Bug 135881 - media-libs/tiff: <=3.8.2 : buffer overflows in tiff2pdf and in tiffsplit (CVE-2006-2193, CVE-2006-2656)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: A2 [glsa] Falco
Duplicates: 135021
Depends on: 135021
Reported: 2006-06-07 03:01 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2019-12-25 20:02 UTC

tiffsplit patch yanked from debian (tiff-3.8.2-tiffsplit.patch,646 bytes, patch)
2006-06-09 16:54 UTC, Steve Arnold

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-07 03:01:44 UTC
Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might allow attackers to execute arbitrary code via a long filename.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-07 03:02:33 UTC
waiting for 3.8.3 or vendor patch
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-08 02:32:24 UTC
another one, same version

CVE-2006-2193 == SA20488

gpe92 has discovered a vulnerability in LibTIFF, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

The vulnerability is caused due to a boundary error within tiff2pdf when handling a TIFF file with a "DocumentName" tag that contains UTF-8 characters. This can be exploited to cause a stack-based buffer overflow and may allow arbitrary code execution.

The vulnerability has been confirmed in version 3.8.2. Other versions may also be affected.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-08 03:48:04 UTC
sorry for the mistake
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-08 21:10:55 UTC
Debian apparently fixed this with DSA-1091-1.
Comment 5 Steve Arnold archtester gentoo-dev 2006-06-09 16:54:37 UTC
Created attachment 88805
tiffsplit patch yanked from debian
Comment 6 Steve Arnold archtester gentoo-dev 2006-06-09 16:59:54 UTC
I also have a rather large patch for tiff2pdf (from upstream CVS v. 1.35, where current tiff2pdf.c from 3.8.2 corresponds to CVS v. 1.30). It fixes bug #135021, along with several other issues, some of them security-related, e.g.:

revision 1.35
date: 2006/06/08 11:27:11;  author: dron;  state: Exp;  lines: +226 -155
More fixes for character type safety.
revision 1.34
date: 2006/06/08 10:45:35;  author: dron;  state: Exp;  lines: +8 -7
Fixed buffer overflow condition in t2p_write_pdf_string() as per bug
revision 1.33
date: 2006/04/21 15:09:34;  author: dron;  state: Exp;  lines: +92 -92
Unified line ending characters (always use '\n') as per bug
revision 1.32
date: 2006/04/20 12:36:23;  author: dron;  state: Exp;  lines: +12 -1
Properly set the binary mode for stdin stream as per bug
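
Added example, not part of the bug thread and not libtiff's source: a constructed C illustration of how the UTF-8 "DocumentName" overflow in Comment 2 relates to the "character type safety" fixes listed in Comment 6, assuming an escaper that octal-encodes bytes with a printf-style `\%.3o`. The names `escape_len_signed`, `escape_len_unsigned` and `pdf_escape` are hypothetical; the first two only measure output length, and `pdf_escape` is a bounds-checked version.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration; assumes 32-bit int. Measures (never writes) the
 * length of an octal escape when the byte is treated as a signed char:
 * 0xE1 becomes -31, widens to 0xFFFFFFE1 and prints as 11 octal digits. */
static int escape_len_signed(signed char c) {
    return snprintf(NULL, 0, "\\%.3o", (unsigned int)(int)c);
}

/* Same escape with the byte widened as unsigned char: always "\ooo". */
static int escape_len_unsigned(signed char c) {
    return snprintf(NULL, 0, "\\%.3o", (unsigned int)(unsigned char)c);
}

/* Bounds-checked escaper: writes src as a PDF literal string "(...)" into
 * dst. Returns the length written, or -1 if dst cannot hold the result. */
static int pdf_escape(const char *src, size_t n, char *dst, size_t cap) {
    size_t o = 0;
    if (cap < 3) return -1;                  /* "(", ")" and NUL */
    dst[o++] = '(';
    for (size_t i = 0; i < n; i++) {
        unsigned char b = (unsigned char)src[i];
        if (b >= 0x80 || b < 0x20 || b == 0x7f || b == '(' || b == ')' || b == '\\') {
            if (cap - o < 6) return -1;      /* 4 escape chars + ")" + NUL */
            o += (size_t)snprintf(dst + o, cap - o, "\\%.3o", (unsigned int)b);
        } else {
            if (cap - o < 3) return -1;      /* 1 char + ")" + NUL */
            dst[o++] = (char)b;
        }
    }
    dst[o++] = ')';
    dst[o] = '\0';
    return (int)o;
}

int main(void) {
    const char name[] = "caf\xc3\xa9";       /* constructed UTF-8 sample */
    char out[32];
    printf("signed: %d bytes, unsigned: %d bytes\n",
           escape_len_signed((signed char)0xE1), escape_len_unsigned((signed char)0xE1));
    if (pdf_escape(name, strlen(name), out, sizeof out) > 0) puts(out);
    return 0;
}
```

For the byte 0xE1 the signed path produces 12 characters and the unsigned path 4, so a buffer sized for a `\ooo` escape only holds the latter.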
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-09 23:39:04 UTC
*** Bug 135021 has been marked as a duplicate of this bug. ***
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-18 03:25:32 UTC
Most distros have already issued advisories. We're late.
Is someone on the graphics team able to patch or bump?
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 08:50:36 UTC
Graphics please provide an updated ebuild.
Comment 10 Steve Arnold archtester gentoo-dev 2006-07-05 00:22:48 UTC
Sorry, I already fixed it (and even asked about it at the time).  There were several other bugs waiting...
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-05 02:34:56 UTC
Thx Steve.
Comment 12 Fabian Groffen gentoo-dev 2006-07-05 09:33:40 UTC
ppc-macos stable
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-09 09:38:34 UTC
GLSA 200607-03