Bug 5236

Summary: libtiff new security issue CVE-2012-1173
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: libtiff-3.9.5-1.1.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-04-05 13:35:09 CEST
Mandriva has issued this advisory today:
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:054

Mageia 1 and Cauldron were affected.  Patched packages have been uploaded in both.

Advisory:
========================

Updated libtiff packages fix security vulnerability:

An integer overflow was discovered in the libtiff/tiff_getimage.c
file in the tiff library which could cause execution of arbitrary
code using a specially crafted TIFF image file (CVE-2012-1173).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:054
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-3.9.5-1.2.mga1
libtiff3-3.9.5-1.2.mga1
libtiff-devel-3.9.5-1.2.mga1
libtiff-static-devel-3.9.5-1.2.mga1

from libtiff-3.9.5-1.2.mga1.src.rpm
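The advisory names the bug class (an integer overflow in the RGBA tile/strip readers of libtiff's tif_getimage.c that turns a crafted tile size into an undersized buffer) without showing the mechanism. The following is an added illustration, not libtiff's code and not part of this bug report: it models the allocation-size computation with a 32-bit signed tsize_t (the width libtiff 3.9.x uses), shows the unchecked multiply beside an overflow-checked one of the kind the upstream fix introduced, and reports whether the reader's per-plane copy would overrun the buffer instead of actually writing out of bounds. The function names, the four-plane count and the constructed tile sizes are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of the buffer-sizing step in a separated-plane RGBA
 * tile reader.  Added example code, not libtiff's.  libtiff 3.9.x sizes
 * buffers with a 32-bit signed tsize_t, which is what makes the wrap below
 * possible; this typedef reproduces that width. */
typedef int32_t tsize_t;

/* Vulnerable pattern: planes * tilesize with no overflow check.  The product
 * is formed in 32 bits, so a file-controlled tilesize near 2^30 turns four
 * planes into a tiny (or negative) allocation size.  The unsigned cast only
 * keeps the wrap well-defined for this demo; the result is the same. */
tsize_t unsafe_bufsize(tsize_t planes, tsize_t tilesize)
{
    return (tsize_t)((uint32_t)planes * (uint32_t)tilesize);
}

/* Hardened form: return 0 when the product would not fit tsize_t, so the
 * caller rejects the file before allocating anything. */
tsize_t safe_bufsize(tsize_t planes, tsize_t tilesize)
{
    if (planes <= 0 || tilesize <= 0)
        return 0;
    if (tilesize > INT32_MAX / planes)
        return 0;                           /* would overflow */
    return planes * tilesize;
}

enum tile_result { TILE_OK = 0, TILE_REJECTED = 1, TILE_HEAP_OVERFLOW = 2 };

/* Models allocate-then-copy: the reader copies tilesize bytes per plane into
 * the buffer sized by bufsize().  It only reports whether that copy would stay
 * in bounds; it never performs the out-of-bounds write itself. */
enum tile_result read_tile(tsize_t (*bufsize)(tsize_t, tsize_t),
                           tsize_t planes, tsize_t tilesize)
{
    tsize_t alloc = bufsize(planes, tilesize);
    if (alloc <= 0)
        return TILE_REJECTED;   /* 0 from the safe path; a negative product fails at malloc */
    uint64_t needed = (uint64_t)planes * (uint64_t)tilesize;
    if (needed > (uint64_t)alloc)
        return TILE_HEAP_OVERFLOW;          /* copy loop would run past the buffer */
    unsigned char *buf = malloc((size_t)alloc);
    if (buf == NULL)
        return TILE_REJECTED;
    memset(buf, 0, (size_t)alloc);          /* stand-in for the per-plane copies */
    free(buf);
    return TILE_OK;
}

int main(void)
{
    /* Constructed inputs: a 256x256 8-bit tile, and an attacker-chosen
     * tilesize that wraps to 4 when multiplied by four planes. */
    const tsize_t benign = 256 * 256;
    const tsize_t crafted = 0x40000001;
    printf("benign : unsafe=%d safe=%d\n",
           (int)read_tile(unsafe_bufsize, 4, benign),
           (int)read_tile(safe_bufsize, 4, benign));
    printf("crafted: unsafe=%d safe=%d  (2 = heap overflow, 1 = rejected)\n",
           (int)read_tile(unsafe_bufsize, 4, crafted),
           (int)read_tile(safe_bufsize, 4, crafted));
    return 0;
}
```

The crafted size 0x40000001 times four planes is 0x100000004, which truncates to 4: the unchecked path allocates four bytes and then copies four planes of a gigabyte each, the shape of the heap overflow the advisory describes. The checked path returns 0 and the file is refused.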
Comment 1 Dave Hodgins 2012-04-06 05:10:11 CEST
Testing complete on i586 for the srpm
libtiff-3.9.5-1.2.mga1.src.rpm

No PoC, so just testing converting a bmp to tiff using bmp2tiff,
using tiffinfo, and xv on the resulting image.

CC: (none) => davidwhodgins

Comment 2 Manuel Hiebel 2012-04-11 02:29:46 CEST
Testing complete on x86_64


Suggested Advisory:
-------------
Updated libtiff packages fix security vulnerability:

An integer overflow was discovered in the libtiff/tiff_getimage.c
file in the tiff library which could cause execution of arbitrary
code using a specially crafted TIFF image file (CVE-2012-1173).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:054

https://bugs.mageia.org/show_bug.cgi?id=5236#c1
-------------

SRPM: libtiff-3.9.5-1.2.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 3 Thomas Backlund 2012-04-11 21:59:03 CEST
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED