia.com/advisories/19838/
It's not a B3 anymore, it's an A2.
it seems hard to "grep" the different patches from the CVS tree.
3.8.1 is out since a while and corrects the vuln.
3.8.2 is in portage and ~arched.
Graphics team, do you want to mark stable 3.8.2 or (introduce in portage and)
mark stable 3.8.1?
Hi all, I've merged the diff from debian [1] correcting CVE-2006-202[456], and
the one from Red Hat [2] correcting CVE-2006-2120. Debian hasn't corrected
CVE-2006-2120 issue, don't ask me why.
Please verify this patch and add it to portage, then mark stable either 3.8.1,
or 3.7.3/3.7.4 patched.
amd64, ppc, sparc, x86: 3.7.4
alpha, hppa, ppc64, sh: 3.7.3
arches, please test and mark 3.8.2 stable, thank you
I unkeyworded media-libs/tiff-3.8.2, and emerged it with collision-protect.
Builds fine on x86.
Runtime testcase I made was,
wget ftp://ftp.remotesensing.org/pub/libtiff/pics-3.8.0.tar.gz
tar xfvz pics-3.8.0.tar.gz
cd libtiffpic
tiff2pdf g3test.tif > g3test.pdf
And verified conversion went okay with PDF reader. Good to go stable on x86.
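The runtime test above checks one conversion by hand. The following added script (not from this bug report or the tiff package) wraps that kind of test so that a tool dying from a signal, the outcome that matters for a DoS bug like this one, is told apart from a clean non-zero exit where the tool simply rejected the file. It assumes a libtiff tool such as tiffinfo or tiff2pdf is on PATH and a directory of sample .tif files, such as the libtiffpic set unpacked above.

```shell
#!/bin/sh
# Added example: crash-detecting harness for libtiff command-line tools.
# A process killed by a signal is reported by the shell as 128+signal,
# which is what separates a crash from an ordinary parse error.

# classify_status STATUS: print ok / error / crash for an exit status
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -gt 128 ]; then
        echo crash      # 128+N means the tool died from signal N
    else
        echo error      # tool exited cleanly but refused the input
    fi
}

# check_file TOOL FILE: run TOOL on FILE, output discarded, print the class.
# The if/else keeps a failing tool from aborting a 'set -e' caller.
check_file() {
    if "$1" "$2" >/dev/null 2>&1; then st=0; else st=$?; fi
    classify_status "$st"
}

# run_tiff_tests TOOL DIR: check every *.tif in DIR; return 1 if any crashed
run_tiff_tests() {
    tool=$1; dir=$2; crashes=0
    for f in "$dir"/*.tif; do
        [ -e "$f" ] || continue
        r=$(check_file "$tool" "$f")
        printf '%s: %s\n' "$f" "$r"
        [ "$r" = crash ] && crashes=$((crashes + 1))
    done
    [ "$crashes" -eq 0 ]
}
```

For the test case in this bug, `run_tiff_tests tiffinfo libtiffpic` should report no crash once the fixed tiff is installed; a "crash" line is the signal to look at.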
Portage 2.0.54-r2 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.6-r3,
2.6.16-gentoo-r4 i686)
=================================================================
System uname: 2.6.16-gentoo-r4 i686 AMD Athlon(tm) XP 2200+
Gentoo Base System version 1.6.14
dev-lang/python: 2.4.2
dev-python/pycrypto: [Not Present]
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe -g"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/X11/xkb"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -O2 -pipe -g"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo/"
LANG="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://trumpetti.atm.tut.fi/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac alsa apm audiofile avi berkdb bitmap-fonts
bzip2 cli crypt dri emboss encode expat fam ffmpeg flac foomaticdb fortran gdbm
gif gstreamer gtk gtk2 id3 imagemagick imlib ipv6 isdnlog jpeg libg++ libwww
mad mikmod mmx mmxext motif mp3 mp4live mpeg mpeg2 musicbrainz ncurses nptl
nptlonly ogg opengl oss pam pcre pdflib perl pic player png pppd python
quicktime readline reflection sdk sdl session spl sse ssl tcltk tcpd theora
tiff truetype truetype-fonts type1-fonts udev unicode userlocales vorbis
win32codecs xine xml xml2 xorg xv xvid zlib userland_GNU kernel_linux
elibc_glibc"
Unset: CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, LINGUAS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS, PORTDIR_OVERLAY
Marked stable on x86, and versions prior to 3.7.3 removed. Still several
arches to go (which I can't test on) for complete stable on 3.8.2...
compnerd: pretty pretty please let the x86 team handle our bugs in the future
:)
Thanks
Err, and by compnerd, I mean nerdboy...for some reason, I always mix you two
up...
Sorry about bugspam, removing CC..
GLSA 200605-17
Thanks everybody