
Bug 480466 (CVE-2013-4231)

Summary: <media-libs/tiff-4.0.3-r4: Multiple vulnerabilities (CVE-2013-{4231,4232})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: graphics+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-08-10 09:45:25 UTC
From ${URL} :

  Pedro Ribeiro has recently reported the following five security
flaws being present in the tools of TIFF library:

While they are present in the tools (=> not as urgent as they
would be in the library itself), there have been CVE ids assigned
in the past for TIFF library tools issues too. To mention some examples:

Since there doesn't seem to be CVE identifiers assigned for these
[1] issues yet, could you allocate them?

FWIW regarding the patches and upstream bugs - if my information
is up to date, there are no upstream bugs or patches for these issues

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Samuli Suominen gentoo-dev 2013-08-23 14:55:08 UTC
in tree:

+*tiff-4.0.3-r4 (23 Aug 2013)
+*tiff-4.0.3-r5 (23 Aug 2013)
+  23 Aug 2013; Samuli Suominen <>
+  +files/tiff-4.0.3-CVE-2013-4231.patch, +files/tiff-4.0.3-CVE-2013-4232.patch,
+  +tiff-4.0.3-r4.ebuild, +tiff-4.0.3-r5.ebuild:
+  Fix for CVE-2013-4231 (and CVE-2013-4232) from upstream. See security bug
+  #480466. The -r4 is for stabilization without multilib-minimal.eclass usage.
Comment 2 Samuli Suominen gentoo-dev 2013-08-23 14:57:13 UTC
Arches, please test and stabilize:

=media-libs/tiff-4.0.3-r4 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 3 Jeroen Roovers gentoo-dev 2013-08-23 15:37:48 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-23 19:25:25 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-23 19:25:53 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-08-24 12:35:16 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-24 15:54:46 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-26 16:57:20 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-08-28 12:07:07 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-08-28 12:07:41 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-08-28 12:08:17 UTC
s390 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-08-28 12:09:06 UTC
sh stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-08-28 12:10:12 UTC
sparc stable
Comment 14 Sergey Popov gentoo-dev 2013-09-02 10:34:16 UTC
Thanks for your work

GLSA request filed
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-09-11 01:52:14 UTC
CVE-2013-4232 (
  Use-after-free vulnerability in the t2p_readwrite_pdf_image function in
  tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial
  of service (crash) or possibly execute arbitrary code via a crafted TIFF
Comment 16 Agostino Sarubbo gentoo-dev 2013-09-28 20:56:26 UTC
M68K is not anymore a stable arch, removing it from the cc list
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:07:03 UTC
CVE-2013-4231 (
  Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to
  cause a denial of service (out-of-bounds write) via a crafted (1) extension
  block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a
  long filename for a TIFF image to tools/rgb2ycbcr.c.  NOTE: vectors 1 and 3
  are disputed by Red Hat, which states that the input cannot exceed the
  allocated buffer size.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 15:41:04 UTC
This issue was resolved and addressed in
 GLSA 201402-21 at
by GLSA coordinator Chris Reffett (creffett).
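The CVE-2013-4231 text quoted in comment 17 describes out-of-bounds writes triggered by a crafted extension block in a GIF image handed to tools/gif2tiff.c. The root of that bug class is the GIF sub-block layout: an extension's data arrives as a chain of sub-blocks, each one length byte (0..255) followed by that many bytes, terminated by a zero length byte, so the total is bounded only by the file, not by 255. A reader that sizes its buffer for a single sub-block and then concatenates the chain overflows. The code below is an added example, not libtiff's gif2tiff.c and not the upstream patch; it shows the bounds-checked form of such a reader with three constructed inputs (well-formed, larger than the output buffer, and truncated before the terminator). The function and sample names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of reading one extension's sub-block chain. */
enum gif_ext_status {
    GIF_EXT_OK = 0,
    GIF_EXT_TRUNCATED = 1,   /* input ended before the zero terminator */
    GIF_EXT_TOO_LARGE = 2    /* chain does not fit in the caller's buffer */
};

/*
 * Copy the data sub-blocks of one GIF extension into out[0..out_cap).
 * `in` points at the first sub-block length byte (i.e. after the 0x21
 * introducer and the label byte). Every length and every copy is checked
 * against both the remaining input and the remaining output capacity, so a
 * crafted chain can only produce an error code, never an out-of-bounds write.
 */
enum gif_ext_status read_gif_extension(const uint8_t *in, size_t in_len,
                                       uint8_t *out, size_t out_cap,
                                       size_t *out_len, size_t *consumed)
{
    size_t pos = 0, written = 0;
    for (;;) {
        if (pos >= in_len)
            return GIF_EXT_TRUNCATED;            /* no length byte left */
        size_t n = in[pos++];
        if (n == 0)
            break;                               /* block terminator */
        if (n > in_len - pos)
            return GIF_EXT_TRUNCATED;            /* data runs past input */
        if (n > out_cap - written)
            return GIF_EXT_TOO_LARGE;            /* would overflow `out` */
        memcpy(out + written, in + pos, n);
        written += n;
        pos += n;
    }
    *out_len = written;
    *consumed = pos;
    return GIF_EXT_OK;
}

/* Constructed sample: a comment extension body "Hello, GIF" in two sub-blocks. */
static const uint8_t sample_ok[] = {
    5, 'H', 'e', 'l', 'l', 'o',
    5, ',', ' ', 'G', 'I', 'F',
    0
};

/* Returns 1 when the well-formed chain decodes to the expected 10 bytes. */
int demo_well_formed(void)
{
    uint8_t out[256];
    size_t out_len = 0, used = 0;
    enum gif_ext_status st = read_gif_extension(sample_ok, sizeof sample_ok,
                                                out, sizeof out, &out_len, &used);
    return st == GIF_EXT_OK && out_len == 10 && used == sizeof sample_ok &&
           memcmp(out, "Hello, GIF", 10) == 0;
}

/* Constructed sample: two maximal (255-byte) sub-blocks, 510 bytes in total,
 * offered to a 256-byte buffer. A reader sized for one sub-block would be
 * overrun by the second; the checked reader reports GIF_EXT_TOO_LARGE. */
int demo_oversized(void)
{
    uint8_t chain[1 + 255 + 1 + 255 + 1];
    uint8_t out[256];
    size_t out_len = 0, used = 0;
    chain[0] = 255;   memset(chain + 1, 'A', 255);
    chain[256] = 255; memset(chain + 257, 'A', 255);
    chain[512] = 0;
    return (int)read_gif_extension(chain, sizeof chain, out, sizeof out,
                                   &out_len, &used);
}

/* Constructed sample: one sub-block with the terminator byte missing. */
int demo_truncated(void)
{
    static const uint8_t chain[] = { 5, 'H', 'e', 'l', 'l', 'o' };
    uint8_t out[256];
    size_t out_len = 0, used = 0;
    return (int)read_gif_extension(chain, sizeof chain, out, sizeof out,
                                   &out_len, &used);
}

int main(void)
{
    printf("well-formed: %s\n", demo_well_formed() ? "ok" : "FAIL");
    printf("oversized chain -> status %d\n", demo_oversized());
    printf("truncated chain -> status %d\n", demo_truncated());
    return 0;
}
```

The two checks that matter are `n > in_len - pos` and `n > out_cap - written`; both subtractions are safe because the loop keeps `pos <= in_len` and `written <= out_cap` as invariants. Note that the CVE text records Red Hat's dispute of the extension-block and long-filename vectors; the example illustrates the check a tool reading untrusted GIF input needs regardless of how exploitable the specific gif2tiff.c path was.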