-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:064 http://www.mandriva.com/security/ _______________________________________________________________________ Package : libtiff Date : April 4, 2011 Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities were discovered and corrected in libtiff: Buffer overflow in LibTIFF allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with JPEG encoding (CVE-2011-0191). Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value (CVE-2011-1167). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1167 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 469f83f325486ac28efade864c4c04dd 2009.0/i586/libtiff3-3.8.2-12.5mdv2009.0.i586.rpm 60ed02c79ace2efc9d360c6a254484d8 2009.0/i586/libtiff3-devel-3.8.2-12.5mdv2009.0.i586.rpm 9eec6c7a71319a0dbe42043e3ce0143c 2009.0/i586/libtiff3-static-devel-3.8.2-12.5mdv2009.0.i586.rpm c83359e62f148232dbf4716c3db1da27 2009.0/i586/libtiff-progs-3.8.2-12.5mdv2009.0.i586.rpm 394324226f6347b8adde7d5a3b94e616 2009.0/SRPMS/libtiff-3.8.2-12.5mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 12d1c6b013d1001804dcff1607ba0cbf 2009.0/x86_64/lib64tiff3-3.8.2-12.5mdv2009.0.x86_64.rpm 7160228a5f9eb015f7c39b034e4168fe 2009.0/x86_64/lib64tiff3-devel-3.8.2-12.5mdv2009.0.x86_64.rpm dd60de9c42e6e6db115866b0729d11a6 2009.0/x86_64/lib64tiff3-static-devel-3.8.2-12.5mdv2009.0.x86_64.rpm 019b6c2c67897e9e15b61c5bd5290d7c 2009.0/x86_64/libtiff-progs-3.8.2-12.5mdv2009.0.x86_64.rpm 394324226f6347b8adde7d5a3b94e616 2009.0/SRPMS/libtiff-3.8.2-12.5mdv2009.0.src.rpm Mandriva Linux 2010.0: 516da8a4ac19bd931ec94c948e2202b3 2010.0/i586/libtiff3-3.9.1-4.4mdv2010.0.i586.rpm bb474b98be4cee2d5ce83b18a97e0b0a 2010.0/i586/libtiff-devel-3.9.1-4.4mdv2010.0.i586.rpm 91bbafe5b93099fa6bc91a4ae2c792c5 2010.0/i586/libtiff-progs-3.9.1-4.4mdv2010.0.i586.rpm cfe592e3c30c76e9e814c828f4e9c850 2010.0/i586/libtiff-static-devel-3.9.1-4.4mdv2010.0.i586.rpm 82734445474583997f82f61a6bca5477 2010.0/SRPMS/libtiff-3.9.1-4.4mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 89d02f64104cdeefcfff27251ac493e3 2010.0/x86_64/lib64tiff3-3.9.1-4.4mdv2010.0.x86_64.rpm 184361a7a031fd0040ef210289e659ad 2010.0/x86_64/lib64tiff-devel-3.9.1-4.4mdv2010.0.x86_64.rpm ea63a95bea50aa8c6173b7e018b52c16 2010.0/x86_64/lib64tiff-static-devel-3.9.1-4.4mdv2010.0.x86_64.rpm b683c3de7768e3be291f3cd0810f29f7 2010.0/x86_64/libtiff-progs-3.9.1-4.4mdv2010.0.x86_64.rpm 82734445474583997f82f61a6bca5477 2010.0/SRPMS/libtiff-3.9.1-4.4mdv2010.0.src.rpm Mandriva Linux 2010.1: 6cae776a3869cba91324d4db8c3e445b 2010.1/i586/libtiff3-3.9.2-2.4mdv2010.2.i586.rpm 9eb7c8e16bdccb2a08bbd51b842d6b8a 2010.1/i586/libtiff-devel-3.9.2-2.4mdv2010.2.i586.rpm b22f03fcab8549799bd989a1ac5b9505 2010.1/i586/libtiff-progs-3.9.2-2.4mdv2010.2.i586.rpm 