Bug 194362 (CVE-2006-2193)

Summary: CVE-2006-2193 tiff2pdf buffer overflow
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Tom Lane <tgl>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: medium    
Version: unspecifiedCC: hhorak, kreilly, mmalik
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-09 09:40:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 458814, 458815    
Bug Blocks:    

Description Josh Bressers 2006-06-07 15:15:54 UTC 
tiff2pdf buffer overflow

A buffer overflow flaw has been found in tiff2pdf.
Thomas Biege told vendor-sec about this (it came from a colleague of
his)

The code in question is as such:

char buffer[5];
...
sprintf(buffer, "\\%.3o", pdfstr[i]);


pdfstr[i] is signed char, therefore would write \37777777741
Comment 3 Jindrich Novy 2006-09-05 12:54:54 UTC 
Fixed since libtiff-3.8.2-6.fc6
Comment 5 Fedora Update System 2006-09-05 14:26:33 UTC 
libtiff-3.8.2-1.fc5 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 6 Mark J. Cox 2007-08-21 11:20:49 UTC 
moving to security response product -- should we decide to fix this in a future
update we'll create the appropriate tracking bugs with flags for rhel4.
Comment 8 Red Hat Product Security 2009-01-09 09:40:09 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0848.html