From the Secunia security advisory at $URL:
A vulnerability has been reported in LibTIFF, which can be exploited by malicious people to compromise an application using the library.
The vulnerability is caused due to an integer overflow error in the "gtTileSeparate()" function (libtiff/tif_getimage.c) when parsing images. This can be exploited to cause a heap-based buffer overflow via a specially crafted image.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 3.9.4. Other versions may also be affected.
This vulnerability is also confirmed in the latest upstream stable version (4.0.1).
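Added illustration, not part of this bug report and not libtiff's own code: the advisory describes an integer overflow when the tile buffer size is computed before allocation. The model below (hypothetical helpers, names are mine) shows the unchecked pattern, where a 32-bit tile size multiplied by the 3 (RGB) or 4 (RGBA) sample count wraps so that a crafted tile yields a tiny heap allocation that later per-plane copies overrun, next to an overflow-checked version that rejects the file instead. The tile size type is modelled as unsigned 32-bit for clarity; libtiff's real tsize_t is a typedef that differs across versions and platforms.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a 32-bit tile size (simplification: unsigned so that
   wrap-around is well defined in C; this is not libtiff's tsize_t). */
typedef uint32_t tile_size32;

/* Unchecked size computation: the pattern the advisory describes.
   samples is 3 (RGB) or 4 (RGBA). The product wraps modulo 2^32. */
static tile_size32 buf_size_unchecked(tile_size32 tilesize, unsigned samples)
{
    return (tile_size32)(samples * tilesize);
}

/* Checked variant: returns 0 when the product would not fit in 32 bits,
   so the caller can refuse the image instead of allocating a short buffer. */
static tile_size32 buf_size_checked(tile_size32 tilesize, unsigned samples)
{
    if (tilesize == 0 || samples == 0)
        return 0;
    if (tilesize > UINT32_MAX / samples)   /* would wrap */
        return 0;
    return tilesize * samples;
}

/* Derive a tile's byte size from crafted header fields the same careful way:
   tile_width * tile_length * bytes_per_sample, each step overflow-checked.
   Returns 0 on overflow or on a zero dimension. */
static tile_size32 tile_size_checked(uint32_t tw, uint32_t th, uint32_t bps_bytes)
{
    if (tw == 0 || th == 0 || bps_bytes == 0)
        return 0;
    if (tw > UINT32_MAX / th)
        return 0;
    uint32_t pixels = tw * th;
    if (pixels > UINT32_MAX / bps_bytes)
        return 0;
    return pixels * bps_bytes;
}

/* Allocate the per-plane scratch buffer for a separate-plane tile, failing
   closed on any overflow. Returns NULL when the image must be rejected. */
static unsigned char *alloc_tile_buffer(uint32_t tw, uint32_t th,
                                        uint32_t bps_bytes, int alpha,
                                        size_t *out_size)
{
    tile_size32 tilesize = tile_size_checked(tw, th, bps_bytes);
    tile_size32 total = buf_size_checked(tilesize, alpha ? 4u : 3u);
    if (total == 0)
        return NULL;
    *out_size = total;
    return calloc(1, total);
}

int main(void)
{
    /* Constructed "crafted" tile size: 0x40000001 bytes per plane. With four
       planes the unchecked product is 0x100000004, which wraps to 4 bytes. */
    tile_size32 crafted = 0x40000001u;
    printf("unchecked RGBA buffer for 0x%08x: %u bytes\n",
           crafted, buf_size_unchecked(crafted, 4));
    printf("checked   RGBA buffer for 0x%08x: %u (0 = rejected)\n",
           crafted, buf_size_checked(crafted, 4));

    size_t n = 0;
    unsigned char *ok = alloc_tile_buffer(256, 256, 3, 1, &n);
    printf("sane 256x256 RGB tile, alpha: %s, %zu bytes\n",
           ok ? "allocated" : "rejected", n);
    free(ok);

    unsigned char *bad = alloc_tile_buffer(0x10000, 0x10000, 1, 1, &n);
    printf("65536x65536 tile: %s\n", bad ? "allocated" : "rejected");
    free(bad);
    return 0;
}
```

The point a reviewer would check in the real parser is that every multiplication feeding an allocation size is guarded like buf_size_checked above, and that the later copy loops use the same checked size rather than recomputing it from the untrusted header.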
@security: Notice that tiff now also has 2 SLOTs, of which the old one is binary-only, like libpng. So we need to patch 2 SLOTs. This is for 3.9.5 from Fedora:
Test & stabilize:
=media-libs/tiff-3.9.5-r2 "amd64 x86" (special binary only slot, with only 1 depend in tree, only amd64 and x86 need this)
=media-libs/tiff-4.0.1-r1 "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Archtested on x86: Everything OK.
For both media-libs/tiff-3.9.5-r2 and media-libs/tiff-4.0.1-r1:
- Both compile successfully.
- Rdeps successfully compile and test phases pass.
- Performed manual runtime testing of several applications that link against media-libs/tiff, all function appropriately.
x86 stable, thanks Dan
Stable for HPPA.
Thanks, everyone. Already on existing GLSA request which is ready for review.
Multiple integer overflows in tif_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
This issue was resolved and addressed in
GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml
by GLSA coordinator Sean Amoss (ackle).