| Summary: | <media-libs/tiff-3.9.4-r1: Heap-based buffer overflow in Fax4Decode (CVE-2011-0192) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matthew Marlowe (RETIRED) <mattm> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | alexanderyt, boss.gentoo, graphics+disabled, nerdboy |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://bugzilla.maptools.org/show_bug.cgi?id=2297 | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 359871 | | |
| Attachments: | | | |

Description
Matthew Marlowe (RETIRED)
2011-03-03 21:25:51 UTC
Thank you for the report.

Ubuntu also just released an update today for this vulnerability: Ubuntu Security Notice USN-1085-2 March 15, 2011 tiff regression https://launchpad.net/bugs/731540

Note that when RHEL released their notice, I couldn't actually find a patch or notice on the upstream site. If we haven't already identified what needs to be updated, perhaps the Ubuntu vulnerability will have more info. Anyhow, it's been 13 days since this was reported and it might be remotely exploitable, so it would be nice to get fixed.

I think there are some patches in http://bugzilla.maptools.org/show_bug.cgi?id=2297

Created attachment 266681
Upstream patch for 3.9
merged patch suitable to apply in 3.9. (571 bytes, patch)
2011-03-16 12:05, Frank Warmerdam

@graphics, Steve, just a friendly ping on this one. Looks like upstream's 3.9.5 release will take care of a couple of issues for us...

Renaming the existing ebuild correctly downloads and builds 3.9.5 here, fwiw (hardened amd64). Thank you.

Done in 3.9.4-r1 (patched), 3.9.5 and 4.0 fixed upstream.

Sorry, habit...

(In reply to comment #7)
> Sorry, habit...

No prob, thanks for the bump.

Arches, please test and mark stable:
=media-libs/tiff-3.9.4-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

(In reply to comment #8)
> (In reply to comment #7)
> > Sorry, habit...
>
> No prob, thanks for the bump.
>
> Arches, please test and mark stable:
> =media-libs/tiff-3.9.4-r1
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Looks like =media-libs/tiff-3.9.4-r1 went straight to stable. Was that intentional?

Already stable on SPARC, not proceeding any further. :)

Thanks, folks. GLSA request filed.

This issue was resolved and addressed in GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml by GLSA coordinator Sean Amoss (ackle).