Bug 8087

Summary: libtiff new security issue CVE-2012-4564
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: Normal
CC: sysadmin-bugs, tmb
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/525259/
Whiteboard: MGA1TOO has_procedure mga2-32-OK mga2-64-OK mga1-32-OK mga1-64-OK
Source RPM: libtiff-4.0.1-2.3.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-11-15 19:41:01 CET
Ubuntu has issued an advisory today (November 15):
http://www.ubuntu.com/usn/usn-1631-1/

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated libtiff packages fix security vulnerability:

ppm2tiff does not check the return value of the TIFFScanlineSize function,
which allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code via a crafted PPM image that triggers an
integer overflow, a zero-memory allocation, and a heap-based buffer overflow
(CVE-2012-4564).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564
http://www.ubuntu.com/usn/usn-1631-1/
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-3.9.5-1.7.mga1.x86_64.rpm
libtiff3-3.9.5-1.7.mga1
libtiff-devel-3.9.5-1.7.mga1
libtiff-static-devel-3.9.5-1.7.mga1
libtiff-progs-4.0.1-2.4.mga2
libtiff5-4.0.1-2.4.mga2
libtiff-devel-4.0.1-2.4.mga2
libtiff-static-devel-4.0.1-2.4.mga2

from SRPMS:
libtiff-3.9.5-1.7.mga1.src.rpm
libtiff-4.0.1-2.4.mga2.src.rpm
David Walser 2012-11-15 19:41:06 CET

Whiteboard: (none) => MGA1TOO
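The advisory in comment 0 describes a bug class rather than a single line: a size-computing call that reports failure by returning 0 is used directly as an allocation size, and the row length taken from the untrusted header is then copied into that (empty) buffer. The C below is an added illustration for this report, not libtiff's or ppm2tiff's own code. model_scanline_size is a hypothetical stand-in for TIFFScanlineSize (it returns 0 when the byte count does not fit a 32-bit size, as the 3.9.x API did on error), convert_row_unchecked shows the unchecked pattern the advisory names, and convert_row_checked shows one hardened form: treat 0 as an error and require the scanline size to cover the row before touching memory. The sample row is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for TIFFScanlineSize(): bytes needed for one
 * scanline, or 0 when width * samples * bits-per-sample does not fit the
 * 32-bit size type. This models the API contract, not libtiff's internals. */
static uint32_t model_scanline_size(uint32_t width, uint16_t spp, uint16_t bps)
{
    uint64_t bits = (uint64_t)width * spp * bps;   /* 64-bit product, cannot wrap here */
    uint64_t bytes = (bits + 7) / 8;
    if (bytes == 0 || bytes > UINT32_MAX)
        return 0;                                  /* error: size not representable */
    return (uint32_t)bytes;
}

/* The pattern the advisory describes: the return value is used unchecked as
 * the allocation size, while the copy length comes from the PPM header. If
 * the size call returned 0 the buffer is empty and memcpy writes past it.
 * Kept here only for comparison; call it with sane dimensions only. */
static int convert_row_unchecked(uint32_t width, uint16_t spp, uint16_t bps,
                                 const unsigned char *row, size_t rowlen)
{
    unsigned char *buf = malloc(model_scanline_size(width, spp, bps));
    if (buf == NULL)
        return -1;
    memcpy(buf, row, rowlen);   /* rowlen may exceed the buffer: heap overflow */
    free(buf);
    return 0;
}

/* Hardened form: 0 is an error, and the scanline size must cover the row
 * length derived from the header before any memory is written.
 * Returns 0 on success, -1 when the header is rejected. */
static int convert_row_checked(uint32_t width, uint16_t spp, uint16_t bps,
                               const unsigned char *row, size_t rowlen)
{
    uint32_t n = model_scanline_size(width, spp, bps);
    if (n == 0 || (size_t)n < rowlen)
        return -1;              /* overflow or inconsistent size: refuse the file */
    unsigned char *buf = malloc(n);
    if (buf == NULL)
        return -1;
    memcpy(buf, row, rowlen);   /* provably within bounds now */
    free(buf);
    return 0;
}

/* Constructed sample: one 4-pixel, 8-bit RGB row (12 bytes) as read from a PPM. */
static const unsigned char sample_row[12] = {
    255, 0, 0,  0, 255, 0,  0, 0, 255,  255, 255, 255
};

/* A sane header (4 px wide, 3 samples, 8 bits) must be accepted. */
static int checked_accepts_sane_header(void)
{
    return convert_row_checked(4, 3, 8, sample_row, sizeof sample_row) == 0;
}

/* A header whose dimensions make the size computation overflow must be rejected
 * before any allocation or copy happens. */
static int checked_rejects_overflowing_header(void)
{
    return convert_row_checked(0xFFFFFFFFu, 3, 8, sample_row, sizeof sample_row) == -1;
}

int main(void)
{
    printf("sane header, unchecked path: %d\n", convert_row_unchecked(4, 3, 8, sample_row, sizeof sample_row));
    printf("sane header accepted:        %d\n", checked_accepts_sane_header());
    printf("overflowing header rejected: %d\n", checked_rejects_overflowing_header());
    return 0;
}
```

The unchecked variant is never exercised with the overflowing header here, since that is exactly the heap write the fix prevents; the point of the comparison is that the hardened path fails closed on the same input without allocating.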

Comment 1 Samuel Verschelde 2012-11-16 13:24:32 CET
Procedure: https://wiki.mageia.org/en/QA_procedure:Libtiff

Whiteboard: MGA1TOO => MGA1TOO has_procedure

Comment 2 claire robinson 2012-11-16 16:05:42 CET
Testing complete mga2 32 & 64

Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure mga2-32-OK mga2-64-OK

Comment 3 claire robinson 2012-11-16 16:17:27 CET
Testing complete mga1 32 & 64

Validating

Advisory & srpms in comment 0

Could sysadmin please push to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga2-32-OK mga2-64-OK => MGA1TOO has_procedure mga2-32-OK mga2-64-OK mga1-32-OK mga1-64-OK

Comment 4 Thomas Backlund 2012-11-17 17:34:12 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0332

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED