Bug 91584

Summary: media-libs/tiff: buffer overflow
Product: Gentoo Security
Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: eradicator, josejx, nerdboy
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: A2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments: samples vulnerability patch (flags: none)

Description Tavis Ormandy (RETIRED) gentoo-dev 2005-05-05 09:32:08 UTC
libtiff is vulnerable to a buffer overflow when a malformed value is set as BitsPerSample.

Upstream has been informed: http://bugzilla.remotesensing.org/show_bug.cgi?id=843
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-05 09:54:29 UTC
Proposed patch by upstream attached to referenced bug.

Steve please commit an updated ebuild.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-05 11:05:36 UTC
Upstream developer has stated that this has now been fixed in cvs (see URL above).
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-07 08:56:08 UTC
Created attachment 58276
samples vulnerability patch

Here's the patch from cvs, the ChangeLog indicates the 1.52 revision was
incomplete, so these are the updates from 1.51-1.53.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-07 10:39:01 UTC
Steve provide an updated ebuild.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-07 10:55:35 UTC
Of course should have been Steve please provide an updated ebuild.
Comment 6 Steve Arnold archtester gentoo-dev 2005-05-08 11:27:21 UTC
Now in CVS:
  +files/tiff-3.7.2-buffer_check.patch, -tiff-3.7.0.ebuild,
  -tiff-3.7.1.ebuild, +tiff-3.7.2.ebuild:
  bump, cleanup, and patch for bug 91584

The new ebuild is all ~arch with the patch; the two older stable ebuilds are not 
patched (haven't tried yet).  3.7.2 is listed on the maptools.org site as both
latest stable and latest development release.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-08 11:42:52 UTC
Thx Steve.

Devs please test and mark 3.7.2 stable.

alpha: kloeri
amd64: eradicator
ppc: josejx
sparc: gustavoz
x86: tester

arm hppa ia64 mips ppc64 ppc-macos s390 will be called shortly.
Comment 8 Jeremy Huddleston (RETIRED) gentoo-dev 2005-05-08 16:13:11 UTC
I'm testing for amd64 and sparc now... is this really necessary:

pkg_postinst() {
        einfo "Latest tiff with bug #91584 fixes."
}
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-09 08:25:39 UTC
sparc done by eradicator, I'm no longer required here :)
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-10 14:46:20 UTC
GLSA 200505-07