Oval Definition:oval:com.redhat.rhsa:def:20091159
Revision Date:2009-07-16Version:643
Title:RHSA-2009:1159: libtiff security update (Moderate)
Description:The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

  • Several integer overflow flaws, leading to heap-based buffer overflows, were found in various libtiff color space conversion tools. An attacker could create a specially-crafted TIFF file, which once opened by an unsuspecting user, would cause the conversion tool to crash or, potentially, execute arbitrary code with the privileges of the user running the tool. (CVE-2009-2347)

  • A buffer underwrite flaw was found in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a specially-crafted LZW-encoded TIFF file, which once opened by an unsuspecting user, would cause an application linked with libtiff to access an out-of-bounds memory location, leading to a denial of service (application crash). (CVE-2009-2285)

    The CVE-2009-2347 flaws were discovered by Tielei Wang from ICST-ERCIS, Peking University.

    All libtiff users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, all applications linked with the libtiff library (such as Konqueror) must be restarted for the update to take effect.
    • Family:unixClass:patch
    Status:Reference(s):CVE-2009-2285
    CVE-2009-2347
    RHSA-2009:1159
    RHSA-2009:1159-01
    RHSA-2009:1159-01
    Platform(s):Red Hat Enterprise Linux 3
    Red Hat Enterprise Linux 4
    Red Hat Enterprise Linux 5
    		Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 3 is installed
  • AND
  • libtiff-devel is earlier than 0:3.5.7-33.el3
  • AND libtiff-devel is signed with Red Hat master key
  • libtiff is earlier than 0:3.5.7-33.el3
  • AND libtiff is signed with Red Hat master key
  • OR Package Information
  • Red Hat Enterprise Linux 4 is installed
  • AND
  • libtiff is earlier than 0:3.6.1-12.el4_8.4
  • AND libtiff is signed with Red Hat master key
  • libtiff-devel is earlier than 0:3.6.1-12.el4_8.4
  • AND libtiff-devel is signed with Red Hat master key
  • OR Package Information
  • Red Hat Enterprise Linux 5 is installed
  • AND
  • libtiff-devel is earlier than 0:3.8.2-7.el5_3.4
  • AND libtiff-devel is signed with Red Hat redhatrelease key
  • libtiff is earlier than 0:3.8.2-7.el5_3.4
  • AND libtiff is signed with Red Hat redhatrelease key
    • Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 4 is installed
  • AND
  • libtiff is earlier than 0:3.6.1-12.el4_8.4
  • AND libtiff is signed with Red Hat redhatrelease2 key
  • libtiff-devel is earlier than 0:3.6.1-12.el4_8.4
  • AND libtiff-devel is signed with Red Hat redhatrelease2 key
  • OR Package Information
  • Red Hat Enterprise Linux 5 is installed
  • AND
  • libtiff is earlier than 0:3.8.2-7.el5_3.4
  • AND libtiff is signed with Red Hat redhatrelease2 key
  • libtiff-devel is earlier than 0:3.8.2-7.el5_3.4
  • AND libtiff-devel is signed with Red Hat redhatrelease2 key
    • BACK