Bug 8317 - libtiff new security issue CVE-2012-5581
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/528312/
Whiteboard: has_procedure mga2-32-OK mga2-64-OK
Keywords: validated_update
Reported: 2012-12-07 01:27 CET by David Walser
Modified: 2012-12-07 22:41 CET
Source RPM: libtiff-4.0.1-2.4.mga2.src.rpm

Description David Walser 2012-12-07 01:27:04 CET
Ubuntu has issued an advisory on December 5:
http://www.ubuntu.com/usn/usn-1655-1/

Cauldron is not affected as this was fixed in 4.0.2 upstream.

Patched package uploaded for Mageia 2.

Patch also committed to Mageia 1 SVN.

Advisory:
========================

Updated libtiff packages fix security vulnerability:

It was discovered that LibTIFF incorrectly handled certain malformed
images using the DOTRANGE tag. If a user or automated system were
tricked into opening a specially crafted TIFF image, a remote attacker
could crash the application, leading to a denial of service, or possibly
execute arbitrary code with user privileges (CVE-2012-5581).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5581
http://www.ubuntu.com/usn/usn-1655-1/
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.1-2.5.mga2
libtiff5-4.0.1-2.5.mga2
libtiff-devel-4.0.1-2.5.mga2
libtiff-static-devel-4.0.1-2.5.mga2

from libtiff-4.0.1-2.5.mga2.src.rpm
Comment 1 claire robinson 2012-12-07 17:33:51 CET
Procedure: https://wiki.mageia.org/en/QA_procedure:Libtiff
Comment 2 claire robinson 2012-12-07 17:45:15 CET
Testing complete mga2 32 & 64

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core updates testing to core updates

Thanks!
Comment 3 Thomas Backlund 2012-12-07 22:41:54 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0355
