Bug 7885 - libtiff new security issue CVE-2012-4447
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/520740/
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1...
Keywords: validated_update
 
Reported: 2012-10-23 15:58 CEST by David Walser
Modified: 2012-10-29 19:37 CET (History)

Source RPM: libtiff-4.0.1-2.2.mga1.src.rpm

Description David Walser 2012-10-23 15:58:22 CEST
Debian has issued an advisory on October 21:
http://www.debian.org/security/2012/dsa-2561

Mageia 1 and Mageia 2 are also affected.
Comment 1 David Walser 2012-10-23 17:51:05 CEST
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated libtiff packages fix security vulnerability:

It was discovered that a buffer overflow in libtiff's parsing of files
using PixarLog compression could lead to the execution of arbitrary
code (CVE-2012-4447).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447
http://www.debian.org/security/2012/dsa-2561
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-3.9.5-1.6.mga1
libtiff3-3.9.5-1.6.mga1
libtiff-devel-3.9.5-1.6.mga1
libtiff-static-devel-3.9.5-1.6.mga1
libtiff-progs-4.0.1-2.3.mga2
libtiff5-4.0.1-2.3.mga2
libtiff-devel-4.0.1-2.3.mga2
libtiff-static-devel-4.0.1-2.3.mga2

from SRPMS:
libtiff-3.9.5-1.6.mga1.src.rpm
libtiff-4.0.1-2.3.mga2.src.rpm
Comment 2 Götz Waschk 2012-10-24 09:59:10 CEST
With the update, tiff support is still working fine.
Comment 3 claire robinson 2012-10-24 11:18:41 CEST
Procedure here: https://wiki.mageia.org/en/QA_procedure:Libtiff
Comment 4 claire robinson 2012-10-24 11:23:07 CEST
No PoC's
Comment 5 claire robinson 2012-10-29 15:49:49 CET
testing mga2 32
Comment 6 claire robinson 2012-10-29 15:58:25 CET
Testing complete mga2 32
Comment 7 claire robinson 2012-10-29 17:54:19 CET
testing complete mga1 32
Comment 8 claire robinson 2012-10-29 19:11:12 CET
Testing complete mga1 64

Validating

Advisory and srpms in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 9 Thomas Backlund 2012-10-29 19:34:22 CET
Update pushed:
Comment 10 Thomas Backlund 2012-10-29 19:37:00 CET
(In reply to comment #9)
> Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0317
