PublicDateAtUSN: 2012-10-28
Candidate: CVE-2012-4447
PublicDate: 2012-10-28 15:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447
 http://www.openwall.com/lists/oss-security/2012/09/25/9
 https://ubuntu.com/security/notices/USN-1631-1
Description:
 Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows
 remote attackers to cause a denial of service (application crash) and
 possibly execute arbitrary code via a crafted TIFF image using the PixarLog
 Compression format.
Ubuntu-Description:
Notes:
 mdeslaur> as of 2012-10-05, patch may be incomplete. See oss-security
 mdeslaur> discussion.
 mdeslaur> incomplete fix in 4.0.2
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=860198
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688944
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_tiff:
 other: https://bugzilla.redhat.com/attachment.cgi?id=616925&action=diff&context=patch&collapsed=&headers=1&format=raw
upstream_tiff: released (4.0.2-4)
hardy_tiff: released (3.8.2-7ubuntu3.14)
lucid_tiff: released (3.9.2-2ubuntu0.11)
natty_tiff: ignored (reached end-of-life)
oneiric_tiff: released (3.9.5-1ubuntu1.4)
precise_tiff: released (3.9.5-2ubuntu1.3)
quantal_tiff: released (4.0.2-1ubuntu2.1)
raring_tiff: not-affected (4.0.2-4ubuntu1)
saucy_tiff: not-affected (4.0.2-4ubuntu1)
trusty_tiff: not-affected (4.0.2-4ubuntu1)
trusty/esm_tiff: not-affected (4.0.2-4ubuntu1)
devel_tiff: not-affected (4.0.2-4ubuntu1)

Patches_tiff3:
 other: https://bugzilla.redhat.com/attachment.cgi?id=616925&action=diff&context=patch&collapsed=&headers=1&format=raw
 vendor: http://www.debian.org/security/2012/dsa-2561
upstream_tiff3: needs-triage
hardy_tiff3: DNE
lucid_tiff3: DNE
natty_tiff3: DNE
oneiric_tiff3: DNE
precise_tiff3: DNE
quantal_tiff3: ignored (reached end-of-life)
raring_tiff3: ignored (reached end-of-life)
saucy_tiff3: ignored (reached end-of-life)
trusty_tiff3: DNE
trusty/esm_tiff3: DNE
devel_tiff3: DNE