English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 143769 CVE descriptions
and 71225 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: tiff: Buffer overflows in image decoding
      Date: October 13, 2004
        ID: 200410-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple heap-based overflows have been found in the tiff library image
decoding routines, potentially allowing to execute arbitrary code with
the rights of the user viewing a malicious image.

Background
==========

The tiff library contains encoding and decoding routines for the Tag
Image File Format. It is called by numerous programs, including GNOME
and KDE, to help in displaying TIFF images. xv is a multi-format image
manipulation utility that is statically linked to the tiff library.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /   Vulnerable   /                    Unaffected
    -------------------------------------------------------------------
  1  media-libs/tiff      < 3.6.1-r2                       >= 3.6.1-r2
  2  media-gfx/xv         <= 3.10a-r7                      >= 3.10a-r8
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Chris Evans found heap-based overflows in RLE decoding routines in
tif_next.c, tif_thunder.c and potentially tif_luv.c.

Impact
======

A remote attacker could entice a user to view a carefully crafted TIFF
image file, which would potentially lead to execution of arbitrary code
with the rights of the user viewing the image. This affects any program
that makes use of the tiff library, including GNOME and KDE web
browsers or mail readers.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tiff library users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=media-libs/tiff-3.6.1-r2"
    # emerge ">=media-libs/tiff-3.6.1-r2"

xv makes use of the tiff library and needs to be recompiled to receive
the new patched version of the library. All xv users should also
upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=media-gfx/xv-3.10a-r8"
    # emerge ">=media-gfx/xv-3.10a-r8"

References
==========

  [ 1 ] CAN-2004-0803
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0


--

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Developer APIs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe

© 1998-2019 E-Soft Inc. All rights reserved.