Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 440154 (CVE-2012-4447) - <media-libs/tiff-{3.9.7,4.0.3-r2} : Buffer overflow vulnerability (CVE-2012-4447)
Summary: <media-libs/tiff-{3.9.7,4.0.3-r2} : Buffer overflow vulnerability (CVE-2012-4...
Status: RESOLVED FIXED
Alias: CVE-2012-4447
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2013-1960
Blocks:
  Show dependency tree
 
Reported: 2012-10-29 18:58 UTC by GLSAMaker/CVETool Bot
Modified: 2014-02-21 15:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-10-29 18:58:06 UTC
CVE-2012-4447 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4447):
  Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows
  remote attackers to cause a denial of service (application crash) and
  possibly execute arbitrary code via a crafted TIFF image using the PixarLog
  Compression format.


graphics: Is 4.0.3 ready for stabilization?
Comment 1 Samuli Suominen gentoo-dev 2012-10-30 06:59:11 UTC
(In reply to comment #0)
> graphics: Is 4.0.3 ready for stabilization?

yes, but does this affect 3.x series too? 

do note that 3.x doesn't install any of the tools, only the plain library .so which is why the security bug before this had no impact on 3.x for us.
Comment 2 Samuli Suominen gentoo-dev 2013-05-02 23:43:48 UTC
(In reply to comment #1)
> (In reply to comment #0)
> > graphics: Is 4.0.3 ready for stabilization?
> 
> yes, but does this affect 3.x series too? 

it did, and is fixed in 3.9.7 in the old slot
Comment 3 Samuli Suominen gentoo-dev 2013-05-03 00:05:03 UTC
I was wrong.   This is now fixed in 4.0.3-r2 with a upstream patch.
Comment 4 Chris Reffett gentoo-dev Security 2013-09-11 04:02:45 UTC
Added to GLSA draft. @maintainers: cleanup please.
Comment 5 Samuli Suominen gentoo-dev 2013-09-11 07:29:47 UTC
(In reply to Chris Reffett from comment #4)
> Added to GLSA draft. @maintainers: cleanup please.

What cleanup is that? There isn't a single .ebuild of tiff in tree that we could remove.
Comment 6 Sergey Popov gentoo-dev Security 2013-09-11 08:16:11 UTC
(In reply to Samuli Suominen from comment #5)
> (In reply to Chris Reffett from comment #4)
> > Added to GLSA draft. @maintainers: cleanup please.
> 
> What cleanup is that? There isn't a single .ebuild of tiff in tree that we
> could remove.

4.0.2-r1 ? It's stable only on m68k, we should proceed here somehow
Comment 7 Samuli Suominen gentoo-dev 2013-09-11 08:27:09 UTC
(In reply to Sergey Popov from comment #6)
> (In reply to Samuli Suominen from comment #5)
> > (In reply to Chris Reffett from comment #4)
> > > Added to GLSA draft. @maintainers: cleanup please.
> > 
> > What cleanup is that? There isn't a single .ebuild of tiff in tree that we
> > could remove.
> 
> 4.0.2-r1 ? It's stable only on m68k, we should proceed here somehow

IIRC, m68k is not an security supported arch so security@ shouldn't care
Comment 8 Chris Reffett gentoo-dev Security 2013-09-11 13:38:53 UTC
Okay then...guess we don't need cleanup.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 15:40:54 UTC
This issue was resolved and addressed in
 GLSA 201402-21 at http://security.gentoo.org/glsa/glsa-201402-21.xml
by GLSA coordinator Chris Reffett (creffett).