Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 480466 (CVE-2013-4231) - <media-libs/tiff-4.0.3-r4: Multiple vulnerabilities (CVE-2013-{4231,4232})
Summary: <media-libs/tiff-4.0.3-r4: Multiple vulnerabilities (CVE-2013-{4231,4232})
Status: RESOLVED FIXED
Alias: CVE-2013-4231
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-10 09:45 UTC by Agostino Sarubbo
Modified: 2014-02-21 15:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-08-10 09:45:25 UTC
From ${URL} :

  Pedro Ribeiro has recently reported the following five security
flaws being present in the tools of TIFF library:
  [1] http://www.asmail.be/msg0055359936.html

While they are present in the tools (=> not that urgent like they
would be in the library itself), there's been CVE ids assigned
in the past for TIFF library tools issues too. To mention some examples:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1961
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1960
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3401

Since there doesn't seem to be CVE identifiers assigned for these
[1] issues yet, could you allocate them?

FWIW regarding the patches and upstream bugs - if my information
is up2date, there aren't upstream bugs and patches for these issues
yet.



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Samuli Suominen gentoo-dev 2013-08-23 14:55:08 UTC
in tree:

+*tiff-4.0.3-r4 (23 Aug 2013)
+*tiff-4.0.3-r5 (23 Aug 2013)
+
+  23 Aug 2013; Samuli Suominen <ssuominen@gentoo.org>
+  +files/tiff-4.0.3-CVE-2013-4231.patch, +files/tiff-4.0.3-CVE-2013-4232.patch,
+  +tiff-4.0.3-r4.ebuild, +tiff-4.0.3-r5.ebuild:
+  Fix for CVE-2013-4231 (and CVE-2013-4232) from upstream. See security bug
+  #480466. The -r4 is for stabilization without multilib-minimal.eclass usage.
Comment 2 Samuli Suominen gentoo-dev 2013-08-23 14:57:13 UTC
Arch's, please test and stabilize:

=media-libs/tiff-4.0.3-r4 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 3 Jeroen Roovers gentoo-dev 2013-08-23 15:37:48 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-23 19:25:25 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-23 19:25:53 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-08-24 12:35:16 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-24 15:54:46 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-26 16:57:20 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-08-28 12:07:07 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-08-28 12:07:41 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-08-28 12:08:17 UTC
s390 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-08-28 12:09:06 UTC
sh stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-08-28 12:10:12 UTC
sparc stable
Comment 14 Sergey Popov gentoo-dev 2013-09-02 10:34:16 UTC
Thanks for your work

GLSA request filed
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-09-11 01:52:14 UTC
CVE-2013-4232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4232):
  Use-after-free vulnerability in the t2p_readwrite_pdf_image function in
  tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial
  of service (crash) or possible execute arbitrary code via a crafted TIFF
  image.
Comment 16 Agostino Sarubbo gentoo-dev 2013-09-28 20:56:26 UTC
M68K is not anymore a stable arch, removing it from the cc list
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 14:07:03 UTC
CVE-2013-4231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4231):
  Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to
  cause a denial of service (out-of-bounds write) via a crafted (1) extension
  block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a
  long filename for a TIFF image to tools/rgb2ycbcr.c.  NOTE: vectors 1 and 3
  are disputed by Red Hat, which states that the input cannot exceed the
  allocated buffer size.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 15:41:04 UTC
This issue was resolved and addressed in
 GLSA 201402-21 at http://security.gentoo.org/glsa/glsa-201402-21.xml
by GLSA coordinator Chris Reffett (creffett).