Summary: <media-libs/tiff-3.9.4-r1: Heap-based buffer overflow in Fax4Decode (CVE-2011-0192)
Product: Gentoo Security
Reporter: Matthew Marlowe <mattm>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: alexanderyt, boss.gentoo, graphics+disabled, nerdboy
Package list:
Runtime testing required: ---
Bug Depends on:
Description Matthew Marlowe 2011-03-03 21:25:51 UTC
Redhat released patches for a new vulnerability in libtiff today that apparently impacts RHEL 4, 5 and 6, including tiff-3.9.4, which is currently the latest stable in the gentoo portage tree. I'm not sure if we're impacted, but since the description of the vulnerability mentions that it could be remotely exploitable for webapps that allow visitors to upload images, it would seem to be something worth investigating and patching quickly if needed. I searched gentoo bugzilla for any reference to the vulnerability or patches and couldn't find it, so I'm opening up a new one and cc'ing security and the package maintainer.

Here is some info:
https://bugzilla.redhat.com/show_bug.cgi?id=678635
https://rhn.redhat.com/errata/RHSA-2011-0318.html

RedHat has the vulnerability listed as priority "important", which is relatively high as far as their announcements normally go.
Comment 1 Tim Sammut (RETIRED) 2011-03-05 21:43:59 UTC
Thank you for the report.
Comment 2 Matthew Marlowe 2011-03-17 05:59:56 UTC
Ubuntu also just released an update today for this vulnerability:

Ubuntu Security Notice USN-1085-2, March 15, 2011: tiff regression
https://launchpad.net/bugs/731540

Note that when RHEL released their notice, I couldn't actually find a patch or notice on the upstream site. If we haven't already identified what needs to be updated, perhaps the Ubuntu vulnerability notice will have more info. Anyhow, it's been 13 days since this was reported and it might be remotely exploitable, so it would be nice to get it fixed.
Comment 3 Paweł Hajdan, Jr. (RETIRED) 2011-03-17 10:30:58 UTC
I think there are some patches in http://bugzilla.maptools.org/show_bug.cgi?id=2297
Comment 4 Steve Arnold 2011-03-21 06:17:24 UTC
Created attachment 266681: Upstream patch for 3.9 (merged patch suitable to apply in 3.9; 571 bytes, patch; 2011-03-16 12:05, Frank Warmerdam)
Comment 5 Tim Sammut (RETIRED) 2011-04-13 04:33:55 UTC
@graphics, Steve, just a friendly ping on this one. Looks like upstream's 3.9.5 release will take care of a couple of issues for us... Renaming the existing ebuild correctly downloads and builds 3.9.5 here, fwiw (hardened amd64). Thank you.
Comment 6 Steve Arnold 2011-04-16 21:29:12 UTC
Done in 3.9.4-r1 (patched), 3.9.5 and 4.0 fixed upstream.
Comment 7 Steve Arnold 2011-04-16 21:29:37 UTC
Comment 8 Tim Sammut (RETIRED) 2011-04-16 21:49:13 UTC
(In reply to comment #7)
> Sorry, habit...

No prob, thanks for the bump.

Arches, please test and mark stable:
=media-libs/tiff-3.9.4-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 9 Tim Sammut (RETIRED) 2011-04-16 22:55:39 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > Sorry, habit...
>
> No prob, thanks for the bump.
>
> Arches, please test and mark stable:
> =media-libs/tiff-3.9.4-r1
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Looks like =media-libs/tiff-3.9.4-r1 went straight to stable. Was that intentional?
Comment 10 Alex Buell 2011-04-17 23:53:56 UTC
Already stable on SPARC, not proceeding any further. :)
Comment 11 Tim Sammut (RETIRED) 2011-04-26 03:39:40 UTC
Thanks, folks. GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot 2012-09-23 18:46:19 UTC
This issue was resolved and addressed in GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml by GLSA coordinator Sean Amoss (ackle).