SUSE-SU-2013:1639-1: moderate: Security update for libtiff
sle-security-updates at lists.suse.com
Thu Nov 7 09:04:17 MST 2013
SUSE Security Update: Security update for libtiff
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:1639-1
Rating: moderate
References: #753362 #767852 #767854 #770816 #781995 #787892 #788741 #791607 #817573 #818117 #834477 #834779 #834788
Cross-References: CVE-2012-1173 CVE-2012-2088 CVE-2012-2113 CVE-2012-3401 CVE-2012-4447 CVE-2012-4564 CVE-2012-5581 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244
Affected Products:
SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________
An update that fixes 13 vulnerabilities is now available.
Description:
This tiff LTSS roll-up update fixes several security issues.
* CVE-2013-4232 CVE-2013-4231: buffer overflows/use-after-free problem
* CVE-2013-4243: libtiff (gif2tiff): heap-based buffer overflow in readgifimage()
* CVE-2013-4244: libtiff (gif2tiff): OOB write in LZW decompressor
* CVE-2013-1961: Stack-based buffer overflow with malformed image-length and resolution
* CVE-2013-1960: Heap-based buffer overflow in t2_process_jpeg_strip()
* CVE-2012-4447: Heap-based buffer overflow when processing a TIFF image with PixarLog compression
* CVE-2012-4564: Added a missing return value check in ppm2tiff
* CVE-2012-5581: Fixed stack-based buffer overflow when handling DOTRANGE tags
* CVE-2012-3401: Fixed heap-based buffer overflow due to improper initialization of T2P context struct pointer
* CVE-2012-2113: Integer overflow leading to heap-based buffer overflow when parsing crafted TIFF files
* Another heap-based memory corruption in the tiff2ps command-line tool has been fixed [bnc#788741]
* CVE-2012-2088: A type conversion flaw in libtiff has been fixed.
* CVE-2012-1173: A heap-based buffer overflow in TIFFReadRGBAImageOriented was fixed.
Security Issue references:
* CVE-2012-1173 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173>
* CVE-2012-2088 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2088>
* CVE-2012-2113 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113>
* CVE-2012-3401 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3401>
* CVE-2012-4447 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447>
* CVE-2012-4564 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564>
* CVE-2012-5581 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5581>
* CVE-2013-1960 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1960>
* CVE-2013-1961 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1961>
* CVE-2013-4231 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231>
* CVE-2013-4232 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232>
* CVE-2013-4243 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243>
* CVE-2013-4244 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4244>
Package List:
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
libtiff-3.8.2-5.36.1
libtiff-devel-3.8.2-5.36.1
tiff-3.8.2-5.36.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
libtiff-32bit-3.8.2-5.36.1
libtiff-devel-32bit-3.8.2-5.36.1
References:
http://support.novell.com/security/cve/CVE-2012-1173.html
http://support.novell.com/security/cve/CVE-2012-2088.html
http://support.novell.com/security/cve/CVE-2012-2113.html
http://support.novell.com/security/cve/CVE-2012-3401.html
http://support.novell.com/security/cve/CVE-2012-4447.html
http://support.novell.com/security/cve/CVE-2012-4564.html
http://support.novell.com/security/cve/CVE-2012-5581.html
http://support.novell.com/security/cve/CVE-2013-1960.html
http://support.novell.com/security/cve/CVE-2013-1961.html
http://support.novell.com/security/cve/CVE-2013-4231.html
http://support.novell.com/security/cve/CVE-2013-4232.html
http://support.novell.com/security/cve/CVE-2013-4243.html
http://support.novell.com/security/cve/CVE-2013-4244.html
https://bugzilla.novell.com/753362
https://bugzilla.novell.com/767852
https://bugzilla.novell.com/767854
https://bugzilla.novell.com/770816
https://bugzilla.novell.com/781995
https://bugzilla.novell.com/787892
https://bugzilla.novell.com/788741
https://bugzilla.novell.com/791607
https://bugzilla.novell.com/817573
https://bugzilla.novell.com/818117
https://bugzilla.novell.com/834477
https://bugzilla.novell.com/834779
https://bugzilla.novell.com/834788
http://download.novell.com/patch/finder/?keywords=db898b28994a0ce2b1deaf3ee47ec36c