2010-06-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_fax3.c (Fax3SetupState): Avoid under-allocation of buffer due to integer overflow in TIFFroundup() and several other potential overflows. In conjunction with the fix to TIFFhowmany(), fixes CVE-2010-1411. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1411

*tiff-3.9.4 (20 Jun 2010)
20 Jun 2010; Samuli Suominen <ssuominen@gentoo.org> +tiff-3.9.4.ebuild: Version bump.

Current tiff-4.0_beta5 in ~arch is likely also vulnerable. To be honest, I don't understand why we have experimental beta in ~arch at all. It should at least be package.masked.
test & stabilize: =media-libs/tiff-3.9.4
Stable for HPPA.
x86 stable
amd64 stable
alpha/arm/ia64/m68k/s390/sh/sparc stable
Fixing whiteboard. If you want to, have a look at http://www.gentoo.org/security/en/vulnerability-policy.xml on how to set it.
CVE-2010-1411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1411): Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow.
ppc64 stable
Marked ppc stable.
Added to glsa for #307001.
CVE-2010-2065 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2065): Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF file that triggers a buffer overflow.
CVE-2010-2067 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2067): Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file.
CVE-2010-2233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2233): tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used in ImageMagick, does not properly perform vertical flips, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image, related to "downsampled OJPEG input."
CVE-2010-2443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2443): The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an OJPEG image with undefined strip offsets, related to the TIFFVGetField function.
CVE-2010-2481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2481): The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle unknown tag types in TIFF directory entries, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF file.
CVE-2010-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2483): The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a TIFF file with an invalid combination of SamplesPerPixel and Photometric values.
CVE-2010-2631 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2631): LibTIFF 3.9.0 ignores tags in certain situations during the first stage of TIFF file processing and does not properly handle this during the second stage, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.
CVE-2010-2630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2630): The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly validate the data types of codec-specific tags that have an out-of-order position in a TIFF file, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.
CVE-2010-2597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2597): The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image, related to "downsampled OJPEG input" and possibly related to a compiler optimization that triggers a divide-by-zero error.
CVE-2010-2596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2596): The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to "downsampled OJPEG input."
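Added example, not part of this bug, libtiff or Gentoo: a C sketch of the failure mode behind the CVE-2010-1411 and CVE-2010-2065 descriptions above and the ChangeLog entry quoted at the top, where an unchecked round-up-to-multiple wraps in 32-bit arithmetic and yields a buffer size smaller than the data later written into it, beside a checked variant that rejects the wrap. The macro shapes are an assumption modelled on libtiff's TIFFhowmany()/TIFFroundup(), simplified and not copied from the library.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked round-up of x to a multiple of y. Shape modelled on the
 * pre-3.9.4 TIFFhowmany()/TIFFroundup() macros (assumption, simplified):
 * x + (y - 1) is evaluated in uint32_t and silently wraps for large x. */
static uint32_t roundup_unchecked(uint32_t x, uint32_t y)
{
    return ((x + (y - 1)) / y) * y;
}

/* Checked variant: fails (returns false) instead of wrapping. The product
 * cannot overflow because ((x + y - 1) / y) * y <= x + y - 1 <= UINT32_MAX. */
static bool roundup_checked(uint32_t x, uint32_t y, uint32_t *out)
{
    if (y == 0 || x > UINT32_MAX - (y - 1))
        return false;
    *out = ((x + (y - 1)) / y) * y;
    return true;
}

/* Models the allocation decision a decoder makes: the buffer size is derived
 * from file-controlled dimensions, but the decode loop still writes `width`
 * bytes. Returns true when the computed size is smaller than that, i.e. the
 * under-allocation that becomes a heap overflow. */
static bool under_allocates(uint32_t width, uint32_t align)
{
    return roundup_unchecked(width, align) < width;
}

int main(void)
{
    uint32_t width = 0xFFFFFFF0u, align = 64, safe = 0; /* constructed input */
    printf("unchecked: %u bytes for width %u (under-allocates: %s)\n",
           roundup_unchecked(width, align), width,
           under_allocates(width, align) ? "yes" : "no");
    printf("checked:   %s\n",
           roundup_checked(width, align, &safe) ? "ok" : "rejected");
    return 0;
}
```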
This issue was resolved and addressed in GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml by GLSA coordinator Sean Amoss (ackle).