Bug 75213 - media-libs/tiff: version 3.7.1 fixes integer overflows
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High major
Assignee: Gentoo Security
Whiteboard: A2 [glsa] koon
Depends on: 75423
Reported: 2004-12-21 10:42 UTC by Thierry Carrez (RETIRED)
Modified: 2005-01-12 17:46 UTC
Description Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 10:42:44 UTC
Two iDEFENSE advisories should go out soon:

- libtiff STRIPOFFSETS Integer Overflow Vulnerability
- LibTIFF Directory Entry Count Integer Overflow Vulnerability

Both are fixed in upstream release 3.7.1

nerdboy: This is still semi-public, so please don't talk about it (should be public in a few hours) but please submit a new 3.7.1 ebuild silently referencing this bug.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 11:04:05 UTC
Note to self, this might also affect:

- PDFLib (includes modified libtiff)
- kfax (includes libtiff code)
- xv (might need to be rebuilt with a new libtiff.a)
Comment 2 Steve Arnold gentoo-dev 2004-12-21 14:41:02 UTC
Okay, new ebuild going in portage now.  Should I remove the old ones and mark the 
new 3.7.1 version stable on all arches?  I'm about to commit it as ~arch, and 
I'll be right back after I go turn the grades in...
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-12-21 14:51:25 UTC
This issue is now public

arches, please mark stable.
Comment 4 Mike Doty (RETIRED) gentoo-dev 2004-12-21 16:55:22 UTC
stable on amd64
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-22 05:01:10 UTC
sparc stable.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-12-22 07:28:11 UTC
Hmm I think we'll hold on this one a little.

Apparently the 'libtiff STRIPOFFSETS Integer' is a subset of CAN-2004-0886 that has already been fixed by GLSA 200410-11.

The other one would not be exploitable except for a crash. However there is another one coming.

Removing arches for the time being, as we probably will commit a -r1 with a patch.
Comment 7 Steve Arnold gentoo-dev 2004-12-22 11:12:18 UTC
I'm not sure how to link these in bugzilla, but this bug 75316 seems to have been 
introduced with the new 3.7.1 release.  I'm still researching it, so that's all 
I know so far.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-12-23 02:49:06 UTC
Test image for the "LibTIFF Directory Entry Count Integer Overflow" Vulnerability
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-12-27 09:10:23 UTC
LibTIFF Directory Entry Count Integer Overflow Vulnerability is CAN-2004-1308, see DSA 617-1.

If work doesn't progress on the other libtiff-related vuln, we'll probably go on and release an updated tiff with only this one. Steve, you might prefer us to wait so that you get time to sort out bug 75316 before we start asking arches to test again. Keep us posted.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-01-01 11:31:52 UTC
No progress on the other security issue, better unblocking this one.

Calling back arches to test and mark stable. Please pay special attention to possible transparency issues to see if you reproduce bug 75316.
Comment 11 Steve Arnold gentoo-dev 2005-01-01 20:36:09 UTC
The transparency bug has bitten at least two windowmaker users (confirmed via 
independent tools) so if you can, it might be better to wait and get it all 
sorted out at once.  I'm not sure if transparent faxes are a big deal, but 
there are probably other applications with a bigger need for transparency 
than security is a risk.  Or we can do it piecemeal...
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2005-01-02 06:44:39 UTC
stable on ppc64
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-02 08:00:21 UTC
Stable on alpha.
Comment 14 Steve Arnold gentoo-dev 2005-01-02 18:21:04 UTC
Fixes for both 75316 and 75423 are in -r1.  I guess everyone gets to test and 
mark stable as you can.  Thanks in advance.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-01-03 00:29:28 UTC
Arches: please test and mark 3.7.1-r1 stable. It's just 3.7.1 + a bugfix on the transparency issue and a fix on the tiffdump utility.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2005-01-03 00:52:49 UTC
stable on ppc64
Comment 17 Joe Jezak (RETIRED) gentoo-dev 2005-01-03 05:08:36 UTC
Tested and marked ppc stable.
Comment 18 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-03 06:33:33 UTC
sparc stable.
Comment 19 Olivier Crete (RETIRED) gentoo-dev 2005-01-03 21:26:30 UTC
x86 there
Comment 20 Hardave Riar (RETIRED) gentoo-dev 2005-01-04 01:03:36 UTC
Stable on mips.
Comment 21 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-04 02:34:05 UTC
Stable on alpha.
Comment 22 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-04 04:47:58 UTC
stable amd64.
Comment 23 Lina Pezzella (RETIRED) gentoo-dev 2005-01-04 18:12:28 UTC
Stable ppc-macos.
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-01-05 14:08:42 UTC
GLSA 200501-06
arm hppa ia64 s390: please remember to mark stable to benefit from GLSA.