Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 129675 - media-libs/tiff: <3.8.1 several vulns: DoS, int. overflow, double-free vuln (CVE-2006-202[456], CVE-2006-2120)
Summary: media-libs/tiff: <3.8.1 several vulns: DoS, int. overflow, double-free vuln (...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://bugzilla.remotesensing.org/sho...
Whiteboard: A2 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-12 03:59 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-11-11 20:06 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch 3.7.4 (tiff-3.7.4-bug129675.patch,6.40 KB, patch)
2006-05-09 10:13 UTC, Raphael Marichez (Falco) (RETIRED)
no flags Details | Diff
patch 3.7.3 (not verified) (tiff-3.7.3-bug129675.patch,6.40 KB, patch)
2006-05-09 10:15 UTC, Raphael Marichez (Falco) (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-12 03:59:59 UTC
As said in http://bugzilla.remotesensing.org/show_bug.cgi?id=1102 , tiffinfo crashes with the proposed files.

My tiff-3.7.3 (last stable, x86) is affected.

kuickshow, and xzgv totally crash.

gv, Gimp and konqueror can't display the picture but they recover the error and they don't crash.
My Firefox doesn't display the picture at all.

However, it may be possible to send a special .tiff file via a mail or a web server and to cause the client's application to crash. Since i wasn't able to find an example of mail-application or web-application crashing, please check if this is possible.

Thanks to ed who has indicated us the bug.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-13 06:30:05 UTC
This seems related with #1029 :
http://bugzilla.remotesensing.org/show_bug.cgi?id=1029
which has a CVE entry : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0405
Or, at least, it has the same effects (application crash)

Corrected in upstream CVS.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-04-22 03:27:28 UTC
graphics / taviso: care to patch ?
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-04-25 22:36:07 UTC
Upstream bug 1102 is CVE-2006-202{4-6}. 

Fixes are here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189933
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 11:05:13 UTC
Ccing marienz as he did a recent tiff bump.
Marien: Does it include this vulnerability fix ?
Comment 5 Marien Zwart (RETIRED) gentoo-dev 2006-04-28 11:14:51 UTC
A tiff bump? Me? :)

The only thing I committed to tiff was a digest fix for bug 131396. For bumps you want vapier or before that sekretarz.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-05 10:03:14 UTC
Hi;

Other vulns are related to the original one, including possible code execution. See SA-19838 http://secunia.com/advisories/19838/
It's note a B3 anymore, it's an A2.

it seems hard to "grep" the different patches from the CVS tree.
3.8.1 is out since a while and corrects the vuln.
3.8.2 is in portage and ~arched.

Graphics team, do you want to mark stable 3.8.2 or (introduce in portage and) mark stable 3.8.1 ?

Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-09 10:12:34 UTC
Hi all, i've merged the diff from debian [1] correcting CVE-2006-202[456], and the one from Red Hat [2] correcting CVE-2006-2120. Debian hasn't corrected CVE-2006-2120 issue, don't ask me why.

Please verify this patch and add it to portage, then mark stable either 3.8.1, or 3.7.3/3.7.4 patched.

adm64, ppc, sparc, x86 : 3.7.4
alpha, hppa, ppc64, sh : 3.7.3
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-09 10:13:11 UTC
Created attachment 86490 [details, diff]
patch 3.7.4
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-09 10:15:47 UTC
Created attachment 86492 [details, diff]
patch 3.7.3 (not verified)
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-27 01:08:36 UTC
arches, please test and mark 3.8.2 stable, thank you
Comment 12 Fabian Groffen gentoo-dev 2006-05-27 01:59:57 UTC
ppc-macos stable
Comment 13 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-05-27 05:16:17 UTC
stable on alpha. 
Comment 14 Samuli Suominen gentoo-dev 2006-05-27 05:22:18 UTC
I unkeyworded media-libs/tiff-3.8.2 , and emerged it with collision-protect. Builds fine on x86.

Runtime testcase I made was,

wget ftp://ftp.remotesensing.org/pub/libtiff/pics-3.8.0.tar.gz
tar xfvz pics-3.8.0.tar.gz
cd libtiffpic
tiff2pdf g3test.tif > g3test.pdf

And verified conversion went okay with PDF reader. Good to go stable on x86.

Portage 2.0.54-r2 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.6-r3, 2.6.16-gentoo-r4 i686)
=================================================================
System uname: 2.6.16-gentoo-r4 i686 AMD Athlon(tm) XP 2200+
Gentoo Base System version 1.6.14
dev-lang/python:     2.4.2
dev-python/pycrypto: [Not Present]
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe -g"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/X11/xkb"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -O2 -pipe -g"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo/"
LANG="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://trumpetti.atm.tut.fi/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac alsa apm audiofile avi berkdb bitmap-fonts bzip2 cli crypt dri emboss encode expat fam ffmpeg flac foomaticdb fortran gdbm gif gstreamer gtk gtk2 id3 imagemagick imlib ipv6 isdnlog jpeg libg++ libwww mad mikmod mmx mmxext motif mp3 mp4live mpeg mpeg2 musicbrainz ncurses nptl nptlonly ogg opengl oss pam pcre pdflib perl pic player png pppd python quicktime readline reflection sdk sdl session spl sse ssl tcltk tcpd theora tiff truetype truetype-fonts type1-fonts udev unicode userlocales vorbis win32codecs xine xml xml2 xorg xv xvid zlib userland_GNU kernel_linux elibc_glibc"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS, PORTDIR_OVERLAY
Comment 15 Thomas Cort (RETIRED) gentoo-dev 2006-05-28 08:18:55 UTC
amd64 stable.
Comment 16 Steve Arnold gentoo-dev 2006-05-28 11:20:59 UTC
Marked stable on x86, and versions prior to 3.7.3 removed.  Still several arches to go (which I can't test on) for complete stable on 3.8.2...
Comment 17 Mark Loeser (RETIRED) gentoo-dev 2006-05-28 11:26:04 UTC
compnerd: pretty pretty please let the x86 team handle our bugs in the future :)

Thanks
Comment 18 Mark Loeser (RETIRED) gentoo-dev 2006-05-28 11:35:26 UTC
Err, and by compnerd, I mean nerdboy...for some reason, I always mix you two up...
Comment 19 Samuli Suominen gentoo-dev 2006-05-28 13:22:55 UTC
Sorry about bugspam, removing CC..
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2006-05-28 14:07:08 UTC
hppa stable
Comment 21 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-30 09:51:24 UTC
GLSA 200605-17

Thanks everybody