BugTraq
[ MDVSA-2012:174 ] libtiff Nov 22 2012 02:33PM
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:174
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libtiff
Date : November 22, 2012
Affected: 2011., Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities was found and corrected in libtiff:

Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3
allows remote attackers to cause a denial of service (application
crash) and possibly execute arbitrary code via a crafted TIFF image
using the PixarLog Compression format (CVE-2012-4447).

ppm2tiff does not check the return value of the TIFFScanlineSize
function, which allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via a crafted PPM image
that triggers an integer overflow, a zero-memory allocation, and a
heap-based buffer overflow (CVE-2012-4564).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2011:
1c3b7205e5c9c032c342b3cffdaaa4e0 2011/i586/libtiff3-3.9.5-1.4-mdv2011.0.i586.rpm
01033b253d303aacc572a55202ecdbda 2011/i586/libtiff-devel-3.9.5-1.4-mdv2011.0.i586.rpm
bfe4f6d0387874084596b8ba4d503229 2011/i586/libtiff-progs-3.9.5-1.4-mdv2011.0.i586.rpm
fa39228d1a7ab0fea42beda812651976 2011/i586/libtiff-static-devel-3.9.5-1.4-mdv2011.0.i586.rpm
23dfc5da956a6b0a20fa8a22a9eeb3c0 2011/SRPMS/libtiff-3.9.5-1.4.src.rpm

Mandriva Linux 2011/X86_64:
fd52f90d6f819996e58193b261cdb27b 2011/x86_64/lib64tiff3-3.9.5-1.4-mdv2011.0.x86_64.rpm
d818311ad57d872948357a9265e1fbfa 2011/x86_64/lib64tiff-devel-3.9.5-1.4-mdv2011.0.x86_64.rpm
fca4bcdb23487d73da93f88107d051e1 2011/x86_64/lib64tiff-static-devel-3.9.5-1.4-mdv2011.0.x86_64.rpm
b7ebfba2f1c200c0946582fdff7bb1ff 2011/x86_64/libtiff-progs-3.9.5-1.4-mdv2011.0.x86_64.rpm
23dfc5da956a6b0a20fa8a22a9eeb3c0 2011/SRPMS/libtiff-3.9.5-1.4.src.rpm

Mandriva Enterprise Server 5:
157bb1f11666282583f7fccb899ea8d0 mes5/i586/libtiff3-3.8.2-12.9mdvmes5.2.i586.rpm
5f674bd895134e591a9fa5e59b311d62 mes5/i586/libtiff3-devel-3.8.2-12.9mdvmes5.2.i586.rpm
2bd89b0b77b0ec1ae01189baa798d522 mes5/i586/libtiff3-static-devel-3.8.2-12.9mdvmes5.2.i586.rpm
c53d009a1d82b7be97e4405f422e2e0f mes5/i586/libtiff-progs-3.8.2-12.9mdvmes5.2.i586.rpm
e5181e34b5feb4ca18a0498d29065cb5 mes5/SRPMS/libtiff-3.8.2-12.9mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
62dd7b0a037b19d7d95aff18d8dd9291 mes5/x86_64/lib64tiff3-3.8.2-12.9mdvmes5.2.x86_64.rpm
28a4bd37d769b3136fcc31f7d64bf67b mes5/x86_64/lib64tiff3-devel-3.8.2-12.9mdvmes5.2.x86_64.rpm
a19fd768a016968b5b733ee0e29f1bb9 mes5/x86_64/lib64tiff3-static-devel-3.8.2-12.9mdvmes5.2.x86_64.rpm
bd7688430b424fcfdea1c73a2b5696de mes5/x86_64/libtiff-progs-3.8.2-12.9mdvmes5.2.x86_64.rpm
e5181e34b5feb4ca18a0498d29065cb5 mes5/SRPMS/libtiff-3.8.2-12.9mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQrgq2mqjQ0CJFipgRAkByAJ0diVceShgchgAtC0eezhdmEq96DACfbGBz
F9ViBvaHWjx2gEEl9A/dRVE=
=bIj/
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus