iDefense reported to us a libtiff flaw discovered by Dan Rosenberg. Quoting description from iDefense advisory draft:
Remote exploitation of a stack buffer overflow vulnerability in
version 3.9.2 of LibTIFF, as included in various vendors' operating
system distributions, could allow an attacker to execute arbitrary
code with the privileges of the current user.
This vulnerability is due to insufficient bounds checking when copying
data into a stack allocated buffer. During the processing of a certain
EXIF tag a fixed sized stack buffer is used as a destination location
for a memory copy. This memory copy can cause the bounds of a stack
buffer to be overflown and this condition may lead to arbitrary code
Created attachment 419396 [details]
Patch from Frank Warmerdam (libtiff upstream)
Created attachment 422072 [details]
Unified context diff
Same thing as patch in comment #1, just with some extra context for future reference.
Not vulnerable. These issues did not affect the versions of libtiff as shipped with Red Hat Enterprise Linux 3, 4, or 5.
(In reply to comment #1)
> Created an attachment (id=419396) [details]
> Patch from Frank Warmerdam (libtiff upstream)
This patch is included in upstream version 3.9.4, libtiff/tif_dirread.c r184.108.40.206.
Public now via Ubuntu USN-954-1:
libtiff-3.9.4-1.fc12 has been submitted as an update for Fedora 12.
libtiff-3.9.4-1.fc13 has been submitted as an update for Fedora 13.
libtiff-3.9.4-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
libtiff-3.9.4-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.