-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:127 http://www.mandriva.com/security/ _______________________________________________________________________ Package : libtiff Date : August 8, 2012 Affected: 2011., Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability was found and corrected in libtiff: A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF image to a PDF document conversion tool, of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed write of TIFF image content into particular PDF document file, when not properly initialized T2P context struct pointer has been provided by tiff2pdf (application requesting the conversion) as one of parameters for the routine performing the write. A remote attacker could provide a specially-crafted TIFF image format file, that when processed by tiff2pdf would lead to tiff2pdf executable crash or, potentially, arbitrary code execution with the privileges of the user running the tiff2pdf binary (CVE-2012-3401). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3401 _______________________________________________________________________ Updated Packages: Mandriva Linux 2011: 415c8a711e94429c4187a4620f9d3eec 2011/i586/libtiff3-3.9.5-1.3-mdv2011.0.i586.rpm b99c8d1bfa16a1158a3e03692ba56335 2011/i586/libtiff-devel-3.9.5-1.3-mdv2011.0.i586.rpm a96608f5fae7aa711d1b64cbc76ca752 2011/i586/libtiff-progs-3.9.5-1.3-mdv2011.0.i586.rpm 11a1fb628ef761d33294aef1eff34565 2011/i586/libtiff-static-devel-3.9.5-1.3-mdv2011.0.i586.rpm 9a9505df7408b0c75192ac502fd18504 2011/SRPMS/libtiff-3.9.5-1.3.src.rpm Mandriva Linux 2011/X86_64: c18a5d5069de99d93b3411998e6960d0 2011/x86_64/lib64tiff3-3.9.5-1.3-mdv2011.0.x86_64.rpm e326395e5ddf305ac322d1c57f436cd4 2011/x86_64/lib64tiff-devel-3.9.5-1.3-mdv2011.0.x86_64.rpm c8de4431798dcbd235c82e8764d348ad 2011/x86_64/lib64tiff-static-devel-3.9.5-1.3-mdv2011.0.x86_64.rpm ba66bfb07baed4c0848a64c2b7d94183 2011/x86_64/libtiff-progs-3.9.5-1.3-mdv2011.0.x86_64.rpm 9a9505df7408b0c75192ac502fd18504 2011/SRPMS/libtiff-3.9.5-1.3.src.rpm Mandriva Enterprise Server 5: 3e94f2cd1306ce817f03b9e0d383d87a mes5/i586/libtiff3-3.8.2-12.8mdvmes5.2.i586.rpm c08735b0c0f665235f422b05b59aaaae mes5/i586/libtiff3-devel-3.8.2-12.8mdvmes5.2.i586.rpm fad7566f026aefd3fbae97f48e02aa91 mes5/i586/libtiff3-static-devel-3.8.2-12.8mdvmes5.2.i586.rpm 1b5263306ed5890541f2ebcd5374aad9 mes5/i586/libtiff-progs-3.8.2-12.8mdvmes5.2.i586.rpm 4c0ee36afa646eaeaae78bdf425c399d mes5/SRPMS/libtiff-3.8.2-12.8mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 09c6eddf7c45e53fe672c40fdefc7f6f mes5/x86_64/lib64tiff3-3.8.2-12.8mdvmes5.2.x86_64.rpm 7cde1e5ae217118a09ab14b898e59563 mes5/x86_64/lib64tiff3-devel-3.8.2-12.8mdvmes5.2.x86_64.rpm af9cb316c7a9a130267d089c1cfd64a5 mes5/x86_64/lib64tiff3-static-devel-3.8.2-12.8mdvmes5.2.x86_64.rpm 2a716b33ff39a3518f57a4757c6c585c mes5/x86_64/libtiff-progs-3.8.2-12.8mdvmes5.2.x86_64.rpm 4c0ee36afa646eaeaae78bdf425c399d mes5/SRPMS/libtiff-3.8.2-12.8mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFQIjWKmqjQ0CJFipgRAu9aAKCFPFCguG+r8YzSC6NoNbuJqDHbowCfSCaK zRjfu/1Oe46lSLkAwaBsCqM= =3KUE -----END PGP SIGNATURE-----