Bug 11281

Summary: libtiff new security issue CVE-2013-4243
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/568128/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
Source RPM: libtiff-4.0.3-4.2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-09-24 18:57:23 CEST 
OpenSuSE has issued an advisory today (September 24):
http://lists.opensuse.org/opensuse-updates/2013-09/msg00053.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated libtiff packages fix security vulnerability:

A possible heap-based buffer overflow flaw was found in the readgifimage()
function in gif2tiff, a tool to convert GIF images to TIFF. A remote attacker
could provide a specially-crafted GIF file that, when processed by gif2tiff,
would cause gif2tiff to crash or, potentially, execute arbitrary code with the
privileges of the user running gif2tiff (CVE-2013-4243).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243
http://lists.opensuse.org/opensuse-updates/2013-09/msg00053.html
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.1-2.9.mga2
libtiff5-4.0.1-2.9.mga2
libtiff-devel-4.0.1-2.9.mga2
libtiff-static-devel-4.0.1-2.9.mga2
libtiff-progs-4.0.3-4.3.mga3
libtiff5-4.0.3-4.3.mga3
libtiff-devel-4.0.3-4.3.mga3
libtiff-static-devel-4.0.3-4.3.mga3

from SRPMS:
libtiff-4.0.1-2.9.mga2.src.rpm
libtiff-4.0.3-4.3.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-09-24 18:57:46 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 Dave Hodgins 2013-09-24 20:28:49 CEST 
Advisory 11281.adv committed to svn.

CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2013-09-24 21:04:05 CEST 
No poc, that I could find, so just testing that various programs from
libtiff-progs work ok. Testing both releases, both arches shortly.
Comment 3 Dave Hodgins 2013-09-24 21:40:06 CEST 
Testing complete both releases, both arches.

Someone from the sysadmin team please push 11281.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2013-09-24 23:47:07 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0291.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED