Bug 486590 (CVE-2013-4244) - <media-libs/tiff-4.0.3-r6: Denial of Service/Arbitrary Code Execution (CVE-2013-4244)
Status: RESOLVED FIXED
Alias: CVE-2013-4244
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Reported: 2013-09-30 16:24 UTC by GLSAMaker/CVETool Bot
Modified: 2014-02-21 15:41 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2013-09-30 16:24:50 UTC
CVE-2013-4244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4244):
  The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier
  allows context-dependent attackers to cause a denial of service
  (out-of-bounds write and crash) or possibly execute arbitrary code via a
  crafted GIF image.

Patch available at http://bugzilla.maptools.org/show_bug.cgi?id=2452
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-02-04 16:28:35 UTC
Fixed in -r6, please test and stabilize:

=media-libs/tiff-4.0.3-r6 (every stable arch)
=media-libs/tiff-3.9.7-r1 (amd64 and x86 only, special SLOT)

Thank you.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-04 22:55:29 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-02-06 06:05:24 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-02-06 06:05:44 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-09 08:19:00 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-09 08:23:48 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-09 08:27:05 UTC
sparc stable
Comment 8 Akinori Hattori gentoo-dev 2014-02-11 15:10:41 UTC
ia64 stable
Comment 9 Sergey Popov gentoo-dev 2014-02-14 06:43:03 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-02-16 07:34:56 UTC
alpha stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2014-02-16 19:44:48 UTC
Added to existing GLSA draft.

Maintainer(s), please clean up.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-17 20:28:24 UTC
Cleanup done by ssuominen.
Comment 13 Samuli Suominen (RETIRED) gentoo-dev 2014-02-19 17:19:05 UTC
The bug was only in 4.0.3-r6, since 3.9.7-r1 is a special SLOT that only installs the lib and doesn't involve the code of this bug.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 15:41:07 UTC
This issue was resolved and addressed in
 GLSA 201402-21 at http://security.gentoo.org/glsa/glsa-201402-21.xml
by GLSA coordinator Chris Reffett (creffett).