Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200608-07 ] libTIFF: Multiple vulnerabilities
Date: Fri, 04 Aug 2006 23:02:00
Message-Id: 200608050040.42605.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200608-07
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: libTIFF: Multiple vulnerabilities
9 Date: August 04, 2006
10 Bugs: #142383
11 ID: 200608-07
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 libTIFF contains several vulnerabilities that could result in arbitrary
19 code execution.
20
21 Background
22 ==========
23
24 libTIFF provides support for reading and manipulating TIFF images.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 media-libs/tiff < 3.8.2-r2 >= 3.8.2-r2
33
34 Description
35 ===========
36
37 Tavis Ormandy of the Google Security Team discovered several heap and
38 stack buffer overflows and other flaws in libTIFF. The affected parts
39 include the TIFFFetchShortPair(), TIFFScanLineSize() and
40 EstimateStripByteCounts() functions, and the PixarLog and NeXT RLE
41 decoders.
42
43 Impact
44 ======
45
46 A remote attacker could entice a user to open a specially crafted TIFF
47 file, resulting in the possible execution of arbitrary code.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All libTIFF users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=media-libs/tiff-3.8.2-r2"
61
62 References
63 ==========
64
65 [ 1 ] CVE-2006-3459
66 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
67 [ 2 ] CVE-2006-3460
68 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460
69 [ 3 ] CVE-2006-3461
70 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461
71 [ 4 ] CVE-2006-3462
72 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462
73 [ 5 ] CVE-2006-3463
74 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463
75 [ 6 ] CVE-2006-3464
76 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464
77 [ 7 ] CVE-2006-3465
78 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465
79
80 Availability
81 ============
82
83 This GLSA and any updates to it are available for viewing at
84 the Gentoo Security Website:
85
86 http://security.gentoo.org/glsa/glsa-200608-07.xml
87
88 Concerns?
89 =========
90
91 Security is a primary focus of Gentoo Linux and ensuring the
92 confidentiality and security of our users machines is of utmost
93 importance to us. Any security concerns should be addressed to
94 security@g.o or alternatively, you may file a bug at
95 http://bugs.gentoo.org.
96
97 License
98 =======
99
100 Copyright 2006 Gentoo Foundation, Inc; referenced text
101 belongs to its owner(s).
102
103 The contents of this document are licensed under the
104 Creative Commons - Attribution / Share Alike license.
105
106 http://creativecommons.org/licenses/by-sa/2.5
Report Message
Find on MARC Find on Google Groups