Gentoo Bug 135881 - media-libs/tiff: <=3.8.2 : buffer overflows in tiff2pdf and in tiffsplit (CVE-2006-2193, CVE-2006-2656)

Description:

Opened: 2006-06-07 03:01 0000

Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and
earlier might might allow attackers to execute arbitrary code via a long
filename.

------- Comment #2 From Raphael Marichez 2006-06-08 02:32:24 0000 -------

another one, same version

CVE-2006-2193 == SA20488 http://secunia.com/advisories/20488/

Description:
gpe92 has discovered a vulnerability in LibTIFF, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially compromise
a user's system.

The vulnerability is caused due to a boundary error within tiff2pdf when
handling a TIFF file with a "DocumentName" tag that contains UTF-8 characters.
This can be exploited to cause a stack-based buffer overflow and may allow
arbitrary code execution.

The vulnerability has been confirmed in version 3.8.2. Other versions may also
be affected.

------- Comment #5 From Steve Arnold 2006-06-09 16:54:37 0000 -------

Created an attachment (id=88805) [details]
tiffsplit patch yanked from debian

------- Comment #6 From Steve Arnold 2006-06-09 16:59:54 0000 -------

I also have a rather large patch for tiff2pdf (from upstream CVS v. 1.35, where
current tiff2pdf.c from 3.8.2 corresponds to CVS v. 1.30).  It fixes bug
#135021, along with several other issues, some of them security-related, eg:

revision 1.35
date: 2006/06/08 11:27:11;  author: dron;  state: Exp;  lines: +226 -155
More fixes for character type safety.
----------------------------
revision 1.34
date: 2006/06/08 10:45:35;  author: dron;  state: Exp;  lines: +8 -7
Fixed buffer overflow condition in t2p_write_pdf_string() as per bug
http://bugzilla.remotesensing.org/show_bug.cgi?id=1196
----------------------------
revision 1.33
date: 2006/04/21 15:09:34;  author: dron;  state: Exp;  lines: +92 -92
Unified line ending characters (always use '\n') as per bug
http://bugzilla.remotesensing.org/show_bug.cgi?id=1163
----------------------------
revision 1.32
date: 2006/04/20 12:36:23;  author: dron;  state: Exp;  lines: +12 -1
Properly set the binary mode for stdin stream as per bug
http://bugzilla.remotesensing.org/show_bug.cgi?id=1141

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-06-09 23:39:04 0000 -------

*** Bug 135021 has been marked as a duplicate of this bug. ***

------- Comment #8 From Raphael Marichez 2006-06-18 03:25:32 0000 -------

Most distros have already issued advisories. We're late.
Is someone of graphic team able to patch or bump ?

------- Comment #10 From Steve Arnold 2006-07-05 00:22:48 0000 -------

Sorry, I already fixed it (and even asked about it at the time).  There were
several other bugs waiting...

Filename	Description	Type	Creator	Created	Size	Actions
tiff-3.8.2-tiffsplit.patch	tiffsplit patch yanked from debian	patch	Steve Arnold	2006-06-09 16:54 0000	646 bytes	Details \| Diff
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 135881 depends on:	135021		Show dependency tree
Bug 135881 blocks:			Show dependency tree

Bugzilla Bug 135881

media-libs/tiff: <=3.8.2 : buffer overflows in tiff2pdf and in tiffsplit (CVE-2006-2193, CVE-2006-2656)

Last modified: 2006-07-09 09:38:34 0000