Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 484542 (CVE-2013-4243)

Summary: <media-libs/tiff-4.0.6: Buffer overflow (CVE-2013-4243)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.asmail.be/msg0055359936.html
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2013-09-11 01:52:53 UTC 
CVE-2013-4243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4243):
  Heap-based buffer overflow in the readgifimage function in the gif2tiff tool
  in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
  service (crash) and possibly execute arbitrary code via a crafted height and
  width values in a GIF image.


Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2451
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2013-10-03 05:10:38 UTC 
Potential patch available from Open Suse:
http://lwn.net/Articles/568120/

Patch also fixes following CVE's:
 This tiff security update fixes several buffer overflow
   issues and a out-of-bounds wirte problem.

   * tiff: buffer overflows/use after free problem
   [CVE-2013-4231][CVE-2013-4232][bnc#834477]
   * libtiff (gif2tiff): OOB Write in LZW decompressor
   [CVE-2013-4244][bnc#834788]
   * libtiff (gif2tiff): heap-based buffer overflow in
   readgifimage() [CVE-2013-4243][bnc#834779]


Upstream please confirm and Ebuild.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2014-02-04 16:14:04 UTC 
(In reply to Yury German from comment #1)
> Potential patch available from Open Suse:
> http://lwn.net/Articles/568120/
> 
> Patch also fixes following CVE's:
>  This tiff security update fixes several buffer overflow
>    issues and a out-of-bounds wirte problem.
> 
>    * tiff: buffer overflows/use after free problem
>    [CVE-2013-4231][CVE-2013-4232][bnc#834477]

this one seems to be covered already.

*tiff-4.0.3-r4 (23 Aug 2013)
*tiff-4.0.3-r5 (23 Aug 2013)

  23 Aug 2013; Samuli Suominen <ssuominen@gentoo.org>
  +files/tiff-4.0.3-CVE-2013-4231.patch, +files/tiff-4.0.3-CVE-2013-4232.patch,
  +tiff-4.0.3-r4.ebuild, +tiff-4.0.3-r5.ebuild:
  Fix for CVE-2013-4231 (and CVE-2013-4232) from upstream. See security bug
  #480466. The -r4 is for stabilization without multilib-minimal.eclass usage.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2014-02-04 16:18:50 UTC 
(In reply to Yury German from comment #1)
> Potential patch available from Open Suse:
> http://lwn.net/Articles/568120/
> 
> Patch also fixes following CVE's:
>  This tiff security update fixes several buffer overflow
>    issues and a out-of-bounds wirte problem.
> 
>    * tiff: buffer overflows/use after free problem
>    [CVE-2013-4231][CVE-2013-4232][bnc#834477]
>    * libtiff (gif2tiff): OOB Write in LZW decompressor
>    [CVE-2013-4244][bnc#834788]

This one is bug 486590. So lets keep this bug only for CVE-2013-4243. Just added to confusion.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 08:09:09 UTC 
@arches, please stabilize >=media-libs/tiff-4.0.5

@maintainer(s), once stabilization is complete please remove vulnerable versions, <media-libs/tiff-4.0.3
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-06 08:23:48 UTC 
(In reply to Aaron Bauman from comment #4)
> @arches, please stabilize >=media-libs/tiff-4.0.5

4.0.6 or 4.0.5?
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-06 10:02:17 UTC 
@arches, please stabilize =media-libs/tiff-4.0.6
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-06 13:50:52 UTC 
I wouldn't recommend changing the bug title to reflect <media-libs/tiff-4.0.6 as it implies that all versions less than that are vulnerable which is not the case here.  This can be applied to most bugs, as often unstable versions are available that mitigate certain vulnerabilities.

@arches, does this titling make it easier for you to track or use various tools?
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-07 08:04:40 UTC 
amd64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-08 13:42:08 UTC 
Stable for HPPA PPC64.
Comment 10 Markus Meier gentoo-dev 2016-03-11 16:39:52 UTC 
arm stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-14 18:50:38 UTC 
Stable on alpha.
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-15 16:40:43 UTC 
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-16 12:04:35 UTC 
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-03-19 11:37:07 UTC 
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-03-20 12:01:18 UTC 
ia64 stable
Comment 16 Pacho Ramos gentoo-dev 2016-05-06 10:02:16 UTC 
The remaining arches a not officially "stable" then maybe they should not block the subsequent "CVE" process here :/
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2016-07-09 13:30:13 UTC 
Removing unstable arches from CC.

@maintainer(s), please cleanup vulnerable versions.
Comment 18 Markus Meier gentoo-dev 2016-07-10 08:50:27 UTC 
Cleaned up vulnerable versions: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f65cfb30904aa816aa0977ce4ccf188f8c31e1a
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2016-07-11 05:00:46 UTC 
New GLSA request filed.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2017-01-09 17:00:40 UTC 
This issue was resolved and addressed in
 GLSA 201701-16 at https://security.gentoo.org/glsa/201701-16
by GLSA coordinator Thomas Deutschmann (whissi).