Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 371308 (CVE-2009-5022) - <media-libs/tiff-3.9.5: Multiple vulnerabilities (CVE-2009-5022,CVE-2010-{2482,2595,3087,4665},CVE-2011-{0192,1167})
Summary: <media-libs/tiff-3.9.5: Multiple vulnerabilities (CVE-2009-5022,CVE-2010-{248...
Status: RESOLVED FIXED
Alias: CVE-2009-5022
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.remotesensing.org/libtiff/...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-12 20:43 UTC by Tim Sammut (RETIRED)
Modified: 2012-09-23 18:46 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-06-12 20:43:43 UTC
The libtiff changelog at $URL includes several security related fixes, including:

# libtiff/tif_jpeg.c, libtiff/tif_strip.c: apply patch for CVE-2010-3087 per bug http://bugzilla.maptools.org/show_bug.cgi?id=2140 
# libtiff/tif_color.c: prevent crash in handling bad TIFFs resolves CVE-2010-2595 http://bugzilla.maptools.org/show_bug.cgi?id=2208 
# libtiff/tif_fax3.h: Protect against a fax VL(n) codeword commanding a move left. Without this, a malicious input file can generate an indefinitely large series of runs without a0 ever reaching the right margin, thus overrunning our buffer of run lengths. Per CVE-2011-0192. This is a modified version of a patch proposed by Drew Yao of Apple Product Security. It adds an unexpected() report, and disallows the equality case, since emitting a run without increasing a0 still allows buffer overrun. 
# libtiff/tif_thunder.c: Correct potential buffer overflow with thunder encoded files with wrong bitspersample set. The libtiff development team would like to thank Marin Barbella and TippingPoint's Zero Day Initiative for reporting this vulnerability (ZDI-CAN-1004, CVE-2011-1167). http://bugzilla.maptools.org/show_bug.cgi?id=2300 
# libtiff/tif_ojpeg.c: fix buffer overflow on problem data http://bugzilla.maptools.org/show_bug.cgi?id=1999 

@graphics, @nerdboy, can we move forward with stabilizing 3.9.5? Thanks.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 02:05:24 UTC
CVE-2009-5022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5022):
  Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibTIFF
  before 3.9.5 allows remote attackers to execute arbitrary code via a crafted
  TIFF file.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-07-11 23:37:37 UTC
CVE-2010-3087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3087):
  LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote attackers to
  cause a denial of service (memory corruption) or possibly execute arbitrary
  code via a crafted TIFF image.

CVE-2010-2595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2595):
  The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in
  ImageMagick, does not properly handle invalid ReferenceBlackWhite values,
  which allows remote attackers to cause a denial of service (application
  crash) via a crafted TIFF image that triggers an array index error, related
  to "downsampled OJPEG input."
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-11 09:49:32 UTC
Maintainer timed out.

Arches, please test and mark stable:
=media-libs/tiff-3.9.5
target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Myckel Habets 2011-09-11 18:31:21 UTC
Builds fine on x86. Tested with shutterbug rdep and converted the tiff image to pdf with tiff2pdf. Please mark stable for x86.
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-09-11 20:35:04 UTC
Archtested on x86: Everything fine
Comment 6 Agostino Sarubbo gentoo-dev 2011-09-12 12:40:31 UTC
amd64 ok
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-12 14:36:24 UTC
ppc/ppc64 stable
Comment 8 Andreas Schürch gentoo-dev 2011-09-13 06:05:01 UTC
x86 stable, thanks Myckel and JD!
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-09-13 09:37:00 UTC
amd64 done. Thanks Agostino
Comment 10 Jeroen Roovers gentoo-dev 2011-09-13 17:18:38 UTC
Stable for HPPA.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-09-17 13:01:23 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 18:47:54 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:27:19 UTC
CVE-2010-2482 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2482):
  LibTIFF 3.9.4 and earlier does not properly handle an invalid
  td_stripbytecount field, which allows remote attackers to cause a denial of
  service (NULL pointer dereference and application crash) via a crafted TIFF
  file, a different vulnerability than CVE-2010-2443.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:33:27 UTC
CVE-2010-4665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4665):
  Integer overflow in the ReadDirectory function in tiffdump.c in tiffdump in
  LibTIFF before 3.9.5 allows remote attackers to cause a denial of service
  (application crash) or possibly have unspecified other impact via a crafted
  TIFF file containing a directory data structure with many directory entries.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 18:46:25 UTC
This issue was resolved and addressed in
 GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml
by GLSA coordinator Sean Amoss (ackle).