Bug 7885

Summary: libtiff new security issue CVE-2012-4447
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: goetz.waschk, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/520740/
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK MGA2-64-OK mga2-32-OK
Source RPM: libtiff-4.0.1-2.2.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-10-23 15:58:22 CEST 
Debian has issued an advisory on October 21:
http://www.debian.org/security/2012/dsa-2561

Mageia 1 and Mageia 2 are also affected.
Comment 1 David Walser 2012-10-23 17:51:05 CEST 
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated libtiff packages fix security vulnerability:

It was discovered that a buffer overflow in libtiff's parsing of files
using PixarLog compression could lead to the execution of arbitrary
code (CVE-2012-4447).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447
http://www.debian.org/security/2012/dsa-2561
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-3.9.5-1.6.mga1
libtiff3-3.9.5-1.6.mga1
libtiff-devel-3.9.5-1.6.mga1
libtiff-static-devel-3.9.5-1.6.mga1
libtiff-progs-4.0.1-2.3.mga2
libtiff5-4.0.1-2.3.mga2
libtiff-devel-4.0.1-2.3.mga2
libtiff-static-devel-4.0.1-2.3.mga2

from SRPMS:
libtiff-3.9.5-1.6.mga1.src.rpm
libtiff-4.0.1-2.3.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA1TOO

Comment 2 Götz Waschk 2012-10-24 09:59:10 CEST 
With the update, tiff support is still working fine.

CC: (none) => goetz.waschk
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK

Comment 3 claire robinson 2012-10-24 11:18:41 CEST 
Procedure here: https://wiki.mageia.org/en/QA_procedure:Libtiff

Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO has_procedure MGA2-64-OK

Comment 4 claire robinson 2012-10-24 11:23:07 CEST 
No PoC's
Comment 5 claire robinson 2012-10-29 15:49:49 CET 
testing mga2 32
Comment 6 claire robinson 2012-10-29 15:58:25 CET 
Testing complete mga2 32

Whiteboard: MGA1TOO has_procedure MGA2-64-OK => MGA1TOO has_procedure MGA2-64-OK mga2-32-OK

Comment 7 claire robinson 2012-10-29 17:54:19 CET 
testing complete mga1 32

Whiteboard: MGA1TOO has_procedure MGA2-64-OK mga2-32-OK => MGA1TOO has_procedure mga1-32-OK MGA2-64-OK mga2-32-OK

Comment 8 claire robinson 2012-10-29 19:11:12 CET 
Testing complete mga1 64

Validating

Advisory and srpms in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga1-32-OK MGA2-64-OK mga2-32-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK MGA2-64-OK mga2-32-OK

Comment 9 Thomas Backlund 2012-10-29 19:34:22 CET 
Update pushed:

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 10 Thomas Backlund 2012-10-29 19:37:00 CET 
(In reply to comment #9)
> Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0317