Support / Security / Advisories / Corporate Server 4.0 / MDVSA-2008:184

Package name: libtiff
Date: 2008-09-03
Advisory ID: MDVSA-2008:184
Affected versions: CS4.0 i586 , CS4.0 x86_64 , MNF2.0 i586 , 2008.0 i586 , 2007.1 i586 , CS3.0 x86_64 , 2008.0 x86_64 , CS3.0 i586 , 2008.1 x86_64 , 2008.1 i586 , 2007.1 x86_64

Problem description

Drew Yao of the Apple Product Security Team reported multiple uses of
uninitialized values in libtiff's LZW compression algorithm decoder.
An attacker could create a carefully crafted LZW-encoded TIFF file that
would cause an application linked to libtiff to crash or potentially
execute arbitrary code (CVE-2008-2327).

The updated packages have been patched to prevent this issue.

Updated packages

CS4.0 i586

 700cb8f74636fbb25f2dd2a8d73c3841  corporate/4.0/i586/libtiff3-3.6.1-12.7.20060mlcs4.i586.rpm
 305bb87c84edf3261491526a9deef8f9  corporate/4.0/i586/libtiff3-devel-3.6.1-12.7.20060mlcs4.i586.rpm
 46bdebacb26f5f05ce572e7de85277e8  corporate/4.0/i586/libtiff3-static-devel-3.6.1-12.7.20060mlcs4.i586.rpm
 b637cbfec742d8a2c06106cb94c36b5a  corporate/4.0/i586/libtiff-progs-3.6.1-12.7.20060mlcs4.i586.rpm 
 bb4663c662718a57113cf78d7e8c7b13  corporate/4.0/SRPMS/libtiff-3.6.1-12.7.20060mlcs4.src.rpm

CS4.0 x86_64

 e655bb4c3a7b87eb363dcfd24f139dcf  corporate/4.0/x86_64/lib64tiff3-3.6.1-12.7.20060mlcs4.x86_64.rpm
 f9676f4f1400c9311d320a88d67d8b91  corporate/4.0/x86_64/lib64tiff3-devel-3.6.1-12.7.20060mlcs4.x86_64.rpm
 5c0dccb5f0168c4e43672d9d7982d49f  corporate/4.0/x86_64/lib64tiff3-static-devel-3.6.1-12.7.20060mlcs4.x86_64.rpm
 87a216a31e01f158135a23095fd341a1  corporate/4.0/x86_64/libtiff-progs-3.6.1-12.7.20060mlcs4.x86_64.rpm 
 bb4663c662718a57113cf78d7e8c7b13  corporate/4.0/SRPMS/libtiff-3.6.1-12.7.20060mlcs4.src.rpm

MNF2.0 i586

 5acf2c9864c31560ac109574e94caef0  mnf/2.0/i586/libtiff3-3.5.7-11.14.C30mdk.i586.rpm 
 b2f1fc5125dd9e951d6d38ead8050461  mnf/2.0/SRPMS/libtiff-3.5.7-11.14.C30mdk.src.rpm

2008.0 i586

 f48e75c73b1485dd999147f6916d714b  2008.0/i586/libtiff3-3.8.2-8.1mdv2008.0.i586.rpm
 1f81e09035972f2dd658b740913027f8  2008.0/i586/libtiff3-devel-3.8.2-8.1mdv2008.0.i586.rpm
 38cb329a1841478e36a4c2f78c2b9d0f  2008.0/i586/libtiff3-static-devel-3.8.2-8.1mdv2008.0.i586.rpm
 a69b25380f8eb9dff4cae5731aa1576b  2008.0/i586/libtiff-progs-3.8.2-8.1mdv2008.0.i586.rpm 
 4062ab04fafcc0b310643bdbcc39e343  2008.0/SRPMS/libtiff-3.8.2-8.1mdv2008.0.src.rpm

2007.1 i586

 5453e1e862c9516bf754ff5dd0510e99  2007.1/i586/libtiff3-3.8.2-8.1mdv2007.1.i586.rpm
 c41cc4f89c2a576b31f55604020686b9  2007.1/i586/libtiff3-devel-3.8.2-8.1mdv2007.1.i586.rpm
 3a84a5b36810fc04266b0e8db40cf95a  2007.1/i586/libtiff3-static-devel-3.8.2-8.1mdv2007.1.i586.rpm
 2e184a5e809f31357e1238d4ffb0e7e7  2007.1/i586/libtiff-progs-3.8.2-8.1mdv2007.1.i586.rpm 
 6f0b7a336c92b3f6026882f16fea8e36  2007.1/SRPMS/libtiff-3.8.2-8.1mdv2007.1.src.rpm

CS3.0 x86_64

 bec82cc9258d4500374b06871f420492  corporate/3.0/x86_64/lib64tiff3-3.5.7-11.14.C30mdk.x86_64.rpm
 3baa1d2a9aef965ec71ed15ba8bf1a20  corporate/3.0/x86_64/lib64tiff3-devel-3.5.7-11.14.C30mdk.x86_64.rpm
 02a22843046e7a3a3208e20ff95f633a  corporate/3.0/x86_64/lib64tiff3-static-devel-3.5.7-11.14.C30mdk.x86_64.rpm
 529cb32db1c9e2f21278ec3154498278  corporate/3.0/x86_64/libtiff-progs-3.5.7-11.14.C30mdk.x86_64.rpm 
 e08892c5ded68d96e16862f8b69946ab  corporate/3.0/SRPMS/libtiff-3.5.7-11.14.C30mdk.src.rpm

2008.0 x86_64

 e06c6562905343841510dc6149321ea7  2008.0/x86_64/lib64tiff3-3.8.2-8.1mdv2008.0.x86_64.rpm
 2645a673dd22ff97b87f315e228a6e8a  2008.0/x86_64/lib64tiff3-devel-3.8.2-8.1mdv2008.0.x86_64.rpm
 3b35439a9606085a451c85fb87762476  2008.0/x86_64/lib64tiff3-static-devel-3.8.2-8.1mdv2008.0.x86_64.rpm
 712fa17a6debde8aaa02b6b63f25e99c  2008.0/x86_64/libtiff-progs-3.8.2-8.1mdv2008.0.x86_64.rpm 
 4062ab04fafcc0b310643bdbcc39e343  2008.0/SRPMS/libtiff-3.8.2-8.1mdv2008.0.src.rpm

CS3.0 i586

 518e89f46b971a1bb21ae1c014247924  corporate/3.0/i586/libtiff3-3.5.7-11.14.C30mdk.i586.rpm
 d60decb8c0b256b22f78aadbe8eebe0c  corporate/3.0/i586/libtiff3-devel-3.5.7-11.14.C30mdk.i586.rpm
 b3f257066e07132549b2d5027736c028  corporate/3.0/i586/libtiff3-static-devel-3.5.7-11.14.C30mdk.i586.rpm
 2907ac3739e1718f7908ce64c3fd7867  corporate/3.0/i586/libtiff-progs-3.5.7-11.14.C30mdk.i586.rpm 
 e08892c5ded68d96e16862f8b69946ab  corporate/3.0/SRPMS/libtiff-3.5.7-11.14.C30mdk.src.rpm

2008.1 x86_64

 67aba91807aa52b92baefac9f51e5991  2008.1/x86_64/lib64tiff3-3.8.2-10.1mdv2008.1.x86_64.rpm
 60bfa4862afb7b8719fa17c7661a422f  2008.1/x86_64/lib64tiff3-devel-3.8.2-10.1mdv2008.1.x86_64.rpm
 6e96394972e36c83768433e2b2ad36a7  2008.1/x86_64/lib64tiff3-static-devel-3.8.2-10.1mdv2008.1.x86_64.rpm
 0a16cd2b222893004166293534b9edde  2008.1/x86_64/libtiff-progs-3.8.2-10.1mdv2008.1.x86_64.rpm 
 991200fe0e312eb8532e76a42a5f5f36  2008.1/SRPMS/libtiff-3.8.2-10.1mdv2008.1.src.rpm

2008.1 i586

 96ab6a2cbd02a41d51d28852ba8c542a  2008.1/i586/libtiff3-3.8.2-10.1mdv2008.1.i586.rpm
 586ed80dcca4c1512fa0a8f344c4b1ca  2008.1/i586/libtiff3-devel-3.8.2-10.1mdv2008.1.i586.rpm
 8536b2918799e028e92946ae5a9f8bfa  2008.1/i586/libtiff3-static-devel-3.8.2-10.1mdv2008.1.i586.rpm
 0e311bd531287bd6f71aede0ab233375  2008.1/i586/libtiff-progs-3.8.2-10.1mdv2008.1.i586.rpm 
 991200fe0e312eb8532e76a42a5f5f36  2008.1/SRPMS/libtiff-3.8.2-10.1mdv2008.1.src.rpm

2007.1 x86_64

 712950c98f929999cb7a53dad56db456  2007.1/x86_64/lib64tiff3-3.8.2-8.1mdv2007.1.x86_64.rpm
 820be023570529dbcbc4682a687aa59d  2007.1/x86_64/lib64tiff3-devel-3.8.2-8.1mdv2007.1.x86_64.rpm
 741e09ecc07a42f95ba97f99daf8b474  2007.1/x86_64/lib64tiff3-static-devel-3.8.2-8.1mdv2007.1.x86_64.rpm
 5f44d3ec3d223be06ecdeacae2fc3c04  2007.1/x86_64/libtiff-progs-3.8.2-8.1mdv2007.1.x86_64.rpm 
 6f0b7a336c92b3f6026882f16fea8e36  2007.1/SRPMS/libtiff-3.8.2-8.1mdv2007.1.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2327