[ MDKSA-2006:137 ] - Updated libtiff packages fix multiple vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:137
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : libtiff
 Date    : August 1, 2006
 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Tavis Ormandy, Google Security Team, discovered several vulnerabilities
 in the libtiff image processing library:
 
 Several buffer overflows have been discovered, including a stack
 buffer overflow via TIFFFetchShortPair() in tif_dirread.c, which is
 used to read two unsigned shorts from the input file. While a bounds
 check is performed via CheckDirCount(), no action is taken on the
 result, allowing a pathological tdir_count to read an arbitrary number
 of unsigned shorts onto a stack buffer. (CVE-2006-3459)
 
 A heap overflow vulnerability was discovered in the JPEG decoder.
 TIFFScanLineSize() is documented to return the size in bytes that a
 subsequent call to TIFFReadScanline() would write; however, the
 encoded JPEG stream may disagree with these results and overrun the
 buffer with more data than expected. (CVE-2006-3460)
 
 Another heap overflow exists in the PixarLog decoder where a run
 length encoded data stream may specify a stride that is not an exact
 multiple of the number of samples. The result is that on the final
 decode operation the destination buffer is overrun, potentially
 allowing an attacker to execute arbitrary code. (CVE-2006-3461)
 
 The NeXT RLE decoder was also vulnerable to a heap overflow
 vulnerability, where no bounds checking was performed on the result of
 certain RLE decoding operations. This was solved by ensuring the
 number of pixels written did not exceed the size of the scanline
 buffer already prepared. (CVE-2006-3462)
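
 The fix described for the RLE decoder, shown as an added example (not
 libtiff code): rle_decode_row() and its (run length, value) pair format
 are constructed for illustration and are not the NeXT encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, constructed RLE: the stream is (run length, value) byte pairs.
 * This is NOT the NeXT encoding; it only carries the bounds check.
 * Returns bytes written to row, or -1 if the stream is truncated or a run
 * would extend past the end of the scanline buffer. */
long rle_decode_row(const uint8_t *in, size_t inlen, uint8_t *row, size_t rowsize)
{
    size_t pos = 0, written = 0;

    while (pos < inlen) {
        size_t run;

        if (inlen - pos < 2)
            return -1;                    /* truncated pair */
        run = in[pos];
        if (run > rowsize - written)      /* written <= rowsize always holds */
            return -1;                    /* run would overrun the scanline */
        memset(row + written, in[pos + 1], run);
        written += run;
        pos += 2;
    }
    return (long)written;
}

int main(void)
{
    /* Constructed inputs: one row that fits, one whose second run does not. */
    static const uint8_t good[] = { 4, 0xAA, 4, 0xBB };
    static const uint8_t bad[]  = { 4, 0xAA, 200, 0xBB };
    uint8_t row[8];

    printf("good: %ld\n", rle_decode_row(good, sizeof good, row, sizeof row));
    printf("bad:  %ld\n", rle_decode_row(bad, sizeof bad, row, sizeof row));
    return 0;
}
```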
 
 An infinite loop was discovered in EstimateStripByteCounts(), where a
 16-bit unsigned short was used to iterate over a 32-bit unsigned value.
 Should the unsigned int (td_nstrips) have exceeded USHORT_MAX, the
 loop would never terminate. (CVE-2006-3463)
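
 The counter-width problem above, reproduced as an added example (not
 libtiff code): walk_strips_u16(), walk_strips_u32() and STEP_CAP are
 hypothetical names, and the cap only exists so the stuck loop can be
 observed safely.

```c
#include <stdint.h>
#include <stdio.h>

/* STEP_CAP stands in for "forever" so the stuck loop can be observed
 * without hanging the process (constructed for this demo; strip counts
 * used with these functions must stay below it). */
#define STEP_CAP 200000u

/* Before: 16-bit counter against a 32-bit strip count.
 * Returns 1 if the loop finished, 0 if it was still running at STEP_CAP. */
int walk_strips_u16(uint32_t nstrips, uint32_t *steps)
{
    uint16_t i;

    *steps = 0;
    for (i = 0; i < nstrips; i++)     /* i wraps 65535 -> 0 */
        if (++*steps >= STEP_CAP)
            return 0;
    return 1;
}

/* After: the counter has the same width as the bound. */
int walk_strips_u32(uint32_t nstrips, uint32_t *steps)
{
    uint32_t i;

    *steps = 0;
    for (i = 0; i < nstrips; i++)
        if (++*steps >= STEP_CAP)
            return 0;
    return 1;
}

int main(void)
{
    uint32_t n = 70000u, steps;       /* constructed strip count > 65535 */
    int done;

    done = walk_strips_u16(n, &steps);
    printf("u16 counter: finished=%d after %u steps\n", done, (unsigned)steps);
    done = walk_strips_u32(n, &steps);
    printf("u32 counter: finished=%d after %u steps\n", done, (unsigned)steps);
    return 0;
}
```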
 
 Multiple unchecked arithmetic operations were uncovered, including a
 number of the range checking operations designed to ensure the offsets
 specified in TIFF directories are legitimate. These can be caused to
 wrap for extreme values, bypassing sanity checks. Additionally, a
 number of code paths were uncovered where assertions did not hold true,
 resulting in the client application calling abort(). (CVE-2006-3464)
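
 How a wrapping range check lets an out-of-file entry through, next to a
 check that cannot wrap, as an added example (not libtiff code): the
 function names, the entry fields and the 4096-byte file size are
 constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Before: offset + count * width is evaluated in 32 bits and can wrap,
 * so an entry far outside the file can pass the comparison. */
int range_ok_naive(uint32_t offset, uint32_t count, uint32_t width,
                   uint32_t filesize)
{
    return offset + count * width <= filesize;
}

/* After: each step is proven safe before it is performed. */
int range_ok_checked(uint32_t offset, uint32_t count, uint32_t width,
                     uint32_t filesize)
{
    uint32_t bytes;

    if (width != 0 && count > UINT32_MAX / width)
        return 0;                       /* count * width would wrap */
    bytes = count * width;
    if (bytes > filesize)
        return 0;                       /* data longer than the file */
    return offset <= filesize - bytes;  /* cannot underflow: bytes <= filesize */
}

int main(void)
{
    /* Constructed directory entries for a 4096-byte file. */
    static const struct { uint32_t off, cnt, width; } e[] = {
        { 8u,          16u,         2u },  /* legitimate */
        { 0xFFFFFFF0u, 8u,          4u },  /* offset + bytes wraps */
        { 8u,          0x40000001u, 4u },  /* count * width wraps */
    };
    size_t i;

    for (i = 0; i < sizeof e / sizeof e[0]; i++)
        printf("entry %u: naive=%d checked=%d\n", (unsigned)i,
               range_ok_naive(e[i].off, e[i].cnt, e[i].width, 4096u),
               range_ok_checked(e[i].off, e[i].cnt, e[i].width, 4096u));
    return 0;
}
```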
 
 A flaw was also uncovered in libtiff's custom tag support, as
 documented at http://www.libtiff.org/v3.6.0.html. While well-formed
 TIFF files must have correctly ordered directories, libtiff attempts
 to support broken images that do not. However, in certain
 circumstances, creating anonymous fields prior to merging field
 information from codec information can result in recognised fields
 with unexpected values. This state results in abnormal behaviour,
 crashes, or potentially arbitrary code execution. (CVE-2006-3465)
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 c0173eb2f2d497fce68b863a6d01433e  2006.0/RPMS/libtiff3-3.6.1-12.6.20060mdk.i586.rpm
 55369714ae92ea654507f33944285322  2006.0/RPMS/libtiff3-devel-3.6.1-12.6.20060mdk.i586.rpm
 8303a2a5f5b98d0fe984c4f62a8849e7  2006.0/RPMS/libtiff3-static-devel-3.6.1-12.6.20060mdk.i586.rpm
 898dbc11589b623cba53d4e0dea4ec6e  2006.0/RPMS/libtiff-progs-3.6.1-12.6.20060mdk.i586.rpm
 1f77f216c421961825035b17e2fc3d0f  2006.0/SRPMS/libtiff-3.6.1-12.6.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 67217a6617c35cfa110b9199ce827c7f  x86_64/2006.0/RPMS/lib64tiff3-3.6.1-12.6.20060mdk.x86_64.rpm
 b5ea6efd7fcb1db40c69457de4d90980  x86_64/2006.0/RPMS/lib64tiff3-devel-3.6.1-12.6.20060mdk.x86_64.rpm
 673437e87cd25febee28993cd3c9488d  x86_64/2006.0/RPMS/lib64tiff3-static-devel-3.6.1-12.6.20060mdk.x86_64.rpm
 c0173eb2f2d497fce68b863a6d01433e  x86_64/2006.0/RPMS/libtiff3-3.6.1-12.6.20060mdk.i586.rpm
 55369714ae92ea654507f33944285322  x86_64/2006.0/RPMS/libtiff3-devel-3.6.1-12.6.20060mdk.i586.rpm
 8303a2a5f5b98d0fe984c4f62a8849e7  x86_64/2006.0/RPMS/libtiff3-static-devel-3.6.1-12.6.20060mdk.i586.rpm
 c3a7a68b6fef5f74240a6f526412d216  x86_64/2006.0/RPMS/libtiff-progs-3.6.1-12.6.20060mdk.x86_64.rpm
 1f77f216c421961825035b17e2fc3d0f  x86_64/2006.0/SRPMS/libtiff-3.6.1-12.6.20060mdk.src.rpm

 Corporate 3.0:
 7ed65170763bdbb2db2c73a0e6d21dc5  corporate/3.0/RPMS/libtiff3-3.5.7-11.12.C30mdk.i586.rpm
 c4fd193c4ac3c199f98751b615f7f5ad  corporate/3.0/RPMS/libtiff3-devel-3.5.7-11.12.C30mdk.i586.rpm
 2d4920c58d576d4174358a62eb533acd  corporate/3.0/RPMS/libtiff3-static-devel-3.5.7-11.12.C30mdk.i586.rpm
 aa07135a25873d7265dfb1a4ac1fd365  corporate/3.0/RPMS/libtiff-progs-3.5.7-11.12.C30mdk.i586.rpm
 8c70315b6e8fcbfeb56abaf9df8fef52  corporate/3.0/SRPMS/libtiff-3.5.7-11.12.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 c48326e5749da37145fe7744b2ec7da7  x86_64/corporate/3.0/RPMS/lib64tiff3-3.5.7-11.12.C30mdk.x86_64.rpm
 d5a2fa2ad3de5d7a77332920eea6ccb2  x86_64/corporate/3.0/RPMS/lib64tiff3-devel-3.5.7-11.12.C30mdk.x86_64.rpm
 3582b0f21935141f83bb83787ce6537a  x86_64/corporate/3.0/RPMS/lib64tiff3-static-devel-3.5.7-11.12.C30mdk.x86_64.rpm
 7ed65170763bdbb2db2c73a0e6d21dc5  x86_64/corporate/3.0/RPMS/libtiff3-3.5.7-11.12.C30mdk.i586.rpm
 b8de80aaa29a62815ef364357c319d95  x86_64/corporate/3.0/RPMS/libtiff-progs-3.5.7-11.12.C30mdk.x86_64.rpm
 8c70315b6e8fcbfeb56abaf9df8fef52  x86_64/corporate/3.0/SRPMS/libtiff-3.5.7-11.12.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 8cc2951ca065dced86d900d2713f7755  mnf/2.0/RPMS/libtiff3-3.5.7-11.12.M20mdk.i586.rpm
 20c7813342fc7964cfc3f35465232ade  mnf/2.0/SRPMS/libtiff-3.5.7-11.12.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEz4TtmqjQ0CJFipgRAjTYAJ9tZ6Kqz9K0x3vYAWL8PHtli0+rTgCeN5m8
+R9B81Ti9uezqZlT1CNf3o8=
=TKF2
-----END PGP SIGNATURE-----