Bug 510041 (CVE-2009-2347)
| Summary: | CVE-2009-2347 libtiff: integer overflows in various inter-color spaces conversion tools (crash, ACE) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | jlieskov, mvadkert, security-response-team, tgl | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2010-07-08 16:19:44 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 507722, 507723, 507724, 507725, 507726, 809169 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Comment 7
Jan Lieskovsky
2009-07-10 12:24:06 UTC
Created attachment 351312 [details]
revised patch
The original patch missed two out of three places with the same bug in
tiff2rgba. (I looked around for additional occurrences and didn't find any,
though I can't swear there are none.) Also, I checked with Frank Warmerdam who
disapproved of letting the tools/ files use tiffiop.h, so the revised patch
does not use _TIFFCheckMalloc. Some other cleanup too, mostly around being
careful if size_t is wider than 32 bits and not claiming that
possibly-perfectly-legal files are "malformed".
libtiff-3.8.2-14.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/libtiff-3.8.2-14.fc11 libtiff-3.8.2-14.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libtiff-3.8.2-14.fc10 Filed upstream as http://bugzilla.maptools.org/show_bug.cgi?id=2079 MITRE's CVE record (CVE-2009-2347): Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr. References: ----------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2347 http://www.securityfocus.com/archive/1/archive/1/504892/100/0/threaded http://www.ocert.org/advisories/ocert-2009-012.html http://article.gmane.org/gmane.linux.debian.devel.changes.unstable/178563/ http://bugzilla.maptools.org/show_bug.cgi?id=2079 http://www.mandriva.com/security/advisories?name=MDVSA-2009:150 http://www.securityfocus.com/bid/35652 http://secunia.com/advisories/35817 http://secunia.com/advisories/35817 This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1159 https://rhn.redhat.com/errata/RHSA-2009-1159.html libtiff-3.8.2-14.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. libtiff-3.8.2-14.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. |