A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF
image to PDF document conversion tool of libtiff, a library of
functions for manipulating TIFF (Tagged Image File Format) image format
files, performed the write of TIFF image content into a particular PDF
document file, when a not properly initialized T2P context struct pointer
was provided by tiff2pdf (the application requesting the conversion)
as one of the parameters for the routine performing the write. A remote
attacker could provide a specially-crafted TIFF image format file that,
when processed by tiff2pdf, would lead to a tiff2pdf executable crash or,
potentially, arbitrary code execution with the privileges of the user
running the tiff2pdf binary.
This issue has been assigned CVE-2012-3401.
The relevant patch for the issue has been applied to upstream
Thanks for the report, taaroa.
From oss-sec mailing list thread (http://www.openwall.com/lists/oss-security/2012/07/19/4):
"I know that 3.9.x up to the latest 4.0.2 are affected.
Older versions may be affected as well, I am not sure
The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF
4.0.2 and earlier does not properly initialize the T2P context struct
pointer in certain error conditions, which allows context-dependent
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted TIFF image that triggers a heap-based buffer
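The failure pattern described above (an init routine that leaves the T2P context in an unusable state on an error path, and a write routine that then trusts it) modeled in C as an added illustrative example. This is not libtiff's code and not the upstream fix; the T2P, t2p_error, FakeTiff and model_* names are stand-ins chosen for this example, and the 64-byte output buffer is a constructed size.

```c
#include <stdint.h>
#include <string.h>

typedef enum { T2P_ERR_OK = 0, T2P_ERR_ERROR = 1 } t2p_err_t;

/* Stand-in for the T2P context (hypothetical, only the fields this model needs). */
typedef struct {
    t2p_err_t t2p_error;     /* set on every failed initialization path */
    uint32_t  tiff_width;
    uint32_t  tiff_length;
    size_t    tiff_datasize; /* bytes the writer may emit into its PDF buffer */
} T2P;

/* Constructed stand-in for the TIFF fields the init routine would read from a file. */
typedef struct { uint32_t width; uint32_t length; int has_dims; } FakeTiff;

/* Init routine: on an error condition, flag the context instead of leaving it half-filled. */
static void model_read_tiff_init(T2P *t2p, const FakeTiff *tif) {
    memset(t2p, 0, sizeof *t2p);          /* never hand the writer stale field values */
    if (!tif->has_dims) { t2p->t2p_error = T2P_ERR_ERROR; return; }
    if (tif->width != 0 && tif->length > SIZE_MAX / tif->width) {
        t2p->t2p_error = T2P_ERR_ERROR;   /* width * length would overflow size_t */
        return;
    }
    t2p->tiff_width    = tif->width;
    t2p->tiff_length   = tif->length;
    t2p->tiff_datasize = (size_t)tif->width * tif->length;
}

/* Write routine: refuses a context whose init did not complete, and bounds the copy.
 * Returns the number of bytes written, or 0 when it refused. */
static size_t model_write_pdf(T2P *t2p, unsigned char *out, size_t outlen) {
    if (t2p->t2p_error != T2P_ERR_OK) return 0;
    if (t2p->tiff_datasize > outlen) { t2p->t2p_error = T2P_ERR_ERROR; return 0; }
    memset(out, 0xff, t2p->tiff_datasize); /* stands in for emitting image data */
    return t2p->tiff_datasize;
}

/* Helpers for exercising the model: init status alone, and a full conversion into a 64-byte buffer. */
static t2p_err_t model_init_status(const FakeTiff *tif) {
    T2P t2p;
    model_read_tiff_init(&t2p, tif);
    return t2p.t2p_error;
}

static size_t model_convert(const FakeTiff *tif) {
    unsigned char pdfbuf[64];
    T2P t2p;
    model_read_tiff_init(&t2p, tif);
    return model_write_pdf(&t2p, pdfbuf, sizeof pdfbuf);
}
```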
Fixed by 4.0.2-r1. Please test and stabilize:
=media-libs/tiff-4.0.2-r1 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
(In reply to comment #3)
> Fixed by 4.0.2-r1.
Thanks, Samuli. Would you be able to provide a patched 3.9.5, also? (Unless we can drop that slot?)
(In reply to comment #5)
> (In reply to comment #3)
> > Fixed by 4.0.2-r1.
> Thanks, Samuli. Would you be able to provide a patched 3.9.5, also? (Unless
> we can drop that slot?)
The bug is in tools/tiff2pdf.c and we don't install any tools with the older SLOT, which is only for 2 binary-only programs in Portage: one from sci-* and the other is net-im/skype with USE=qt-static enabled.
So I'd say we are good as is.
Stable for HPPA.
Already on existing GLSA draft.
Maintainers, please clean up vulnerable version.
This issue was resolved and addressed in
GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml
by GLSA coordinator Sean Amoss (ackle).
(In reply to comment #10)
> Maintainers, please clean up vulnerable version.