| Field | Value |
|---|---|
| Summary | <media-libs/tiff-4.0.6-r1: gif2tiff utility: Multiple vulnerabilities |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | graphics+disabled, tka |
| Priority | Normal |
| Keywords | PATCH |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1343407 |
| Whiteboard | B2 [glsa cve glsa blocked] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 599746 |
| Bug Blocks | |
| Attachments | |
Description
Agostino Sarubbo
2016-06-07 11:54:14 UTC
Upstream removed gif2tiff entirely. Perhaps we simply revbump our package and remove the binary as well instead of waiting for the 4.0.7 upstream release?

(In reply to Lars Wendler (Polynomial-C) from comment #1)
> Upstream removed gif2tiff entirely. Perhaps we simply revbump our package
> and remove the binary as well instead of waiting for the 4.0.7 upstream
> release?

That sounds like a very reasonable solution. Let us know which version in tree has it removed if you decide to do that. Thanks.

commit c833e82151f379f180b50c7dff58b8f989a9c1a9
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Aug 3 15:37:49 2016

    media-libs/tiff: Revbump for security bug #585274

    Removing vulnerable gif2tiff (CVE-2016-5102)
    Upstream seems to no longer ship this tool with >=tiff-4.0.7 versions.

    Package-Manager: portage-2.3.0
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

I'd prefer to let tiff-4.0.6-r1 settle for a while as I don't know if any third-party app makes use of gif2tiff.

Created attachment 442726
Patch that also removes the test for gif2tiff.
The original patch leaves the test for gif2tiff in place. Of course, that test fails now. Thus, also remove it for consistency and to keep the tests passing.
Adding CVE-2016-3186 because the same solution (removal of gif2tiff) applies:

Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.

@maintainer, please patch the test issue as previously reported. After that let us know when you are comfortable to stabilize, which may be dependent on newer bugs of course.

This issue was resolved and addressed in GLSA 201701-16 at https://security.gentoo.org/glsa/201701-16 by GLSA coordinator Thomas Deutschmann (whissi).
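The CVE-2016-3186 entry above describes a buffer overflow while reading GIF extension blocks. As an added illustration (not libtiff's or Gentoo's code, and not a reconstruction of the actual readextension() defect, which this bug does not detail), the following C reader parses the GIF extension sub-block format with the bounds checks a safe implementation needs: every length byte is checked against the bytes remaining in the input and against the caller's output buffer, and a file that ends before the 0x00 terminator is rejected as truncated rather than treated as complete. The sample byte arrays are constructed for this example.

```c
/*
 * Added example, not code from libtiff or this bug: a bounds-checked reader
 * for GIF extension sub-blocks, the structure that gif2tiff's readextension()
 * walked. It works on an in-memory buffer so it runs offline; the sample
 * inputs below are constructed for this example.
 *
 * GIF extension layout: 0x21 (introducer), one label byte, then sub-blocks.
 * Each sub-block is a length byte N (0..255) followed by N data bytes; a
 * length byte of 0 terminates the extension.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GIF_EXT_INTRODUCER 0x21

/*
 * Parse one extension starting at in[0]. Sub-block payloads are concatenated
 * into out (capacity out_cap). On success returns the payload length and
 * stores the number of input bytes consumed in *consumed; returns -1 if the
 * input is not an extension, ends before the terminator, a sub-block claims
 * more bytes than remain, or the payload would exceed out_cap.
 */
long gif_read_extension(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap, size_t *consumed)
{
    size_t pos;
    size_t total = 0;

    if (in_len < 2 || in[0] != GIF_EXT_INTRODUCER)
        return -1;
    pos = 2;                       /* skip introducer and label */

    for (;;) {
        size_t count;

        /* Every length byte must actually be present: a file that ends
         * before the 0x00 terminator is truncated, not "done". */
        if (pos >= in_len)
            return -1;
        count = in[pos++];
        if (count == 0)
            break;                 /* block terminator */

        /* The declared length is bounded by what is left in the input,
         * never trusted from the file... */
        if (count > in_len - pos)
            return -1;
        /* ...and by the caller's output buffer. */
        if (count > out_cap - total)
            return -1;

        memcpy(out + total, in + pos, count);
        total += count;
        pos += count;
    }

    *consumed = pos;
    return (long)total;
}

/* Constructed sample inputs (not taken from any real file). */

/* Comment Extension (label 0xFE) carrying "Hello" and " GIF" in two
 * sub-blocks, properly terminated: 9 payload bytes, 14 bytes consumed. */
static const uint8_t SAMPLE_COMMENT[] = {
    0x21, 0xFE,
    5, 'H', 'e', 'l', 'l', 'o',
    4, ' ', 'G', 'I', 'F',
    0x00
};

/* Length byte (200) promises far more than the 3 bytes that follow; an
 * unchecked reader would run past the end of the data. */
static const uint8_t SAMPLE_OVERLONG[] = { 0x21, 0xFE, 200, 'a', 'b', 'c' };

/* Sub-block is complete but the data ends without the 0x00 terminator. */
static const uint8_t SAMPLE_NO_TERMINATOR[] = { 0x21, 0xFE, 2, 'x', 'y' };

/* Wrapper: parse one sample into a scratch buffer, return payload length or -1. */
long gif_sample_payload_len(const uint8_t *in, size_t in_len)
{
    uint8_t out[1024];
    size_t consumed = 0;
    return gif_read_extension(in, in_len, out, sizeof out, &consumed);
}

/* Wrapper: bytes consumed for a sample, or 0 if it was rejected. */
size_t gif_sample_consumed(const uint8_t *in, size_t in_len)
{
    uint8_t out[1024];
    size_t consumed = 0;
    if (gif_read_extension(in, in_len, out, sizeof out, &consumed) < 0)
        return 0;
    return consumed;
}

int main(void)
{
    printf("comment:       %ld\n", gif_sample_payload_len(SAMPLE_COMMENT, sizeof SAMPLE_COMMENT));
    printf("overlong:      %ld\n", gif_sample_payload_len(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    printf("no terminator: %ld\n", gif_sample_payload_len(SAMPLE_NO_TERMINATOR, sizeof SAMPLE_NO_TERMINATOR));
    return 0;
}
```

The two rejected samples are the cases a crafted file exercises: a length byte larger than the remaining data, and data that stops before the terminator. Both are caught by comparing the declared length against the input that is actually present rather than against the 255 maximum a length byte can encode.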