A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF image to PDF document conversion tool of libtiff (a library of functions for manipulating TIFF (Tagged Image File Format) image files), performed a write of TIFF image content into a particular PDF document file when a not properly initialized T2P context struct pointer had been provided by tiff2pdf (the application requesting the conversion) as one of the parameters for the routine performing the write. A remote attacker could provide a specially-crafted TIFF image file that, when processed by tiff2pdf, would lead to a tiff2pdf executable crash or, potentially, arbitrary code execution with the privileges of the user running the tiff2pdf binary. This issue has been assigned CVE-2012-3401.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=837577
The relevant patch for the issue has been applied to the upstream libtiff-4.0.2 branch.
Reproducible: Always
Thanks for the report, taaroa. From oss-sec mailing list thread (http://www.openwall.com/lists/oss-security/2012/07/19/4): "I know that 3.9.x upto the latest 4.0.2 are affected. Older versions may be affected as well, i am not sure about that."
CVE-2012-3401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3401): The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow.
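The CVE text above describes a context struct that is left in a partly initialized state on an error path and then handed to a routine that writes into it. The following C example is added here to illustrate that bug class and its defensive counterpart; it is not libtiff's code, and the names `conv_ctx`, `img_hdr`, `ctx_new`, `ctx_init`, `ctx_write` and `convert` are assumptions made for this illustration. The defensive points are: allocate the context zeroed so no field is ever stale, mark the context as failed on every rejection path, and have the writer refuse a context that is not fully initialized and bound its copy by the capacity the context recorded.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical conversion context (an assumption for this example, not
 * libtiff's T2P struct): the writer relies on out/out_len being valid. */
typedef struct {
    int      error;    /* set on any failed initialisation step */
    uint32_t width;
    uint32_t height;
    size_t   out_len;  /* capacity of out, the only bound the writer trusts */
    uint8_t *out;      /* heap buffer allocated during init */
} conv_ctx;

/* Constructed minimal "image header": width, height, samples per pixel. */
typedef struct {
    uint32_t width, height, spp;
} img_hdr;

/* calloc rather than malloc: every field has a defined value even if
 * initialisation bails out before filling it in. */
conv_ctx *ctx_new(void) {
    return calloc(1, sizeof(conv_ctx));
}

/* Initialise from the header. Every rejection leaves error=1 and
 * out=NULL/out_len=0 instead of a half-filled context. */
int ctx_init(conv_ctx *ctx, const img_hdr *h) {
    if (h->width == 0 || h->height == 0 || h->spp == 0 || h->spp > 4) {
        ctx->error = 1;
        return -1;
    }
    /* overflow-checked size computation before allocating */
    if (h->width > SIZE_MAX / h->spp ||
        (size_t)h->width * h->spp > SIZE_MAX / h->height) {
        ctx->error = 1;
        return -1;
    }
    size_t need = (size_t)h->width * h->height * h->spp;
    ctx->out = malloc(need);
    if (!ctx->out) { ctx->error = 1; return -1; }
    ctx->width = h->width;
    ctx->height = h->height;
    ctx->out_len = need;
    return 0;
}

/* Write pixel bytes into the context buffer. This is the check the CVE
 * description says was missing on the vulnerable path: refuse a context
 * that did not finish initialising, and never copy past the recorded
 * capacity, whatever the input file claims. */
int ctx_write(conv_ctx *ctx, const uint8_t *src, size_t n) {
    if (ctx->error || ctx->out == NULL) return -1;  /* not initialised */
    if (n > ctx->out_len) return -2;                /* would overflow heap buffer */
    memcpy(ctx->out, src, n);
    return 0;
}

void ctx_free(conv_ctx *ctx) {
    if (ctx) { free(ctx->out); free(ctx); }
}

/* Full driver: allocate, initialise, write, release. Returns 0 on success,
 * -1 for a rejected header or uninitialised context, -2 for an oversized
 * payload, -3 if the context itself could not be allocated. */
int convert(const img_hdr *h, const uint8_t *pixels, size_t n) {
    conv_ctx *ctx = ctx_new();
    if (!ctx) return -3;
    int rc = ctx_init(ctx, h);
    if (rc == 0) rc = ctx_write(ctx, pixels, n);
    ctx_free(ctx);
    return rc;
}

int main(void) {
    uint8_t px[12] = {0};                      /* constructed 2x2 RGB payload */
    img_hdr good = {2, 2, 3}, bad = {0, 2, 3}; /* bad: zero width is rejected */
    printf("good header: %d\n", convert(&good, px, sizeof px));
    printf("oversized payload: %d\n", convert(&good, px, sizeof px + 1));
    printf("rejected header: %d\n", convert(&bad, px, sizeof px));
    return 0;
}
```

The `convert` driver shows the ordering that matters: the initialisation result is checked before any write is attempted, so a header the parser rejects can never reach `memcpy` with stale fields.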
Fixed by 4.0.2-r1. Please test and stabilize: =media-libs/tiff-4.0.2-r1 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
amd64/ppc/ppc64/x86 stable
(In reply to comment #3) > Fixed by 4.0.2-r1. Thanks, Samuli. Would you be able to provide a patched 3.9.5, also? (Unless we can drop that slot?)
(In reply to comment #5) > (In reply to comment #3) > > Fixed by 4.0.2-r1. > > Thanks, Samuli. Would you be able to provide a patched 3.9.5, also? (Unless > we can drop that slot?) The bug is in tools/tiff2pdf.c and we don't install any tools with the older SLOT, which is only for 2 binary-only programs in Portage, one from sci-* and another is net-im/skype with USE=qt-static enabled. So I'd say we are good as is.
Stable for HPPA.
stable arm
alpha/ia64/m68k/s390/sh/sparc stable
Thanks, everyone. Already on existing GLSA draft. Maintainers, please clean up vulnerable version.
This issue was resolved and addressed in GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml by GLSA coordinator Sean Amoss (ackle).
(In reply to comment #10) > Maintainers, please clean up vulnerable version. Done.