Fedora Legacy Test Update Notification: libtiff

Marc Deslauriers marcdeslauriers at videotron.ca
Sat Mar 5 18:12:19 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2163
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2163
2005-03-05
---------------------------------------------------------------------

Name        : libtiff
Versions    : rh7.3: libtiff-3.5.7-2.2.legacy
Versions    : rh9: libtiff-3.5.7-11.2.legacy
Versions    : fc1: libtiff-3.5.7-14.2.legacy
Summary     : A library of functions for manipulating TIFF format image
               files.
Description :
The libtiff package contains a library of functions for manipulating
TIFF (Tagged Image File Format) image format files. TIFF is a widely
used file format for bitmapped images. TIFF files usually end in the
.tif extension and they are often quite large.

---------------------------------------------------------------------
Update Information:

Updated libtiff packages that fix various buffer and integer overflows
are now available.

The libtiff package contains a library of functions for manipulating
TIFF (Tagged Image File Format) image format files.

During a source code audit, Chris Evans discovered a number of integer
overflow bugs that affect libtiff. An attacker who has the ability to
trick a user into opening a malicious TIFF file could cause the
application linked to libtiff to crash or possibly execute arbitrary
code. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CAN-2004-0886 and CAN-2004-0804 to these issues.

Additionally, a number of buffer overflow bugs that affect libtiff have
been found. An attacker who has the ability to trick a user into opening
a malicious TIFF file could cause the application linked to libtiff to
crash or possibly execute arbitrary code. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0803 to
this issue.

iDEFENSE has reported an integer overflow bug that affects libtiff. An
attacker who has the ability to trick a user into opening a malicious
TIFF file could cause the application linked to libtiff to crash or
possibly execute arbitrary code. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-1308 to
this issue.

Dmitry V. Levin reported another integer overflow in the tiffdump
utility. An attacker who has the ability to trick a user into opening a
malicious TIFF file with tiffdump could possibly execute arbitrary code.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-1183 to this issue.

All users are advised to upgrade to these updated packages, which
contain backported fixes for these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Sat Feb 19 2005 Pekka Savola <pekkas at netcore.fi> 3.5.7-2.2.legacy
- Added security patches for CAN-2004-{1183,1308} from RHEL (#2163)

* Tue Oct 19 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 3.5.7-2.1.legacy
- Added security patches for CAN-2004-0803 and CAN-2004-0886

rh9:
* Sat Feb 19 2005 Pekka Savola <pekkas at netcore.fi> 3.5.7-11.2.legacy
- Added security patches for CAN-2004-{1183,1308} from RHEL (#2163)

* Tue Oct 19 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 3.5.7-11.1.legacy
- Added security patches for CAN-2004-0803 and CAN-2004-0886

fc1:
* Sat Feb 19 2005 Pekka Savola <pekkas at netcore.fi> 3.5.7-14.2.legacy
- Added security patches for CAN-2004-{1183,1308} from RHEL (#2163)

* Tue Oct 19 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 3.5.7-14.1.legacy
- Added security patches for CAN-2004-0803 and CAN-2004-0886

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedoralegacy.org/
(sha1sums)

rh7.3:
524fd6c80901dbd665cfbf0b4ba1eea276a95cca  redhat/7.3/updates-testing/i386/libtiff-3.5.7-2.2.legacy.i386.rpm
3ced2ba5eac07c60515a41d73dbfb0df36cfc962  redhat/7.3/updates-testing/i386/libtiff-devel-3.5.7-2.2.legacy.i386.rpm
864581d2f1d76fcc5d0540173338a84a7a3ffe80  redhat/7.3/updates-testing/SRPMS/libtiff-3.5.7-2.2.legacy.src.rpm

rh9:
a17298a3be3e3d6f7fce2108ac226ff8ef26ee39  redhat/9/updates-testing/i386/libtiff-3.5.7-11.2.legacy.i386.rpm
b35700b8e8ee819565998a033f484ebd7e837646  redhat/9/updates-testing/i386/libtiff-devel-3.5.7-11.2.legacy.i386.rpm
2024a97a377a37851d3a4be92403eaad0a7b1be2  redhat/9/updates-testing/SRPMS/libtiff-3.5.7-11.2.legacy.src.rpm

fc1:
8dd2d8035eaf4b0e41cc7ac68536b752387a1cc8  fedora/1/updates-testing/i386/libtiff-3.5.7-14.2.legacy.i386.rpm
4475fb4f26ab358d1c9bf8b6e8da060eace1a8dd  fedora/1/updates-testing/i386/libtiff-devel-3.5.7-14.2.legacy.i386.rpm
f854a97125ca806b9a1c04c985f9939c6b6f7611  fedora/1/updates-testing/SRPMS/libtiff-3.5.7-14.2.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.


More information about the fedora-legacy-list mailing list