Bug 12556 (int-178734)

Summary: libtiff: Various vulnerabilites (CVE)
Product: [Extras] Maemo 5 Community SSU Reporter: Andre Klapper <andre_klapper>
Component: generalAssignee: unassigned <nobody>
Status: NEW QA Contact: general
Severity: major    
Priority: Unspecified Keywords: security
Version: testing   
Target Milestone: ---   
Hardware: N900   
OS: Maemo   

Description Andre Klapper (reporter) maemo.org 2012-01-21 18:55:20 UTC
SOFTWARE VERSION:
21.2011.38-1Tmaemo1.2 (17.01.2012)
libtiff4 1:3.8.2-11maemo5+0m5 as officially shipped

DESCRIPTION:
See
* https://www.redhat.com/security/data/cve/CVE-2006-2193.html
* https://www.redhat.com/security/data/cve/CVE-2009-2285.html
* https://www.redhat.com/security/data/cve/CVE-2009-2347.html
* https://www.redhat.com/security/data/cve/CVE-2010-2481.html
* https://www.redhat.com/security/data/cve/CVE-2010-2482.html
* https://www.redhat.com/security/data/cve/CVE-2010-4665.html
* https://www.redhat.com/security/data/cve/CVE-2011-0192.html
* https://www.redhat.com/security/data/cve/CVE-2011-1167.html
These only mention 3.9.0 and 3.9.2 so not sure if they apply:
* https://www.redhat.com/security/data/cve/CVE-2010-2595.html
* https://www.redhat.com/security/data/cve/CVE-2010-2597.html
* https://www.redhat.com/security/data/cve/CVE-2010-3087.html

UPSTREAM REPORTS AND PATCHES:
* CVE-2006-2193: http://bugzilla.maptools.org/show_bug.cgi?id=1894
* CVE-2009-2285: http://bugzilla.maptools.org/show_bug.cgi?id=1985
* CVE-2009-2347: http://bugzilla.maptools.org/show_bug.cgi?id=2079
* CVE-2010-2481: http://bugzilla.maptools.org/show_bug.cgi?id=2210
* CVE-2010-2482: http://bugzilla.maptools.org/show_bug.cgi?id=1996#c13
* CVE-2010-4665: http://bugzilla.maptools.org/show_bug.cgi?id=2218
* CVE-2010-2595: http://bugzilla.maptools.org/show_bug.cgi?id=2208
* CVE-2010-2597: http://bugzilla.maptools.org/show_bug.cgi?id=2215
These only mention 3.9.0 and 3.9.2 so not sure if they apply:
* CVE-2010-3087: http://bugzilla.maptools.org/show_bug.cgi?id=2140
* CVE-2011-0192: http://bugzilla.maptools.org/show_bug.cgi?id=2297#c7
* CVE-2011-1167: http://bugzilla.maptools.org/show_bug.cgi?id=2300

OTHER COMMENTS:
CVE-2009-5022, CVE-2010-2443 and CVE-2010-2596 do not apply as OJPEG_SUPPORT is
disabled.
Comment 1 Andre Klapper (reporter) maemo.org 2012-07-23 15:31:00 UTC
Plus libtiff 4.0.2 fixes CVE-2012-1173 (though maybe only 3.9.4 is affected?)
and CVE-2012-2113, compared to 4.0.1.