Bug 11281 - libtiff new security issue CVE-2013-4243
Summary: libtiff new security issue CVE-2013-4243
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/568128/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-09-24 18:57 CEST by David Walser
Modified: 2013-09-24 23:47 CEST (History)
3 users

See Also:
Source RPM: libtiff-4.0.3-4.2.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-09-24 18:57:23 CEST
openSUSE has issued an advisory today (September 24):
http://lists.opensuse.org/opensuse-updates/2013-09/msg00053.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated libtiff packages fix security vulnerability:

A possible heap-based buffer overflow flaw was found in the readgifimage()
function in gif2tiff, a tool to convert GIF images to TIFF. A remote attacker
could provide a specially crafted GIF file that, when processed by gif2tiff,
would cause gif2tiff to crash or, potentially, execute arbitrary code with the
privileges of the user running gif2tiff (CVE-2013-4243).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243
http://lists.opensuse.org/opensuse-updates/2013-09/msg00053.html
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.1-2.9.mga2
libtiff5-4.0.1-2.9.mga2
libtiff-devel-4.0.1-2.9.mga2
libtiff-static-devel-4.0.1-2.9.mga2
libtiff-progs-4.0.3-4.3.mga3
libtiff5-4.0.3-4.3.mga3
libtiff-devel-4.0.3-4.3.mga3
libtiff-static-devel-4.0.3-4.3.mga3

from SRPMS:
libtiff-4.0.1-2.9.mga2.src.rpm
libtiff-4.0.3-4.3.mga3.src.rpm

David Walser 2013-09-24 18:57:46 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 Dave Hodgins 2013-09-24 20:28:49 CEST
Advisory 11281.adv committed to svn.

CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2013-09-24 21:04:05 CEST
No PoC that I could find, so just testing that various programs from
libtiff-progs work OK. Testing both releases, both arches shortly.

Comment 3 Dave Hodgins 2013-09-24 21:40:06 CEST
Testing complete both releases, both arches.

Someone from the sysadmin team please push 11281.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2013-09-24 23:47:07 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0291.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

