| Field | Value |
|---|---|
| Summary | <media-libs/tiff-3.8.2-r8 tools heap-based buffer overflow (CVE-2009-2347) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B2 [glsa] |
| Reporter | Robert Buchholz (RETIRED) <rbu> |
| Assignee | Gentoo Security <security> |
| CC | graphics+disabled, nerdboy |
| Runtime testing required | --- |
Description
Robert Buchholz (RETIRED)
2009-07-07 23:46:49 UTC
I know we are stabling another version of tiff in bug 276339, but let's get the prestabling of another new version going on here. Please attach an ebuild applying the patch. Thanks!

Created attachment 197131 [details, diff]
tiff-3.8.2-CVE-2009-2347.patch

Patch by Andrey Kiselev.

Created attachment 197267 [details]
tiff-3.8.2-r8.tar.bz2

Here's a tarball with all the patches and the -r8 ebuild, which applies tiff-3.8.2-CVE-2009-2347.patch (the only difference to -r7).

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug: =media-libs/tiff-3.8.2-r8
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : armin76, klausman
amd64 : keytoaster, tester
hppa : jer
ppc : josejx, ranger
ppc64 : josejx, ranger
sparc : fmccor
x86 : fauli, maekke

Looks good on sparc.

x86 ok.

Hey, there was just a stabilisation, that's 70 packages to recompile. Don't forget to add the changes done in the main tree when importing the final -r8 revision.

HPPA is OK.

Created attachment 197767 [details, diff]
tiff-3.8.2-CVE-2009-2347.patch

Tom Lane did additional analysis on the issue and sent in a revised patch:

The original patch missed two out of three places with the same bug in tiff2rgba. (I looked around for additional occurrences and didn't find any, though I can't swear there are none.) Also, I checked with Frank Warmerdam who disapproved of letting the tools/ files use tiffiop.h, so the revised patch does not use _TIFFCheckMalloc. Some other cleanup too, mostly around being careful if size_t is wider than 32 bits and not claiming that possibly-perfectly-legal files are "malformed".

Given that only a few arches responded and that disclosure is later today, let's stable this in-tree. Also, upstream has yet to approve the revised patch.

Public via https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2347

Please bump in the tree, and we'll do stabling there.

On behalf of maekke I bumped the ebuild with the updated patch. Stable for x86 and CC'ing other arches.

Stable for HPPA.

alpha/arm/ia64/m68k/s390/sh/sparc stable

CVE-2009-2347 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2347): Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.

ppc stable

ppc64 done

amd64 stable, all arches done.

Sorry about closing the bug...

GLSA with bug 276339.

GLSA 200908-03
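The bug class this report tracks is a raster allocation whose size is the product of the image's width and height tags (and the per-pixel size) computed in 32-bit arithmetic: a large width and height wrap the product, the tool allocates a short buffer, and the conversion loop then writes the whole image past its end. The C below is an added illustration written for this page; it is not code from libtiff, from the attached patches, or from the GLSA. `raster_bytes_unchecked` and `raster_bytes_checked` are hypothetical names modelling the size computation in a function like `cvt_whole_image`, the dimensions are constructed, and the "safe conversion" only allocates after the checked computation succeeds so the demonstration itself never overflows. The checked version does each multiplication in `size_t` and verifies it before the next, so it is correct whether `size_t` is 32 or 64 bits wide, which is the caveat Tom Lane's note raises.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not libtiff code. "uint32" mirrors libtiff's typedef so the
 * arithmetic below has the same width as the real width/height tag values. */
typedef uint32_t uint32;

/* Hypothetical model of the pre-patch size computation: three uint32 operands
 * multiplied in 32-bit arithmetic, so the result wraps modulo 2^32 and a huge
 * image can yield a tiny (even zero) allocation request. */
uint32 raster_bytes_unchecked(uint32 width, uint32 height)
{
    return width * height * (uint32)sizeof(uint32);
}

/* Hardened computation. Works whether size_t is 32 or 64 bits wide: each
 * multiplication is done in size_t and verified before the next one. Returns
 * the byte count, or 0 when the product is not representable (a zero width or
 * height is also rejected so no caller ever allocates a zero-length raster). */
size_t raster_bytes_checked(uint32 width, uint32 height)
{
    if (width == 0 || height == 0)
        return 0;
    size_t pixels = (size_t)width * (size_t)height;
    if (pixels / height != width)            /* only reachable with 32-bit size_t */
        return 0;
    if (pixels > SIZE_MAX / sizeof(uint32))  /* the second multiply must also fit */
        return 0;
    return pixels * sizeof(uint32);
}

/* 1 if the unchecked size is smaller than what a row-by-row conversion loop
 * over width*height pixels actually writes: the condition under which the
 * heap overflow described in the CVE text occurs. */
int unchecked_underallocates(uint32 width, uint32 height)
{
    size_t need = raster_bytes_checked(width, height);
    if (need == 0)
        return 1;                            /* not representable at all */
    return (size_t)raster_bytes_unchecked(width, height) < need;
}

/* Simulated conversion: allocate with the checked size and fill the raster
 * row by row, counting writes, so the demonstration never overflows.
 * Returns the number of pixels written, or 0 if allocation was refused. */
size_t convert_image_safe(uint32 width, uint32 height)
{
    size_t bytes = raster_bytes_checked(width, height);
    if (bytes == 0)
        return 0;
    uint32 *raster = malloc(bytes);
    if (raster == NULL)
        return 0;
    size_t written = 0;
    for (uint32 row = 0; row < height; row++)
        for (uint32 col = 0; col < width; col++)
            raster[written++] = 0xFF000000u | (row << 8) | col;  /* constructed pixel */
    free(raster);
    return written;
}

int main(void)
{
    /* Constructed dimensions: one ordinary image and two that wrap a 32-bit product. */
    struct { uint32 w, h; } cases[] = {
        { 640, 480 },          /* ordinary image */
        { 0x10000, 0x4001 },   /* 65536 x 16385: byte count wraps to 0x40000 */
        { 0x10000, 0x10000 },  /* 65536 x 65536: byte count wraps to exactly 0 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32 w = cases[i].w, h = cases[i].h;
        printf("%u x %u: unchecked=%u checked=%zu underallocates=%d\n",
               w, h, raster_bytes_unchecked(w, h), raster_bytes_checked(w, h),
               unchecked_underallocates(w, h));
    }
    printf("640x480 converted %zu pixels\n", convert_image_safe(640, 480));
    return 0;
}
```

The second check (`pixels > SIZE_MAX / sizeof(uint32)`) is the one that matters on a 64-bit build: there the width*height product can never wrap, so a check written only against 32-bit overflow would pass, while the later multiply by the pixel size could still exceed what the allocator is asked for. Rejecting a dimension of zero up front also avoids the "possibly-perfectly-legal files are malformed" trap in the other direction, since a zero-length raster is not a valid image either way.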