-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:137
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libtiff
 Date    : August 1, 2006
 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Tavis Ormandy, Google Security Team, discovered several vulnerabilities
 in the libtiff image processing library:

 Several buffer overflows have been discovered, including a stack buffer
 overflow via TIFFFetchShortPair() in tif_dirread.c, which is used to
 read two unsigned shorts from the input file. While a bounds check is
 performed via CheckDirCount(), no action is taken on the result,
 allowing a pathological tdir_count to read an arbitrary number of
 unsigned shorts onto a stack buffer. (CVE-2006-3459)

 A heap overflow vulnerability was discovered in the jpeg decoder.
 TIFFScanLineSize() is documented to return the size in bytes that a
 subsequent call to TIFFReadScanline() would write; however, the encoded
 jpeg stream may disagree with this result and overrun the buffer with
 more data than expected. (CVE-2006-3460)

 Another heap overflow exists in the PixarLog decoder, where a run
 length encoded data stream may specify a stride that is not an exact
 multiple of the number of samples. The result is that on the final
 decode operation the destination buffer is overrun, potentially
 allowing an attacker to execute arbitrary code. (CVE-2006-3461)

 The NeXT RLE decoder was also vulnerable to a heap overflow, where no
 bounds checking was performed on the result of certain RLE decoding
 operations. This was solved by ensuring the number of pixels written
 does not exceed the size of the scanline buffer already prepared.
 (CVE-2006-3462)

 An infinite loop was discovered in EstimateStripByteCounts(), where a
 16-bit unsigned short was used to iterate over a 32-bit unsigned value.
 Should the unsigned int (td_nstrips) exceed USHORT_MAX, the loop would
 never terminate. (CVE-2006-3463)

 Multiple unchecked arithmetic operations were uncovered, including a
 number of the range checking operations designed to ensure the offsets
 specified in tiff directories are legitimate. These can be caused to
 wrap for extreme values, bypassing sanity checks. Additionally, a
 number of codepaths were uncovered where assertions did not hold true,
 resulting in the client application calling abort(). (CVE-2006-3464)

 A flaw was also uncovered in libtiff's custom tag support, as
 documented here: http://www.libtiff.org/v3.6.0.html. While well-formed
 tiff files must have correctly ordered directories, libtiff attempts to
 support broken images that do not. However, in certain circumstances,
 creating anonymous fields prior to merging field information from codec
 information can result in recognised fields with unexpected values.
 This state results in abnormal behaviour, crashes, or potentially
 arbitrary code execution. (CVE-2006-3465)

 The updated packages have been patched to correct these issues.
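 Two of the defect patterns above, the count check whose result is never
 acted on (CVE-2006-3459) and the offset range check that wraps for
 extreme values (CVE-2006-3464), as an added C illustration that is not
 libtiff's code or part of the advisory: the directory-entry struct,
 function names and sample bytes are constructed for this example, and
 the naive range check is shown only beside its hardened form.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of one TIFF directory entry. The field name
 * tdir_count follows the advisory's wording; this is not libtiff's struct. */
typedef struct {
    uint16_t tdir_tag;
    uint16_t tdir_type;
    uint32_t tdir_count;   /* number of values the entry claims to hold */
    uint32_t tdir_offset;  /* file offset of those values */
} dir_entry_t;

/* CVE-2006-3459 pattern, hardened: the caller wants exactly two uint16
 * values, so any other count is rejected and tdir_count never decides
 * how many values are copied into the fixed-size out[2]. */
bool fetch_short_pair(const dir_entry_t *dir, const uint8_t *data,
                      size_t datalen, uint16_t out[2])
{
    if (dir->tdir_count != 2 || datalen < 4)
        return false;                          /* check result acted upon */
    out[0] = (uint16_t)(data[0] | (data[1] << 8));  /* little-endian */
    out[1] = (uint16_t)(data[2] | (data[3] << 8));
    return true;
}

/* CVE-2006-3464 pattern, as the advisory describes it: the range check
 * computes offset + count * size in 32 bits, which wraps modulo 2^32, so
 * an entry lying far beyond the end of the file can pass the sanity check. */
bool entry_in_range_naive(uint32_t offset, uint32_t count, uint32_t size,
                          uint32_t filesize)
{
    return offset + count * size <= filesize;   /* product and sum can wrap */
}

/* Hardened form: widen before multiplying and compare by subtraction, so
 * neither the byte count nor the end offset can wrap. */
bool entry_in_range(uint32_t offset, uint32_t count, uint32_t size,
                    uint32_t filesize)
{
    uint64_t bytes = (uint64_t)count * size;    /* fits in 64 bits */
    if (bytes > UINT32_MAX || offset > filesize)
        return false;
    return bytes <= (uint64_t)(filesize - offset);
}
```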
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465
 _______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.
 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEz4TtmqjQ0CJFipgRAjTYAJ9tZ6Kqz9K0x3vYAWL8PHtli0+rTgCeN5m8
+R9B81Ti9uezqZlT1CNf3o8=
=TKF2
-----END PGP SIGNATURE-----