Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 357271 (CVE-2011-0192)

Summary: <media-libs/tiff-3.9.4-r1: Heap-based buffer overflow in Fax4Decode (CVE-2011-0192)
Product: Gentoo Security Reporter: Matthew Marlowe <mattm>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: alexanderyt, boss.gentoo, graphics+disabled, nerdboy
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugzilla.maptools.org/show_bug.cgi?id=2297
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 359871    
Attachments:
Description Flags
Upstream patch for 3.9 none

Description Matthew Marlowe gentoo-dev 2011-03-03 21:25:51 UTC
Redhat released patches for a new vulnerability in libtiff today that apparently impacts RHEL 4,5,6, including tiff-3.9.4 which is currently the latest stable in the gentoo portage tree.

I'm not sure if we're impacted, but since the description of the vulnerability mentions that it could be remotely exploitable for webapps that allow visitors to upload images, it would seem to be something worth investigating and patching quickly if needed.

I search gentoo bugzilla for any reference of the vulnerability or patches and couldn't find it, so I'm opening up a new one and cc'ing security and the package maintainer.

Here is some info:
https://bugzilla.redhat.com/show_bug.cgi?id=678635
https://rhn.redhat.com/errata/RHSA-2011-0318.html

RedHat has the vulnerability listed as priority "important" which is relatively high as far as their announcements normally go.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-05 21:43:59 UTC
Thank you for the report.
Comment 2 Matthew Marlowe gentoo-dev 2011-03-17 05:59:56 UTC
Ubuntu also just released an update today for this vulnerability:

Ubuntu Security Notice USN-1085-2            March 15, 2011
tiff regression
https://launchpad.net/bugs/731540

Note that when RHEL released their notice, I couldn't actually find a patch or notice on the upstream site.

If we haven't already identified what needs to be updated, perhaps the ubuntu vulnerability will have more info.

Anyhow, it's been 13 days since this was reported and it might be remotely exploitable, so it would be nice to get fixed.
Comment 3 PaweĊ‚ Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-17 10:30:58 UTC
I think there are some patches in http://bugzilla.maptools.org/show_bug.cgi?id=2297
Comment 4 Steve Arnold gentoo-dev 2011-03-21 06:17:24 UTC
Created attachment 266681 [details, diff]
Upstream patch for 3.9

merged patch suitable to apply in 3.9. (571 bytes, patch)
2011-03-16 12:05, Frank Warmerdam
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-04-13 04:33:55 UTC
@graphics, Steve, just a friendly ping on this one. 

Looks like upstream's 3.9.5 release will take care of a couple of issues for us... Renaming the existing ebuild correctly downloads and build 3.9.5 here, fwiw (hardened amd64). 

Thank you.
Comment 6 Steve Arnold gentoo-dev 2011-04-16 21:29:12 UTC
Done in 3.9.4-r1 (patched), 3.9.5 and 4.0 fixed upstream.
Comment 7 Steve Arnold gentoo-dev 2011-04-16 21:29:37 UTC
Sorry, habit...
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-04-16 21:49:13 UTC
(In reply to comment #7)
> Sorry, habit...

No prob, thanks for the bump.

Arches, please test and mark stable:
=media-libs/tiff-3.9.4-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-04-16 22:55:39 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > Sorry, habit...
> 
> No prob, thanks for the bump.
> 
> Arches, please test and mark stable:
> =media-libs/tiff-3.9.4-r1
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Looks like =media-libs/tiff-3.9.4-r1 went straight to stable. Was that intentional?
Comment 10 Alex Buell 2011-04-17 23:53:56 UTC
Already stable on SPARC, not proceeding any further. :)
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 03:39:40 UTC
Thanks, folks. GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 18:46:19 UTC
This issue was resolved and addressed in
 GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml
by GLSA coordinator Sean Amoss (ackle).