5207df22c3ce3a1dc5487e5a9f1386f5 2010.1/i586/libtiff-static-devel-3.9.2-2.4mdv2010.2.i586.rpm edc5ff22e092f6c0c761ea064beec57e 2010.1/SRPMS/libtiff-3.9.2-2.4mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: fead69647d8429a2e0f3bde99440a81e 2010.1/x86_64/lib64tiff3-3.9.2-2.4mdv2010.2.x86_64.rpm f8eefcab2c69e31dc9e59b7c5fd1370a 2010.1/x86_64/lib64tiff-devel-3.9.2-2.4mdv2010.2.x86_64.rpm a14aa71d4721718fc2312f04b76163db 2010.1/x86_64/lib64tiff-static-devel-3.9.2-2.4mdv2010.2.x86_64.rpm cd214410be00ea40859776ac4f95f1da 2010.1/x86_64/libtiff-progs-3.9.2-2.4mdv2010.2.x86_64.rpm edc5ff22e092f6c0c761ea064beec57e 2010.1/SRPMS/libtiff-3.9.2-2.4mdv2010.2.src.rpm Corporate 4.0: 26f8d583111883193418679358070dac corporate/4.0/i586/libtiff3-3.6.1-12.11.20060mlcs4.i586.rpm 6cc27c218fc154873d80b9f20d0026a0 corporate/4.0/i586/libtiff3-devel-3.6.1-12.11.20060mlcs4.i586.rpm d2cc27f255b5c06ac0270501742d075a corporate/4.0/i586/libtiff3-static-devel-3.6.1-12.11.20060mlcs4.i586.rpm 1dce21141558e525afac04376ee88b0e corporate/4.0/i586/libtiff-progs-3.6.1-12.11.20060mlcs4.i586.rpm b71b082cfc6e374765bdcc433074876e corporate/4.0/SRPMS/libtiff-3.6.1-12.11.20060mlcs4.src.rpm Corporate 4.0/X86_64: 909321cebadb1a6a98363111aafaa51f corporate/4.0/x86_64/lib64tiff3-3.6.1-12.11.20060mlcs4.x86_64.rpm 1e65799b8f71945b8577caa953f26f1a corporate/4.0/x86_64/lib64tiff3-devel-3.6.1-12.11.20060mlcs4.x86_64.rpm e0f3f375533db24c097249e2865d67c5 corporate/4.0/x86_64/lib64tiff3-static-devel-3.6.1-12.11.20060mlcs4.x86_64.rpm 45d3bf776d6b0bf18b6dd475719d5109 corporate/4.0/x86_64/libtiff-progs-3.6.1-12.11.20060mlcs4.x86_64.rpm b71b082cfc6e374765bdcc433074876e corporate/4.0/SRPMS/libtiff-3.6.1-12.11.20060mlcs4.src.rpm Mandriva Enterprise Server 5: 0e74dc01232af741c73b5429222c104b mes5/i586/libtiff3-3.8.2-12.5mdvmes5.2.i586.rpm cf4880e23bca7320947faffb7493fe1c mes5/i586/libtiff3-devel-3.8.2-12.5mdvmes5.2.i586.rpm 35e2c51269229b05e8127d8ff7a70559 mes5/i586/libtiff3-static-devel-3.8.2-12.5mdvmes5.2.i586.rpm 053e112ce08dee96024c78cf1cc62c68 mes5/i586/libtiff-progs-3.8.2-12.5mdvmes5.2.i586.rpm b11fe44b7f27853a08cb447713ba2b5d mes5/SRPMS/libtiff-3.8.2-12.5mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 8b9eee08db52a402ff116c6f4f66e1cc mes5/x86_64/lib64tiff3-3.8.2-12.5mdvmes5.2.x86_64.rpm ae5a101036721b2f2cb852861dd9195a mes5/x86_64/lib64tiff3-devel-3.8.2-12.5mdvmes5.2.x86_64.rpm deb731157dd46e649eb01fb66bb9c4ca mes5/x86_64/lib64tiff3-static-devel-3.8.2-12.5mdvmes5.2.x86_64.rpm cf1e27dfce8783ba6dfa4d0d07949f8d mes5/x86_64/libtiff-progs-3.8.2-12.5mdvmes5.2.x86_64.rpm b11fe44b7f27853a08cb447713ba2b5d mes5/SRPMS/libtiff-3.8.2-12.5mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNmbcVmqjQ0CJFipgRAhpFAKCtkISR0abadP0ESPSt/5N9ZMtkHQCggcfu Vxz/7h+yOk4y1oCT/+u7P34= =+u6N -----END PGP SIGNATURE-----