Redhat released patches for a new vulnerability in libtiff today that apparently impacts RHEL 4,5,6, including tiff-3.9.4 which is currently the latest stable in the gentoo portage tree. I'm not sure if we're impacted, but since the description of the vulnerability mentions that it could be remotely exploitable for webapps that allow visitors to upload images, it would seem to be something worth investigating and patching quickly if needed. I search gentoo bugzilla for any reference of the vulnerability or patches and couldn't find it, so I'm opening up a new one and cc'ing security and the package maintainer. Here is some info: https://bugzilla.redhat.com/show_bug.cgi?id=678635 https://rhn.redhat.com/errata/RHSA-2011-0318.html RedHat has the vulnerability listed as priority "important" which is relatively high as far as their announcements normally go.
Thank you for the report.
Ubuntu also just released an update today for this vulnerability: Ubuntu Security Notice USN-1085-2 March 15, 2011 tiff regression https://launchpad.net/bugs/731540 Note that when RHEL released their notice, I couldn't actually find a patch or notice on the upstream site. If we haven't already identified what needs to be updated, perhaps the ubuntu vulnerability will have more info. Anyhow, it's been 13 days since this was reported and it might be remotely exploitable, so it would be nice to get fixed.
I think there are some patches in http://bugzilla.maptools.org/show_bug.cgi?id=2297
Created attachment 266681 [details, diff] Upstream patch for 3.9 merged patch suitable to apply in 3.9. (571 bytes, patch) 2011-03-16 12:05, Frank Warmerdam
@graphics, Steve, just a friendly ping on this one. Looks like upstream's 3.9.5 release will take care of a couple of issues for us... Renaming the existing ebuild correctly downloads and build 3.9.5 here, fwiw (hardened amd64). Thank you.
Done in 3.9.4-r1 (patched), 3.9.5 and 4.0 fixed upstream.
Sorry, habit...
(In reply to comment #7) > Sorry, habit... No prob, thanks for the bump. Arches, please test and mark stable: =media-libs/tiff-3.9.4-r1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
(In reply to comment #8) > (In reply to comment #7) > > Sorry, habit... > > No prob, thanks for the bump. > > Arches, please test and mark stable: > =media-libs/tiff-3.9.4-r1 > Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" Looks like =media-libs/tiff-3.9.4-r1 went straight to stable. Was that intentional?
Already stable on SPARC, not proceeding any further. :)
Thanks, folks. GLSA request filed.
This issue was resolved and addressed in GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml by GLSA coordinator Sean Amoss (ackle).
