| Summary: | wxGTK might contain vulnerable libtiff | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thierry Carrez (RETIRED) <koon> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | major | CC: | wxwidgets |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:111 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
I checked all our ebuilds and I can confirm none give the user any option to compile with wxGTK's tiff code. Perfect :) Thanks for this quick answer. |
From Mandrake advisory : ----------------------------------- Several vulnerabilities have been discovered in the libtiff package; wxGTK2 uses a libtiff code tree, so it may have the same vulnerabilities: Chris Evans discovered several problems in the RLE (run length encoding) decoders that could lead to arbitrary code execution. (CAN-2004-0803) Matthias Clasen discovered a division by zero through an integer overflow. (CAN-2004-0804) Dmitry V. Levin discovered several integer overflows that caused malloc issues which can result to either plain crash or memory corruption. (CAN-2004-0886) ---------------------------------------- Our version looks dynamically linked: # ldd /usr/lib/libwx_gtk2* | grep libtiff libtiff.so.3 => /usr/lib/libtiff.so.3 (0x409a8000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x409a8000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x409a8000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x404d2000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x404d2000) libtiff.so.3 => /usr/lib/libtiff.so.3 (0x404d2000) however to be sure I prefer to ask you to confirm that the libtiff code in wxGTK is ignored by Gentoo builds :)