Bug 11035 - libtiff new security issues CVE-2013-4231 and CVE-2013-4232
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/563958/
Whiteboard: MGA2TOO has_procedure mga3-64-ok mga3...
Keywords: validated_update
Reported: 2013-08-19 23:53 CEST by David Walser
Modified: 2013-08-22 20:23 CEST
Source RPM: libtiff-4.0.3-4.mga3.src.rpm
Description David Walser 2013-08-19 23:53:19 CEST
Fedora has issued an advisory on August 15:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114181.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated libtiff packages fix security vulnerabilities:

Pedro Ribeiro discovered a buffer overflow flaw in rgb2ycbcr, a tool to convert
RGB color, greyscale, or bi-level TIFF images to YCbCr images, and multiple
buffer overflow flaws in gif2tiff, a tool to convert GIF images to TIFF. A
remote attacker could provide a specially-crafted TIFF or GIF file that, when
processed by rgb2ycbcr and gif2tiff respectively, would cause the tool to crash
or, potentially, execute arbitrary code with the privileges of the user running
the tool (CVE-2013-4231).

Pedro Ribeiro discovered a use-after-free flaw in the t2p_readwrite_pdf_image()
function in tiff2pdf, a tool for converting a TIFF image to a PDF document. A
remote attacker could provide a specially-crafted TIFF file that, when processed
by tiff2pdf, would cause tiff2pdf to crash or, potentially, execute arbitrary
code with the privileges of the user running tiff2pdf (CVE-2013-4232).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114181.html
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.1-2.7.mga2
libtiff5-4.0.1-2.7.mga2
libtiff-devel-4.0.1-2.7.mga2
libtiff-static-devel-4.0.1-2.7.mga2
libtiff-progs-4.0.3-4.1.mga3
libtiff5-4.0.3-4.1.mga3
libtiff-devel-4.0.3-4.1.mga3
libtiff-static-devel-4.0.3-4.1.mga3

from SRPMS:
libtiff-4.0.1-2.7.mga2.src.rpm
libtiff-4.0.3-4.1.mga3.src.rpm
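
A check for whether an installed libtiff build is at or above the fixed builds listed above, added here as an example and not part of the original report. rpmvercmp below is a simplified re-implementation of RPM's segment comparison (no epoch, '~' or '^' handling); the function names are hypothetical, and the 2.6 and 4.10 releases in the sample run are constructed.

```python
import re

# Fixed builds from the advisory above, keyed by Mageia release tag.
FIXED = {"mga2": ("4.0.1", "2.7.mga2"), "mga3": ("4.0.3", "4.1.mga3")}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b, comparing segment by segment.

    Simplified re-implementation of RPM's rule: separators are skipped and the
    strings are split into digit runs and letter runs. No '~' or '^' handling.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a digit run beats a letter run
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")  # compare as numbers:
            if len(x) != len(y):                 # the longer digit run is larger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def is_patched(nvr):
    """True if 'name-version-release' is at or above the fixed build for its release.

    Assumes no epoch and a release ending in '.mga2' or '.mga3'.
    """
    _name, version, release = nvr.rsplit("-", 2)
    fixed_version, fixed_release = FIXED[release.rsplit(".", 1)[-1]]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0


if __name__ == "__main__":
    # First two names appear on this page; the last two are constructed samples.
    for nvr in ("libtiff-4.0.3-4.mga3", "libtiff5-4.0.3-4.1.mga3",
                "libtiff5-4.0.1-2.6.mga2", "libtiff5-4.0.3-4.10.mga3"):
        print(nvr, "at or above fix" if is_patched(nvr) else "older than fix")
```

Input in this form can be produced with rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' followed by the package name.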

Comment 1 claire robinson 2013-08-20 15:08:35 CEST
Procedure on the wiki: https://wiki.mageia.org/en/QA_procedure:Libtiff
Comment 2 claire robinson 2013-08-20 15:16:30 CEST
No PoC's
Comment 3 David GEIGER 2013-08-20 15:32:37 CEST
Testing complete mga3_64, ok for me nothing to report.

$ wget http://www.ac-grenoble.fr/ien.vienne1-2/spip/IMG/bmp_Image001.bmp

$ bmp2tiff bmp_Image001.bmp bmp_Image001.tif 

$ tiff2pdf bmp_Image001.tif > bmp_Image001.pdf

$ tiffinfo bmp_Image001.tif
TIFF Directory at offset 0x58976 (362870)
  Image Width: 400 Image Length: 300
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 6
  Planar Configuration: single image plane

$ gimp bmp_Image001.tif
Gtk-Message: Failed to load module "canberra-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
Comment 4 David GEIGER 2013-08-20 15:42:51 CEST
Testing complete mga3_32, ok for me nothing to report.

$ wget http://www.ac-grenoble.fr/ien.vienne1-2/spip/IMG/bmp_Image001.bmp
--2013-08-20 15:37:45--  http://www.ac-grenoble.fr/ien.vienne1-2/spip/IMG/bmp_Image001.bmp
...etc

100%[======================================>] 360 054      248KB/s   ds 1,4s   

2013-08-20 15:37:47 (248 KB/s) - «bmp_Image001.bmp» sauvegardé [360054/360054]

$ ls
bmp_Image001.bmp  

$ bmp2tiff bmp_Image001.bmp bmp_Image001.tif
$ ls
bmp_Image001.bmp  
bmp_Image001.tif  

$ tiff2pdf bmp_Image001.tif > bmp_Image001.pdf
$ ls
bmp_Image001.bmp  
bmp_Image001.pdf  
bmp_Image001.tif  

$ tiffinfo bmp_Image001.tif
TIFF Directory at offset 0x58976 (362870)
  Image Width: 400 Image Length: 300
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 6
  Planar Configuration: single image plane

$ gimp bmp_Image001.tif
Comment 5 David GEIGER 2013-08-20 15:53:38 CEST
Testing complete mga2_32, ok for me nothing to report.

$ wget http://www.ac-grenoble.fr/ien.vienne1-2/spip/IMG/bmp_Image001.bmp
--2013-08-20 15:49:23--  http://www.ac-grenoble.fr/ien.vienne1-2/spip/IMG/bmp_Image001.bmp
...etc

100%[======================================>] 360 054      288K/s   ds 1,2s

2013-08-20 15:49:24 (288 KB/s) - «bmp_Image001.bmp» sauvegardé [360054/360054]

$ ls
bmp_Image001.bmp  

$ bmp2tiff bmp_Image001.bmp bmp_Image001.tif
$ ls
bmp_Image001.bmp  
bmp_Image001.tif  

$ tiff2pdf bmp_Image001.tif > bmp_Image001.pdf
$ ls
bmp_Image001.bmp  
bmp_Image001.pdf  
bmp_Image001.tif  

$ tiffinfo bmp_Image001.tif
TIFF Directory at offset 0x58976 (362870)
  Image Width: 400 Image Length: 300
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 6
  Planar Configuration: single image plane

$ gimp bmp_Image001.tif
Comment 6 claire robinson 2013-08-20 16:17:58 CEST
Testing complete mga2 64
Comment 7 claire robinson 2013-08-20 16:23:39 CEST
Validating. Advisory from comment 0 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates?

Thanks!
Comment 8 Thomas Backlund 2013-08-22 20:23:07 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0258.html
