Bug 357271 (CVE-2011-0192) - <media-libs/tiff-3.9.4-r1: Heap-based buffer overflow in Fax4Decode (CVE-2011-0192)
Summary: <media-libs/tiff-3.9.4-r1: Heap-based buffer overflow in Fax4Decode (CVE-2011...
Status: RESOLVED FIXED
Alias: CVE-2011-0192
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://bugzilla.maptools.org/show_bug...
Whiteboard: A2 [glsa]
Blocks: CVE-2011-1167
Reported: 2011-03-03 21:25 UTC by Matthew Marlowe
Modified: 2012-09-23 18:46 UTC
CC: 4 users

Runtime testing required: ---

Attachments
Upstream patch for 3.9 (tiff-3.9.4-CVE-2011-0192.patch, 439 bytes, patch), 2011-03-21 06:17 UTC, Steve Arnold

Description Matthew Marlowe gentoo-dev 2011-03-03 21:25:51 UTC
Red Hat released patches for a new vulnerability in libtiff today that apparently impacts RHEL 4, 5 and 6, including tiff-3.9.4, which is currently the latest stable in the Gentoo Portage tree.

I'm not sure if we're impacted, but since the description of the vulnerability mentions that it could be remotely exploitable for webapps that allow visitors to upload images, it would seem to be something worth investigating and patching quickly if needed.

I searched Gentoo Bugzilla for any reference to the vulnerability or patches and couldn't find it, so I'm opening up a new one and cc'ing security and the package maintainer.

Here is some info:
https://bugzilla.redhat.com/show_bug.cgi?id=678635
https://rhn.redhat.com/errata/RHSA-2011-0318.html

Red Hat has the vulnerability listed as priority "important", which is relatively high as far as their announcements normally go.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-05 21:43:59 UTC
Thank you for the report.
Comment 2 Matthew Marlowe gentoo-dev 2011-03-17 05:59:56 UTC
Ubuntu also just released an update today for this vulnerability:

Ubuntu Security Notice USN-1085-2, March 15, 2011
tiff regression
https://launchpad.net/bugs/731540

Note that when RHEL released their notice, I couldn't actually find a patch or notice on the upstream site.

If we haven't already identified what needs to be updated, perhaps the Ubuntu vulnerability notice will have more info.

Anyhow, it's been 13 days since this was reported and it might be remotely exploitable, so it would be nice to get it fixed.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-17 10:30:58 UTC
I think there are some patches in http://bugzilla.maptools.org/show_bug.cgi?id=2297
Comment 4 Steve Arnold gentoo-dev 2011-03-21 06:17:24 UTC
Created attachment 266681
Upstream patch for 3.9

merged patch suitable to apply in 3.9. (571 bytes, patch)
2011-03-16 12:05, Frank Warmerdam
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-04-13 04:33:55 UTC
@graphics, Steve, just a friendly ping on this one.

Looks like upstream's 3.9.5 release will take care of a couple of issues for us... Renaming the existing ebuild correctly downloads and builds 3.9.5 here, fwiw (hardened amd64).

Thank you.
Comment 6 Steve Arnold gentoo-dev 2011-04-16 21:29:12 UTC
Done in 3.9.4-r1 (patched), 3.9.5 and 4.0 fixed upstream.
Comment 7 Steve Arnold gentoo-dev 2011-04-16 21:29:37 UTC
Sorry, habit...
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-04-16 21:49:13 UTC
(In reply to comment #7)
> Sorry, habit...

No prob, thanks for the bump.

Arches, please test and mark stable:
=media-libs/tiff-3.9.4-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-04-16 22:55:39 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > Sorry, habit...
> 
> No prob, thanks for the bump.
> 
> Arches, please test and mark stable:
> =media-libs/tiff-3.9.4-r1
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Looks like =media-libs/tiff-3.9.4-r1 went straight to stable. Was that intentional?
Comment 10 Alex Buell 2011-04-17 23:53:56 UTC
Already stable on SPARC, not proceeding any further. :)
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 03:39:40 UTC
Thanks, folks. GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 18:46:19 UTC
This issue was resolved and addressed in
GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml
by GLSA coordinator Sean Amoss (ackle).