| Summary: | <media-libs/tiff-{3.9.7,4.0.3-r2} : two vulnerabilities (CVE-2013-{1960,1961}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | graphics+disabled |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2013/05/02/4 | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 440154, 440944 | | |
Description
Agostino Sarubbo
2013-05-02 21:31:55 UTC
Fixed in 4.0.3-r2. Marking bug 440944 and 440154 blockers and handling stabilization here. Please test and mark stable:

=media-libs/tiff-3.9.7 amd64 x86
=media-libs/tiff-4.0.3-r2 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

amd64 stable

x86 stable

ppc ppc64 : stable

It fails 2 tests, the same on both arches, but is not a regression.

(In reply to comment #4)
> ppc ppc64 : stable
>
> It fails 2 tests, the same on both arches, but is not a regression.

I removed the stable keywords on the 3.* branch again, since PPC and PPC64 do not require them.

Stable for HPPA.

Attachment: media-libs/tiff/files/tiff-4.0.3-CVE-2013-1961.patch (31 KiB)

arm stable

alpha stable

ia64 stable

sparc stable

sh stable

s390 stable

CVE-2013-1961 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1961): Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file.

CVE-2013-1960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1960): Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file.

Added to existing GLSA draft.

M68K is no longer a stable arch, removing it from the CC list.

This issue was resolved and addressed in GLSA 201402-21 at http://security.gentoo.org/glsa/glsa-201402-21.xml by GLSA coordinator Chris Reffett (creffett).