Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 324885 (CVE-2010-1411) - <media-libs/tiff-{3.9.4,4.0.0_beta6}: Multiple integer overflows (CVE-2010-{1411,2065,2067,2233,2443,2481,2483,2596,2597,2630,2631})
Summary: <media-libs/tiff-{3.9.4,4.0.0_beta6}: Multiple integer overflows (CVE-2010-{1...
Status: RESOLVED FIXED
Alias: CVE-2010-1411
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-20 22:34 UTC by Samuli Suominen
Modified: 2012-09-23 18:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Samuli Suominen gentoo-dev 2010-06-20 22:34:17 UTC
2010-06-08  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

* libtiff/tif_fax3.c (Fax3SetupState): Avoid under-allocation of
  buffer due to integer overflow in TIFFroundup() and several other
  potential overflows.  In conjunction with the fix to TIFFhowmany(),
  fixes CVE-2010-1411.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1411

*tiff-3.9.4 (20 Jun 2010)

  20 Jun 2010; Samuli Suominen <ssuominen@gentoo.org> +tiff-3.9.4.ebuild:
  Version bump.

Current tiff-4.0_beta5 is ~arch is likely also vulnerable. To be honest, I don't understand why we have experimental beta in ~arch at all. It should at least be package.masked.
Comment 1 Samuli Suominen gentoo-dev 2010-06-21 22:09:25 UTC
test & stabilize:

=media-libs/tiff-3.9.4
Comment 2 Jeroen Roovers gentoo-dev 2010-06-22 01:20:28 UTC
Stable for HPPA.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-22 07:17:23 UTC
x86 stable
Comment 4 Christoph Mende (RETIRED) gentoo-dev 2010-06-23 16:26:04 UTC
amd64 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-06-25 18:37:47 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:51:55 UTC
Fixing whiteboard. If you want to, have a look at http://www.gentoo.org/security/en/vulnerability-policy.xml on how to set it.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:36:30 UTC
CVE-2010-1411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1411):
  Multiple integer overflows in the Fax3SetupState function in
  tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in
  ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4,
  allow remote attackers to execute arbitrary code or cause a denial of
  service (application crash) via a crafted TIFF file that triggers a
  heap-based buffer overflow.

Comment 8 Samuli Suominen gentoo-dev 2010-07-03 22:52:52 UTC
ppc64 stable
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 01:07:31 UTC
Marked ppc stable.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:32:27 UTC
Added to glsa for #307001.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:12:17 UTC
CVE-2010-2065 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2065):
  Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted TIFF file that triggers a
  buffer overflow.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:13:35 UTC
CVE-2010-2067 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2067):
  Stack-based buffer overflow in the TIFFFetchSubjectDistance function in
  tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a
  denial of service (application crash) or possibly execute arbitrary code via
  a long EXIF SubjectDistance field in a TIFF file.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:17:18 UTC
CVE-2010-2233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2233):
  tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used in
  ImageMagick, does not properly perform vertical flips, which allows remote
  attackers to cause a denial of service (application crash) or possibly
  execute arbitrary code via a crafted TIFF image, related to "downsampled
  OJPEG input."
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:19:13 UTC
CVE-2010-2443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2443):
  The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9.3
  allows remote attackers to cause a denial of service (NULL pointer
  dereference and application crash) via an OJPEG image with undefined strip
  offsets, related to the TIFFVGetField function.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:26:16 UTC
CVE-2010-2481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2481):
  The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle
  unknown tag types in TIFF directory entries, which allows remote attackers
  to cause a denial of service (out-of-bounds read and application crash) via
  a crafted TIFF file.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:28:24 UTC
CVE-2010-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2483):
  The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to
  cause a denial of service (out-of-bounds read and application crash) via a
  TIFF file with an invalid combination of SamplesPerPixel and Photometric
  values.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:29:19 UTC
CVE-2010-2631 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2631):
  LibTIFF 3.9.0 ignores tags in certain situations during the first stage of
  TIFF file processing and does not properly handle this during the second
  stage, which allows remote attackers to cause a denial of service
  (application crash) via a crafted file, a different vulnerability than
  CVE-2010-2481.

CVE-2010-2630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2630):
  The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly validate
  the data types of codec-specific tags that have an out-of-order position in
  a TIFF file, which allows remote attackers to cause a denial of service
  (application crash) via a crafted file, a different vulnerability than
  CVE-2010-2481.

CVE-2010-2597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2597):
  The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes
  incorrect calls to the TIFFGetField function, which allows remote attackers
  to cause a denial of service (application crash) via a crafted TIFF image,
  related to "downsampled OJPEG input" and possibly related to a compiler
  optimization that triggers a divide-by-zero error.

CVE-2010-2596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2596):
  The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as
  used in tiff2ps, allows remote attackers to cause a denial of service
  (assertion failure and application exit) via a crafted TIFF image, related
  to "downsampled OJPEG input."
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 18:46:17 UTC
This issue was resolved and addressed in
 GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml
by GLSA coordinator Sean Amoss (ackle).