Bug 11281 - libtiff new security issue CVE-2013-4243
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/568128/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
Keywords: validated_update
Reported: 2013-09-24 18:57 CEST by David Walser
Modified: 2013-09-24 23:47 CEST

Source RPM: libtiff-4.0.3-4.2.mga3.src.rpm

Description David Walser 2013-09-24 18:57:23 CEST
openSUSE has issued an advisory today (September 24):
http://lists.opensuse.org/opensuse-updates/2013-09/msg00053.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated libtiff packages fix security vulnerability:

A possible heap-based buffer overflow flaw was found in the readgifimage()
function in gif2tiff, a tool to convert GIF images to TIFF. A remote attacker
could provide a specially-crafted GIF file that, when processed by gif2tiff,
would cause gif2tiff to crash or, potentially, execute arbitrary code with the
privileges of the user running gif2tiff (CVE-2013-4243).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243
http://lists.opensuse.org/opensuse-updates/2013-09/msg00053.html
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.1-2.9.mga2
libtiff5-4.0.1-2.9.mga2
libtiff-devel-4.0.1-2.9.mga2
libtiff-static-devel-4.0.1-2.9.mga2
libtiff-progs-4.0.3-4.3.mga3
libtiff5-4.0.3-4.3.mga3
libtiff-devel-4.0.3-4.3.mga3
libtiff-static-devel-4.0.3-4.3.mga3

from SRPMS:
libtiff-4.0.1-2.9.mga2.src.rpm
libtiff-4.0.3-4.3.mga3.src.rpm

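The advisory above describes the flaw only as a heap-based overflow in gif2tiff's readgifimage(), so the following is an added example, not libtiff's code, of the class of check a GIF reader needs: the image descriptor must fit inside the logical screen the raster buffer was sized from, verified before any pixel is written. The struct and function names (gif_geom, gif_parse_geom, gif_geom_fits, gif_check) and the two sample files are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical GIF geometry check, not libtiff's gif2tiff code: a decoder that
 * sizes its raster from the logical screen must reject an image descriptor
 * that does not fit inside that screen before it writes a single pixel. */
typedef struct {
    uint16_t screen_w, screen_h;        /* logical screen, from the header */
    uint16_t left, top, width, height;  /* image descriptor                */
} gif_geom;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a 13-byte header followed directly by a 10-byte image descriptor
 * (no global colour table, for brevity).  0 on success, -1 if malformed. */
int gif_parse_geom(const uint8_t *buf, size_t len, gif_geom *g)
{
    if (len < 23) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;
    g->screen_w = le16(buf + 6);   g->screen_h = le16(buf + 8);
    if (buf[13] != 0x2C) return -1;     /* image separator ','             */
    g->left  = le16(buf + 14);  g->top    = le16(buf + 16);
    g->width = le16(buf + 18);  g->height = le16(buf + 20);
    return 0;
}

/* The guard: non-empty image whose extent lies inside the screen.  Sums are
 * done in 32 bits so a large left/width pair cannot wrap around the check. */
int gif_geom_fits(const gif_geom *g)
{
    if (g->width == 0 || g->height == 0) return 0;
    if ((uint32_t)g->left + g->width  > g->screen_w) return 0;
    if ((uint32_t)g->top  + g->height > g->screen_h) return 0;
    return 1;
}

/* 1 = accepted (raster allocated and freed), 0 = rejected, -1 = malformed.
 * 65535*65535 < 2^32, so the product below cannot overflow size_t. */
int gif_check(const uint8_t *buf, size_t len)
{
    gif_geom g;
    if (gif_parse_geom(buf, len, &g) != 0) return -1;
    if (!gif_geom_fits(&g)) return 0;   /* refuse before any allocation    */
    uint8_t *raster = calloc((size_t)g.screen_w * g.screen_h, 1);
    if (!raster) return 0;
    free(raster);                       /* decoding would go here          */
    return 1;
}

/* Constructed samples: 4x4 screen with a 4x4 image, and with an 8x8 image. */
const uint8_t GIF_OK[23]  = {'G','I','F','8','9','a',4,0,4,0,0,0,0, 0x2C,0,0,0,0,4,0,4,0,0};
const uint8_t GIF_BAD[23] = {'G','I','F','8','9','a',4,0,4,0,0,0,0, 0x2C,0,0,0,0,8,0,8,0,0};
```

The same check generalises to any format whose header promises one buffer size and whose later chunks claim another; the sums are widened so a near-65535 offset cannot wrap past the comparison.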
Comment 1 Dave Hodgins 2013-09-24 20:28:49 CEST
Advisory 11281.adv committed to svn.
Comment 2 Dave Hodgins 2013-09-24 21:04:05 CEST
No PoC that I could find, so just testing that various programs from
libtiff-progs work OK. Testing both releases, both arches shortly.
Comment 3 Dave Hodgins 2013-09-24 21:40:06 CEST
Testing complete both releases, both arches.

Someone from the sysadmin team please push 11281.adv to updates.
Comment 4 Thomas Backlund 2013-09-24 23:47:07 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0291.html
