[SECURITY] [DSA 2575-1] tiff security update

2012-11-1814:22:07

lists.debian.org

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

69.5%

JSON

Debian Security Advisory DSA-2575-1 [email protected]
http://www.debian.org/security/ Nico Golde
November 18, 2012 http://www.debian.org/security/faq

Package : tiff
Vulnerability : heap-based buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2012-4564

It was discovered that ppm2tiff of the tiff tools, a set of utilities
for TIFF manipulation and conversion, is not properly checking the return
value of an internal function used in order to detect integer overflows.
As a consequence, ppm2tiff suffers of a heap-based buffer overflow.
This allows attacker to potentially execute arbitrary code via a crafted
ppm image, especially in scenarios in which images are automatically
processed.

For the stable distribution (squeeze), this problem has been fixed in
version 3.9.4-5+squeeze7.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 4.0.2-5.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6amd64libtiff-opengl< 3.9.4-5+squeeze7libtiff-opengl_3.9.4-5+squeeze7_amd64.deb
Debian6i386libtiff4-dev< 3.9.4-5+squeeze7libtiff4-dev_3.9.4-5+squeeze7_i386.deb
Debian6sparclibtiff-opengl< 3.9.4-5+squeeze7libtiff-opengl_3.9.4-5+squeeze7_sparc.deb
Debian6sparclibtiff4-dev< 3.9.4-5+squeeze7libtiff4-dev_3.9.4-5+squeeze7_sparc.deb
Debian6powerpclibtiff4-dev< 3.9.4-5+squeeze7libtiff4-dev_3.9.4-5+squeeze7_powerpc.deb
Debian6kfreebsd-amd64libtiffxx0c2< 3.9.4-5+squeeze7libtiffxx0c2_3.9.4-5+squeeze7_kfreebsd-amd64.deb
Debian6powerpclibtiff-opengl< 3.9.4-5+squeeze7libtiff-opengl_3.9.4-5+squeeze7_powerpc.deb
Debian6s390libtiff4< 3.9.4-5+squeeze7libtiff4_3.9.4-5+squeeze7_s390.deb
Debian6s390libtiff-tools< 3.9.4-5+squeeze7libtiff-tools_3.9.4-5+squeeze7_s390.deb
Debian6ia64libtiff-tools< 3.9.4-5+squeeze7libtiff-tools_3.9.4-5+squeeze7_ia64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	amd64	libtiff-opengl	< 3.9.4-5+squeeze7	libtiff-opengl_3.9.4-5+squeeze7_amd64.deb
Debian	6	i386	libtiff4-dev	< 3.9.4-5+squeeze7	libtiff4-dev_3.9.4-5+squeeze7_i386.deb
Debian	6	sparc	libtiff-opengl	< 3.9.4-5+squeeze7	libtiff-opengl_3.9.4-5+squeeze7_sparc.deb
Debian	6	sparc	libtiff4-dev	< 3.9.4-5+squeeze7	libtiff4-dev_3.9.4-5+squeeze7_sparc.deb
Debian	6	powerpc	libtiff4-dev	< 3.9.4-5+squeeze7	libtiff4-dev_3.9.4-5+squeeze7_powerpc.deb
Debian	6	kfreebsd-amd64	libtiffxx0c2	< 3.9.4-5+squeeze7	libtiffxx0c2_3.9.4-5+squeeze7_kfreebsd-amd64.deb
Debian	6	powerpc	libtiff-opengl	< 3.9.4-5+squeeze7	libtiff-opengl_3.9.4-5+squeeze7_powerpc.deb
Debian	6	s390	libtiff4	< 3.9.4-5+squeeze7	libtiff4_3.9.4-5+squeeze7_s390.deb
Debian	6	s390	libtiff-tools	< 3.9.4-5+squeeze7	libtiff-tools_3.9.4-5+squeeze7_s390.deb
Debian	6	ia64	libtiff-tools	< 3.9.4-5+squeeze7	libtiff-tools_3.9.4-5+squeeze7_ia64.deb