Bug 6677 - libtiff new security issues CVE-2012-2088 and CVE-2012-2113
: libtiff new security issues CVE-2012-2088 and CVE-2012-2113
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/504899/
: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-07-03 22:11 CEST by David Walser
Modified: 2012-07-09 14:03 CEST (History)
4 users (show)

See Also:
Source RPM: libtiff-4.0.1-2.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-07-03 22:11:34 CEST
RedHat has issued an advisory today (July 3):
https://rhn.redhat.com/errata/RHSA-2012-1054.html

Updated package (4.0.2) uploaded for Cauldron.

Patched packages uploaded for Mageia 1 and Mageia 2.

Notice that CVE-2012-2088 only affects libtiff 3.x in Mageia 1.

I'll split the advisory for Mageia 1 and Mageia 2.

Advisory (Mageia 1):
========================

Updated libtiff packages fix security vulnerabilities:

libtiff did not properly convert between signed and unsigned integer
values, leading to a buffer overflow. An attacker could use this flaw
to create a specially-crafted TIFF file that, when opened, would cause
an application linked against libtiff to crash or, possibly, execute
arbitrary code (CVE-2012-2088).

Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in the tiff2pdf tool. An attacker could use these flaws to
create a specially-crafted TIFF file that would cause tiff2pdf to crash
or, possibly, execute arbitrary code (CVE-2012-2113).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113
https://rhn.redhat.com/errata/RHSA-2012-1054.html
========================

Advisory (Mageia 2):
========================

Updated libtiff packages fix security vulnerability:

Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in the tiff2pdf tool. An attacker could use these flaws to
create a specially-crafted TIFF file that would cause tiff2pdf to crash
or, possibly, execute arbitrary code (CVE-2012-2113).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113
https://rhn.redhat.com/errata/RHSA-2012-1054.html
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-3.9.5-1.4.mga1
libtiff3-3.9.5-1.4.mga1
libtiff-devel-3.9.5-1.4.mga1
libtiff-static-devel-3.9.5-1.4.mga1
libtiff-progs-4.0.1-2.1.mga2
libtiff5-4.0.1-2.1.mga2
libtiff-devel-4.0.1-2.1.mga2
libtiff-static-devel-4.0.1-2.1.mga2

from SRPMS:
libtiff-3.9.5-1.4.mga1.src.rpm
libtiff-4.0.1-2.1.mga2.src.rpm
Comment 1 Derek Jennings 2012-07-03 23:27:21 CEST
Is there a poc for this? A poc is mentioned in the RedHat Bugzilla, but I cannot find it.
Comment 2 David Walser 2012-07-03 23:42:42 CEST
(In reply to comment #1)
> Is there a poc for this? A poc is mentioned in the RedHat Bugzilla, but I
> cannot find it.

Might be one of the ones they're talking about here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668087
Comment 3 Dave Hodgins 2012-07-04 05:08:42 CEST
libtiff3-3.9.5-1.2.mga1 is also present in Mageia 2. Shouldn't it get updated
too?
Comment 4 Dave Hodgins 2012-07-04 05:15:23 CEST
Ah.  Sorry.  My Mageia 2 system was an upgrade from Mageia 1, so it still
has libtiff3.  It isn't in the online repositories.

Should it be obsoleted in Mageia 2, or updated like Mageia 1.
Comment 5 David Walser 2012-07-04 05:42:04 CEST
(In reply to comment #4)
> Should it be obsoleted in Mageia 2, or updated like Mageia 1.

Nope.  Our library policy means you get old libraries left behind on your system when you do distro upgrades.  It's supposed to be the system administrator's responsibility to remove them.  There are reasons for it, but it is annoying I'll admit.  At least you can do urpmq --not-available to find the ones not in the repository.
Comment 6 David Walser 2012-07-04 15:42:18 CEST
Mandriva has issued an advisory for this today (July 4):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:101
Comment 7 Derek Jennings 2012-07-04 18:25:49 CEST
I was unable to simulate any crash using any of the sample tiffs at
http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/
so validation had to be resricted to performing sample tiff manipulations with
bmp2tiff and tiff2pdf

Validated on x86_64  mga2
Comment 8 Derek Jennings 2012-07-04 22:55:38 CEST
Validated on i586  mga2

Validated on x86_64 mga1 (still not able to force a crash)
Comment 9 Derek Jennings 2012-07-05 16:07:08 CEST
Validated
Could someone from sysadmin please push libtiff-3.9.5-1.4.mga1.src.rpm  from mga1 core/updates/testing to core/updates

Advisory (Mageia 1):
========================

Updated libtiff packages fix security vulnerabilities:

libtiff did not properly convert between signed and unsigned integer
values, leading to a buffer overflow. An attacker could use this flaw
to create a specially-crafted TIFF file that, when opened, would cause
an application linked against libtiff to crash or, possibly, execute
arbitrary code (CVE-2012-2088).

Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in the tiff2pdf tool. An attacker could use these flaws to
create a specially-crafted TIFF file that would cause tiff2pdf to crash
or, possibly, execute arbitrary code (CVE-2012-2113).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113
https://rhn.redhat.com/errata/RHSA-2012-1054.html

----------------------------------------------------------------

And please push libtiff-4.0.1-2.1.mga2.src.rpm from mga2 core/updates/testing to core/updates

Advisory (Mageia 2):
========================

Updated libtiff packages fix security vulnerability:

Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in the tiff2pdf tool. An attacker could use these flaws to
create a specially-crafted TIFF file that would cause tiff2pdf to crash
or, possibly, execute arbitrary code (CVE-2012-2113).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113
https://rhn.redhat.com/errata/RHSA-2012-1054.html
Comment 10 Thomas Backlund 2012-07-09 14:03:02 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0137

Note You need to log in before you can comment on or make changes to this bug.