Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Full Disclosure: Full-Disclosure

[ MDVSA-2012:127 ] libtiff

 

 

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded


security at mandriva

Aug 8, 2012, 5:58 AM

Post #1 of 1 (173 views)
Permalink
[ MDVSA-2012:127 ] libtiff

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:127
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libtiff
Date : August 8, 2012
Affected: 2011., Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability was found and corrected in libtiff:

A heap-based buffer overflow flaw was found in the way tiff2pdf, a
TIFF image to a PDF document conversion tool, of libtiff, a library
of functions for manipulating TIFF (Tagged Image File Format) image
format files, performed write of TIFF image content into particular PDF
document file, when not properly initialized T2P context struct pointer
has been provided by tiff2pdf (application requesting the conversion)
as one of parameters for the routine performing the write. A remote
attacker could provide a specially-crafted TIFF image format file,
that when processed by tiff2pdf would lead to tiff2pdf executable
crash or, potentially, arbitrary code execution with the privileges
of the user running the tiff2pdf binary (CVE-2012-3401).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3401
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2011:
415c8a711e94429c4187a4620f9d3eec 2011/i586/libtiff3-3.9.5-1.3-mdv2011.0.i586.rpm
b99c8d1bfa16a1158a3e03692ba56335 2011/i586/libtiff-devel-3.9.5-1.3-mdv2011.0.i586.rpm
a96608f5fae7aa711d1b64cbc76ca752 2011/i586/libtiff-progs-3.9.5-1.3-mdv2011.0.i586.rpm
11a1fb628ef761d33294aef1eff34565 2011/i586/libtiff-static-devel-3.9.5-1.3-mdv2011.0.i586.rpm
9a9505df7408b0c75192ac502fd18504 2011/SRPMS/libtiff-3.9.5-1.3.src.rpm

Mandriva Linux 2011/X86_64:
c18a5d5069de99d93b3411998e6960d0 2011/x86_64/lib64tiff3-3.9.5-1.3-mdv2011.0.x86_64.rpm
e326395e5ddf305ac322d1c57f436cd4 2011/x86_64/lib64tiff-devel-3.9.5-1.3-mdv2011.0.x86_64.rpm
c8de4431798dcbd235c82e8764d348ad 2011/x86_64/lib64tiff-static-devel-3.9.5-1.3-mdv2011.0.x86_64.rpm
ba66bfb07baed4c0848a64c2b7d94183 2011/x86_64/libtiff-progs-3.9.5-1.3-mdv2011.0.x86_64.rpm
9a9505df7408b0c75192ac502fd18504 2011/SRPMS/libtiff-3.9.5-1.3.src.rpm

Mandriva Enterprise Server 5:
3e94f2cd1306ce817f03b9e0d383d87a mes5/i586/libtiff3-3.8.2-12.8mdvmes5.2.i586.rpm
c08735b0c0f665235f422b05b59aaaae mes5/i586/libtiff3-devel-3.8.2-12.8mdvmes5.2.i586.rpm
fad7566f026aefd3fbae97f48e02aa91 mes5/i586/libtiff3-static-devel-3.8.2-12.8mdvmes5.2.i586.rpm
1b5263306ed5890541f2ebcd5374aad9 mes5/i586/libtiff-progs-3.8.2-12.8mdvmes5.2.i586.rpm
4c0ee36afa646eaeaae78bdf425c399d mes5/SRPMS/libtiff-3.8.2-12.8mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
09c6eddf7c45e53fe672c40fdefc7f6f mes5/x86_64/lib64tiff3-3.8.2-12.8mdvmes5.2.x86_64.rpm
7cde1e5ae217118a09ab14b898e59563 mes5/x86_64/lib64tiff3-devel-3.8.2-12.8mdvmes5.2.x86_64.rpm
af9cb316c7a9a130267d089c1cfd64a5 mes5/x86_64/lib64tiff3-static-devel-3.8.2-12.8mdvmes5.2.x86_64.rpm
2a716b33ff39a3518f57a4757c6c585c mes5/x86_64/libtiff-progs-3.8.2-12.8mdvmes5.2.x86_64.rpm
4c0ee36afa646eaeaae78bdf425c399d mes5/SRPMS/libtiff-3.8.2-12.8mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQIjWKmqjQ0CJFipgRAu9aAKCFPFCguG+r8YzSC6NoNbuJqDHbowCfSCaK
zRjfu/1Oe46lSLkAwaBsCqM=
=3KUE
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.