| Summary: | <media-libs/tiff-3.9.4-r1: ThunderCode Decoder Remote Code Execution Vulnerability (CVE-2011-1167) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Yury German <blueknight> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | graphics+disabled, nerdboy |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.zerodayinitiative.com/advisories/ZDI-11-107/ | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 357271 | | |
| Bug Blocks: | | | |

Description
Yury German
2011-03-22 04:48:56 UTC
Done in 3.9.4-r1 (patched), 3.9.5 and 4.0 fixed upstream. Added to existing GLSA request.

CVE-2011-1167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1167): Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value.

This issue was resolved and addressed in GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml by GLSA coordinator Sean Amoss (ackle).