Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 307001 - <media-libs/tiff-3.9.2-r1: Fix for CVE-2009-2347 incomplete
Summary: <media-libs/tiff-3.9.2-r1: Fix for CVE-2009-2347 incomplete
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2010-02-26 20:25 UTC by Samuli Suominen
Modified: 2012-09-23 18:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Samuli Suominen gentoo-dev 2010-02-26 20:25:00 UTC
This is a portion of the patch we were carrying for CVE-2009-2347 in 3.8.2.
Unfortunately the upstream fix in 3.9.2 is incomplete, so we still need this

Original bug for this CVE:

Upstream bug reported by Fedora: 

The missing piece of the fix:
Comment 1 Samuli Suominen gentoo-dev 2010-02-26 20:31:43 UTC
+*tiff-3.9.2-r1 (26 Feb 2010)
+  26 Feb 2010; Samuli Suominen <> +tiff-3.9.2-r1.ebuild,
+  +files/tiff-3.9.2-CVE-2009-2347.patch:
+  Fix CVE-2009-2347 again wrt security #307001.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-26 21:31:51 UTC
Nice catch, Samuli, thanks!

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-02-27 10:12:24 UTC
x86 stable
Comment 4 Brent Baude (RETIRED) gentoo-dev 2010-03-01 14:42:09 UTC
ppc64 done
Comment 5 Jeroen Roovers gentoo-dev 2010-03-02 02:37:05 UTC
Stable for HPPA.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-03-04 19:41:44 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 7 Markus Meier gentoo-dev 2010-03-07 15:07:08 UTC
amd64 stable
Comment 8 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 21:46:36 UTC
Marked ppc stable.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-18 00:16:11 UTC
GLSA request filed.
Please don't forget "all arches done", it will easy bug handling for the security team.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 18:46:15 UTC
This issue was resolved and addressed in
 GLSA 201209-02 at
by GLSA coordinator Sean Amoss (ackle).