lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1OhSKn-0006Pe-Mk@titan.mandriva.com>
Date: Fri, 06 Aug 2010 21:12:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:146 ] libtiff

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:146
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libtiff
 Date    : August 6, 2010
 Affected: 2010.0, 2010.1
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in libtiff:
 
 The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in
 ImageMagick, does not properly handle invalid ReferenceBlackWhite
 values, which allows remote attackers to cause a denial of service
 (application crash) via a crafted TIFF image that triggers an array
 index error, related to downsampled OJPEG input. (CVE-2010-2595)
 
 Multiple integer overflows in the Fax3SetupState function in tif_fax3.c
 in the FAX3 decoder in LibTIFF before 3.9.3 allow remote attackers to
 execute arbitrary code or cause a denial of service (application crash)
 via a crafted TIFF file that triggers a heap-based buffer overflow
 (CVE-2010-1411).
 
 Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3
 allows remote attackers to cause a denial of service (application
 crash) or possibly execute arbitrary code via a crafted TIFF file
 that triggers a buffer overflow (CVE-2010-2065).
 
 The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers
 to cause a denial of service (out-of-bounds read and application crash)
 via a TIFF file with an invalid combination of SamplesPerPixel and
 Photometric values (CVE-2010-2483).
 
 The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2
 makes incorrect calls to the TIFFGetField function, which allows
 remote attackers to cause a denial of service (application crash) via
 a crafted TIFF image, related to downsampled OJPEG input and possibly
 related to a compiler optimization that triggers a divide-by-zero error
 (CVE-2010-2597).
 
 The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly
 handle unknown tag types in TIFF directory entries, which allows
 remote attackers to cause a denial of service (out-of-bounds read
 and application crash) via a crafted TIFF file (CVE-2010-248).
 
 Stack-based buffer overflow in the TIFFFetchSubjectDistance function
 in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to
 cause a denial of service (application crash) or possibly execute
 arbitrary code via a long EXIF SubjectDistance field in a TIFF file
 (CVE-2010-2067).
 
 tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as
 used in ImageMagick, does not properly perform vertical flips, which
 allows remote attackers to cause a denial of service (application
 crash) or possibly execute arbitrary code via a crafted TIFF image,
 related to downsampled OJPEG input. (CVE-2010-2233).
 
 LibTIFF 3.9.4 and earlier does not properly handle an invalid
 td_stripbytecount field, which allows remote attackers to cause a
 denial of service (NULL pointer dereference and application crash)
 via a crafted TIFF file, a different vulnerability than CVE-2010-2443
 (CVE-2010-2482).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2595
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1411
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2065
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2483
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2597
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2481
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2067
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2233
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2482
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.0:
 ceb7febb41b948977f6196b5bf31d538  2010.0/i586/libtiff3-3.9.1-4.1mdv2010.0.i586.rpm
 d38ee02dca1666e8d8f7c628e9debcbe  2010.0/i586/libtiff-devel-3.9.1-4.1mdv2010.0.i586.rpm
 e022bf3d3badddd3c480b4143a8cc2ec  2010.0/i586/libtiff-progs-3.9.1-4.1mdv2010.0.i586.rpm
 6f18f9ce3d9582ea3f6f9ddd7b1680d8  2010.0/i586/libtiff-static-devel-3.9.1-4.1mdv2010.0.i586.rpm 
 69aa854e6935c2d111e44e84225f6f69  2010.0/SRPMS/libtiff-3.9.1-4.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 3965284cc51603cfdc0d9420104b8fd3  2010.0/x86_64/lib64tiff3-3.9.1-4.1mdv2010.0.x86_64.rpm
 2768094532f4d1941ef66bae6da6ea15  2010.0/x86_64/lib64tiff-devel-3.9.1-4.1mdv2010.0.x86_64.rpm
 2e08c6517abcf34dab75040fbee15212  2010.0/x86_64/lib64tiff-static-devel-3.9.1-4.1mdv2010.0.x86_64.rpm
 3c81e78d3c389abcc370add6af857d12  2010.0/x86_64/libtiff-progs-3.9.1-4.1mdv2010.0.x86_64.rpm 
 69aa854e6935c2d111e44e84225f6f69  2010.0/SRPMS/libtiff-3.9.1-4.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 0ddf3e069a91387a7d85ad5aacd1dd81  2010.1/i586/libtiff3-3.9.2-2.1mdv2010.1.i586.rpm
 53d5d64cb3bb34a78d52776d42e0ed16  2010.1/i586/libtiff-devel-3.9.2-2.1mdv2010.1.i586.rpm
 e549b78e6658cb9a408454bf698e2ead  2010.1/i586/libtiff-progs-3.9.2-2.1mdv2010.1.i586.rpm
 821179322f86ba6dcc96dd6afc48fd0f  2010.1/i586/libtiff-static-devel-3.9.2-2.1mdv2010.1.i586.rpm 
 31563b8124d1953b9c8849e0a63f5422  2010.1/SRPMS/libtiff-3.9.2-2.1mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 e858e4c72c5191395d4db7f994ffd7c4  2010.1/x86_64/lib64tiff3-3.9.2-2.1mdv2010.1.x86_64.rpm
 6bdce5697bc818f57cb56d22ce989b30  2010.1/x86_64/lib64tiff-devel-3.9.2-2.1mdv2010.1.x86_64.rpm
 daaf9562d71e8076e87578f25b8dbebe  2010.1/x86_64/lib64tiff-static-devel-3.9.2-2.1mdv2010.1.x86_64.rpm
 36d9eef4dd2739944f05fe7edd4e76f8  2010.1/x86_64/libtiff-progs-3.9.2-2.1mdv2010.1.x86_64.rpm 
 31563b8124d1953b9c8849e0a63f5422  2010.1/SRPMS/libtiff-3.9.2-2.1mdv2010.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMXDLBmqjQ0CJFipgRAsxuAJ9WAKaIXwvgmXJzs8W+fgn2/2+E/gCg9RT9
1DtIJJ4PJJj+9xrl7Yhsyw8=
=Ov4p
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