+++ This bug was initially created as a clone of Bug #189933 +++

Several libtiff issues were reported upstream in this bug:
http://bugzilla.remotesensing.org/show_bug.cgi?id=1102

Here is the changelog information for these issues (mangled to group issues together). The dates are as such:
2006-03-07 Andrey Kiselev <dron.edu>
2006-03-03 Andrey Kiselev <dron.edu>

Denial of service
-----------------
* libtiff/tif_dirread.c: Fixed error reporting in TIFFFetchAnyArray() function
* libtiff/{tif_lzw.c, tif_pixarlog.c, tif_zip.c}: Use TIFFPredictorCleanup() in codec cleanup methods.
* libtiff/{tif_jpeg.c, tif_pixarlog.c, tif_fax3.c, tif_zip.c}: Properly restore setfield/getfield methods in cleanup functions.
* libtiff/{tif_predict.c, tif_predict.h}: Added new function TIFFPredictorCleanup() to restore parent decode/encode/field methods.

Integer Overflow
----------------
* libtiff/tif_dirread.c: Fixed integer overflow condition in TIFFFetchData() function.
* libtiff/tif_dirread.c: More wise check for integer overflow condition

Double Free
-----------
* libtiff/{tif_jpeg.c, tif_pixarlog.c, tif_fax3.c, tif_zip.c}: Properly restore setfield/getfield methods in cleanup functions.

Only the tif_jpeg.c patch has been shown to cause a double free issue. This block is the same as the one in the DoS section, just copied here for the double free description.

The quick testing I did consisted of running tiffinfo over the reproducers in the upstream bug; only the attachments in comments #1, #2, and #4 crashed on FC4 (I didn't have a FC4 machine handy to test). A source analysis may be needed to verify all these issues.

-- Additional comment from bressers on 2006-04-25 17:20 EST --
Created an attachment (id=128227)
Patch extracted from upstream CVS
I have built
libtiff-3.5.7-30.el2.1 (RHEL2.1)
libtiff-3.5.7-25.el3.1 (RHEL3)
libtiff-3.6.1-10 (RHEL4)
with the fixes.
Can someone provide an update for FC3?
This was fixed in FEDORA-2006-474 for FC4 and FEDORA-2006-473 for FC5. Updates for FC3 will be handled by the Fedora Legacy project.