
Bug 276339 (CVE-2009-2285)

Summary: <media-libs/tiff-3.8.2-r7 LZWDecodeCompat() Buffer underflow (CVE-2009-2285)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: graphics+disabled, nerdboy
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/380149
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
  libtiff-CVE-2009-2285.patch (flags: none)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-03 08:54:33 UTC
CVE-2009-2285 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2285):
  Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2
  allows context-dependent attackers to cause a denial of service
  (crash) via a crafted TIFF image, a different vulnerability than
  CVE-2008-2327.
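
The summary line states the affected range as the Portage atom "<media-libs/tiff-3.8.2-r7": every media-libs/tiff version below 3.8.2-r7 is vulnerable, 3.8.2-r7 and later are not. The following is an added example (not code from this bug, from Gentoo, or from libtiff) showing how to evaluate such an atom against installed package versions. It uses a simplified version comparison written for this page (numeric components plus an optional -rN revision), not Portage's own vercmp(), and the installed-package list it checks is constructed for the example.

```python
"""
Added example (not part of the Gentoo bug, Portage, or libtiff): evaluate the
affected-range atom from the bug summary, "<media-libs/tiff-3.8.2-r7",
against installed category/package-version strings.

Assumption: a simplified Portage-style version comparison covering only
numeric components and an optional "-rN" revision, which is all the versions
named on this page use. This is not Portage's vercmp().
"""
import re

AFFECTED_ATOM = "<media-libs/tiff-3.8.2-r7"

# operator (optional), category, package, version; the version must start
# with a digit so the non-greedy package name stops at the right hyphen.
ATOM_RE = re.compile(
    r"^(?P<op>[<>=]=?|~)?(?P<cat>[^/]+)/(?P<pkg>[A-Za-z0-9+_-]+?)"
    r"-(?P<ver>\d[\d.]*(?:-r\d+)?)$"
)
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")


def parse_version(version):
    """'3.8.2-r7' -> ((3, 8, 2), 7); '3.8.2' -> ((3, 8, 2), 0)."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return numbers, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Numeric components compare as tuples (so a longer version with an equal
    prefix counts as higher: 3.9 < 3.9.0), then the -rN revision decides.
    """
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    if na != nb:
        return -1 if na < nb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def parse_atom(atom):
    """'<media-libs/tiff-3.8.2-r7' -> ('<', 'media-libs/tiff', '3.8.2-r7').

    A bare installed package string such as 'media-libs/tiff-3.8.2-r5'
    parses the same way with operator None.
    """
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom!r}")
    return m.group("op"), f"{m.group('cat')}/{m.group('pkg')}", m.group("ver")


def is_vulnerable(installed_cpv, affected_atom=AFFECTED_ATOM):
    """True if installed_cpv is the atom's package and falls inside its range."""
    op, cp, ver = parse_atom(affected_atom)
    _, inst_cp, inst_ver = parse_atom(installed_cpv)
    if inst_cp != cp:
        return False
    c = compare_versions(inst_ver, ver)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0,
            ">=": c >= 0, ">": c > 0}[op]


def affected_packages(installed_cpvs, affected_atom=AFFECTED_ATOM):
    """Filter a list of installed category/package-version strings."""
    return [cpv for cpv in installed_cpvs if is_vulnerable(cpv, affected_atom)]


# Constructed sample of installed packages (hypothetical, not from any host).
SAMPLE_INSTALLED = [
    "media-libs/tiff-3.8.2-r5",   # below 3.8.2-r7: affected
    "media-libs/tiff-3.8.2-r7",   # the fixed revision from this bug
    "media-libs/tiff-3.9.2",      # not matched by the atom
    "media-libs/libpng-1.2.39",   # different package
]

if __name__ == "__main__":
    for cpv in affected_packages(SAMPLE_INSTALLED):
        print(f"{cpv} matches {AFFECTED_ATOM}")
```

The real installed versions on a Gentoo host are the directory names under /var/db/pkg/<category>/; feeding those strings to affected_packages() gives the same answer this example computes for its constructed list.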
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-03 08:55:52 UTC
Created attachment 196475 [details, diff]
libtiff-CVE-2009-2285.patch

Patch as applied in upstream HEAD, refreshed to 3.8.2 release. Note that another patch has been applied to 3.9 branch but upstream considers this a cleaner patch.
Comment 2 Markus Meier gentoo-dev 2009-07-04 19:27:31 UTC
bumped in cvs.

*tiff-3.8.2-r7 (04 Jul 2009)

  04 Jul 2009; Markus Meier <maekke@gentoo.org> +tiff-3.8.2-r7.ebuild,
  +files/tiff-3.8.2-CVE-2009-2285.patch:
  version bump wrt security bug #276339. this ebuild is based on
  tiff-3.8.2-r5.ebuild as opengl-support is currently broken in -r6.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-04 20:54:56 UTC
Arches, please test and mark stable:
=media-libs/tiff-3.8.2-r7
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-06 03:03:20 UTC
Stable for HPPA.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-06 18:05:56 UTC
x86 stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:21:18 UTC
ppc64 done
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:21:25 UTC
ppc done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-07-08 14:18:56 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 9 Markus Meier gentoo-dev 2009-07-08 20:30:57 UTC
amd64 stable, all arches done.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-08-07 11:49:34 UTC
GLSA 200908-03