Bug 410931 (CVE-2012-1173) - <media-libs/tiff-{3.9.5-r2,4.0.1-r1}: "gtTileSeparate()" Integer Overflow Vulnerability (CVE-2012-1173)
Summary: <media-libs/tiff-{3.9.5-r2,4.0.1-r1}: "gtTileSeparate()" Integer Overflow Vul...
Status: RESOLVED FIXED
Alias: CVE-2012-1173
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48684/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2012-04-05 19:26 UTC by Agostino Sarubbo
Modified: 2012-09-23 18:46 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2012-04-05 19:26:57 UTC
From Secunia security advisory at $URL:

Description
A vulnerability has been reported in LibTIFF, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused by an integer overflow error in the "gtTileSeparate()" function (libtiff/tif_getimage.c) when parsing images. This can be exploited to cause a heap-based buffer overflow via a specially crafted image.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 3.9.4. Other versions may also be affected.


Solution
Unpatched



This vulnerability is also confirmed in the latest upstream stable version (4.0.1).
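The advisory above describes the bug class only in words: a tile geometry declared in the file feeds an unchecked multiplication, the product wraps, and the resulting buffer is too small for the tile that is later decoded into it. The following is an added illustration of that size computation and of the overflow check a hardened reader needs; it is not libtiff's own code, and the function names, the 32-bit width and the sample geometries are assumptions made here for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Checked multiply in the 32-bit width of the size computation. Returns 0
 * when the product would not fit, so the caller can reject the file instead
 * of under-allocating. Hypothetical helper, not libtiff's own code. */
static uint32_t mul_u32_checked(uint32_t a, uint32_t b)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;                       /* product exceeds UINT32_MAX */
    return a * b;
}

/* Unchecked arithmetic of the kind the advisory describes: the product wraps
 * silently, so a crafted tile geometry can yield a buffer far smaller than
 * the decoded tile that is later written into it. */
uint32_t tile_buffer_size_unchecked(uint32_t tile_w, uint32_t tile_l,
                                    uint32_t bytes_per_px)
{
    return tile_w * tile_l * bytes_per_px;
}

/* Hardened variant: every intermediate product is checked; 0 means "reject
 * this file", which the caller must treat as an error, not as a size. */
uint32_t tile_buffer_size_checked(uint32_t tile_w, uint32_t tile_l,
                                  uint32_t bytes_per_px)
{
    uint32_t pixels = mul_u32_checked(tile_w, tile_l);
    if (pixels == 0)
        return 0;
    return mul_u32_checked(pixels, bytes_per_px);
}

/* Constructed sample geometries: a normal 256x256 RGBA tile, and an oversized
 * tile whose byte count wraps to exactly the same 262144 in 32-bit arithmetic. */
int main(void)
{
    printf("256x256x4:     unchecked=%u checked=%u\n",
           tile_buffer_size_unchecked(256, 256, 4),
           tile_buffer_size_checked(256, 256, 4));
    printf("65536x16385x4: unchecked=%u checked=%u\n",
           tile_buffer_size_unchecked(65536, 16385, 4),
           tile_buffer_size_checked(65536, 16385, 4));
    return 0;
}
```

The unchecked path allocates 262144 bytes for a tile of over four billion bytes, which is the heap-based buffer overflow the advisory refers to; the checked path returns 0 and the reader refuses the image.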
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-04-06 17:16:37 UTC
@security: Notice that tiff now also has 2 SLOTs, of which the old one is binary-only like libpng. So we need to patch 2 SLOTs. This is for 3.9.5 from Fedora:

http://pkgs.fedoraproject.org/gitweb/?p=libtiff.git;a=blob_plain;f=libtiff-CVE-2012-1173.patch;hb=HEAD
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2012-04-06 17:42:40 UTC
Test & stabilize:

=media-libs/tiff-3.9.5-r2 "amd64 x86" (special binary only slot, with only 1 depend in tree, only amd64 and x86 need this)

=media-libs/tiff-4.0.1-r1 "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-04-06 19:30:58 UTC
amd64 stable
Comment 4 Dan Dexter 2012-04-07 00:01:28 UTC
Archtested on x86: Everything OK.

For both media-libs/tiff-3.9.5-r2 and media-libs/tiff-4.0.1-r1:
- Both compile successfully.
- Rdeps successfully compile and test phases pass.
- Performed manual runtime testing of several applications that link against media-libs/tiff, all function appropriately.
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-04-07 04:59:01 UTC
x86 stable, thanks Dan
Comment 6 Markus Meier gentoo-dev 2012-04-07 15:02:38 UTC
arm stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-08 16:59:17 UTC
Stable for HPPA.
Comment 8 Brent Baude (RETIRED) gentoo-dev 2012-04-16 17:06:46 UTC
ppc done
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-04-17 21:20:12 UTC
ppc64 done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-04-21 16:57:18 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-21 19:46:07 UTC
Thanks, everyone. Already on existing GLSA request which is ready for review.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 19:13:22 UTC
CVE-2012-1173 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1173):
  Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote
  attackers to execute arbitrary code via a crafted tile size in a TIFF file,
  which is not properly handled by the (1) gtTileSeparate or (2)
  gtStripSeparate function, leading to a heap-based buffer overflow.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 18:46:27 UTC
This issue was resolved and addressed in
 GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml
by GLSA coordinator Sean Amoss (ackle).