Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200505-07 ] libTIFF: Buffer overflow
Date: Tue, 10 May 2005 20:07:02
Message-Id: 200505102207.04063.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200505-07
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: libTIFF: Buffer overflow
9 Date: May 10, 2005
10 Bugs: #91584
11 ID: 200505-07
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 The libTIFF library is vulnerable to a buffer overflow, potentially
19 resulting in the execution of arbitrary code.
20
21 Background
22 ==========
23
24 libTIFF provides support for reading and manipulating TIFF (Tag Image
25 File Format) images.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 media-libs/tiff < 3.7.2 >= 3.7.2
34
35 Description
36 ===========
37
38 Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
39 stack based buffer overflow in the libTIFF library when reading a TIFF
40 image with a malformed BitsPerSample tag.
41
42 Impact
43 ======
44
45 Successful exploitation would require the victim to open a specially
46 crafted TIFF image, resulting in the execution of arbitrary code.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All libTIFF users should upgrade to the latest version:
57
58 # emerge --sync
59 # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.7.2"
60
61 References
62 ==========
63
64 [ 1 ] LIBTIFF BUG#863
65 http://bugzilla.remotesensing.org/show_bug.cgi?id=843
66
67 Availability
68 ============
69
70 This GLSA and any updates to it are available for viewing at
71 the Gentoo Security Website:
72
73 http://security.gentoo.org/glsa/glsa-200505-07.xml
74
75 Concerns?
76 =========
77
78 Security is a primary focus of Gentoo Linux and ensuring the
79 confidentiality and security of our users machines is of utmost
80 importance to us. Any security concerns should be addressed to
81 security@g.o or alternatively, you may file a bug at
82 http://bugs.gentoo.org.
83
84 License
85 =======
86
87 Copyright 2005 Gentoo Foundation, Inc; referenced text
88 belongs to its owner(s).
89
90 The contents of this document are licensed under the
91 Creative Commons - Attribution / Share Alike license.
92
93 http://creativecommons.org/licenses/by-sa/2.0