Bug 427166 (CVE-2012-3401) - <media-libs/tiff-4.0.2-r1: Heap-based buffer overflow due to improper initialization of T2P context struct pointer (CVE-2012-3401)
Summary: <media-libs/tiff-4.0.2-r1: Heap-based buffer overflow due to improper initial...
Status: RESOLVED FIXED
Alias: CVE-2012-3401
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2012-07-19 03:54 UTC by taaroa
Modified: 2012-09-24 06:42 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---
Description taaroa 2012-07-19 03:54:47 UTC
A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF
image to PDF document conversion tool of libtiff, a library of
functions for manipulating TIFF (Tagged Image File Format) image format
files, performed a write of TIFF image content into a particular PDF
document file when a not properly initialized T2P context struct pointer
had been provided by tiff2pdf (the application requesting the conversion)
as one of the parameters for the routine performing the write. A remote
attacker could provide a specially-crafted TIFF image format file that,
when processed by tiff2pdf, would lead to a tiff2pdf executable crash or,
potentially, arbitrary code execution with the privileges of the user
running the tiff2pdf binary.

This issue has been assigned CVE-2012-3401.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=837577

The relevant patch for the issue has been applied to the upstream
libtiff-4.0.2 branch.

Reproducible: Always
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-19 16:23:03 UTC
Thanks for the report, taaroa.

From oss-sec mailing list thread (http://www.openwall.com/lists/oss-security/2012/07/19/4):

"I know that 3.9.x up to the latest 4.0.2 are affected.
Older versions may be affected as well, I am not sure
about that."
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-08-14 11:20:37 UTC
CVE-2012-3401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3401):
  The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF
  4.0.2 and earlier does not properly initialize the T2P context struct
  pointer in certain error conditions, which allows context-dependent
  attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted TIFF image that triggers a heap-based buffer
  overflow.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-09-16 17:24:02 UTC
Fixed by 4.0.2-r1. Please test and stabilize:

=media-libs/tiff-4.0.2-r1 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2012-09-16 17:36:43 UTC
amd64/ppc/ppc64/x86 stable
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-16 19:19:30 UTC
(In reply to comment #3)
> Fixed by 4.0.2-r1. 

Thanks, Samuli. Would you be able to provide a patched 3.9.5, also? (Unless we can drop that slot?)
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2012-09-16 19:23:32 UTC
(In reply to comment #5)
> (In reply to comment #3)
> > Fixed by 4.0.2-r1. 
> 
> Thanks, Samuli. Would you be able to provide a patched 3.9.5, also? (Unless
> we can drop that slot?)

The bug is in tools/tiff2pdf.c, and we don't install any tools with the older SLOT, which exists only for 2 binary-only programs in Portage: one from sci-* and the other net-im/skype with USE=qt-static enabled.

So I'd say we are good as is.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-09-18 13:32:17 UTC
Stable for HPPA.
Comment 8 Anthony Basile gentoo-dev 2012-09-20 15:33:21 UTC
stable arm
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-09-23 17:28:13 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-23 18:35:18 UTC
Thanks, everyone.

Already on existing GLSA draft.

Maintainers, please clean up vulnerable version.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 18:46:32 UTC
This issue was resolved and addressed in GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml by GLSA coordinator Sean Amoss (ackle).
Comment 12 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 06:42:40 UTC
(In reply to comment #10)
> Maintainers, please clean up vulnerable version.

Done.