CERT RENATER
Contact us
- Email: cert@support.renater.fr
- Web: CERT pages
- Tel: 01.53.94.20.44
- Fax: 01.53.94.20.31
====================================================================
CERT-Renater

Information Note No. 2010/VULN209
_____________________________________________________________________

DATE : 16/06/2010

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S) : Systems running Libtiff versions prior to 3.9.3.

======================================================================
http://www.asmail.be/msg0054965410.html
http://www.remotesensing.org/libtiff/v3.9.3.html
______________________________________________________________________

Libtiff 3.9.3 is now released. This release fixes various bugs which were reported via libtiff Bugzilla as well as some security issues.

Please visit http://www.remotesensing.org/libtiff/v3.9.3.html to read about the release, or to download the software.

Thanks,

Bob
--
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
_____________________________________________________________________

TIFF CHANGE INFORMATION

Current Version: v3.9.3
Previous Version: v3.9.2
Master FTP Site: ftp.remotesensing.org, directory pub/libtiff
Master HTTP Site: http://www.remotesensing.org/libtiff

This document describes the changes made to the software between the previous and current versions (see above). If you don't find something listed here, then it was not done in this timeframe, or it was not considered important enough to be mentioned.

The following information is located here:

* Major Changes
* Changes in the software configuration
* Changes in libtiff
* Changes in the tools
* Changes in the contrib area

MAJOR CHANGES:

* Fixes for CVE-2010-1411.
* Various reported bug fixes.

CHANGES IN THE SOFTWARE CONFIGURATION:

* libtool is updated to version 2.2.10.

CHANGES IN LIBTIFF:

* Fix a couple of issues that trigger failures in some cases when using TIFFReadScanline() with JPEG compressed subsampled ycbcr images.
  http://bugzilla.maptools.org/show_bug.cgi?id36

* Ensure tile and scanline sizes are reset when moving to new directories.
  http://bugzilla.maptools.org/show_bug.cgi?id36

* Do not generate a JPEGTables tag when creating the JPEG TIFF as it is not required in order to prevent it from being unused and filled with invalid data. (Leave it to be generated by later activity.)
  http://bugzilla.maptools.org/show_bug.cgi?id!35

* Don't return error on badly-terminated MMR strips.
  http://bugzilla.maptools.org/show_bug.cgi?id 29

* Have TIFFTAG_REFERENCEBLACKWHITE always print 6 floats instead of 2*SamplesPerPixel.
  http://bugzilla.maptools.org/show_bug.cgi?id!86

* Ensure that JPEG quality is always set in JPEGPreEncode(), not just when we want to output local tables. Otherwise the quality used during compression may not be right and might not match the tables in the tables tag. This bug only occurs when seeking between directories in the midst of writing blocks.
  http://trac.osgeo.org/gdal/ticket/3539

* OJPEG: Report an error and avoid a crash if the input file is so broken that the strip offsets are not defined.

* Eliminate FAX3 decoder buffer overrun possibility (CVE-2010-1411).

* Restore ReferenceBlackWhite as a non-custom field. This avoids a multi-thread reentrancy problem as well as fixing output of wrong tag value due to redundant definitions for the same tag in the tiffFieldInfo[] array. Resolves
  http://bugzilla.maptools.org/show_bug.cgi?id!85

CHANGES IN THE TOOLS:

* tiff2pdf: Write the JPEG SOI headers into the TIFF strip data rather than skipping them. This fixes the ability to view in Acrobat Reader, Evince, and Ghostscript.
  http://bugzilla.maptools.org/show_bug.cgi?id!35

* ppm2tiff: While case for parsing comment line requires extra parenthesis to work as expected. Reported by Thomas Sinclair.

* tiffcp: Add a new option -x to force the merged TIFF file's PAGENUMBER values into sequence, for users who care about the page sequence. This also prevents tiff2pdf from creating a PDF file with the wrong page sequence from the merged TIFF file.

* tiffcp: Applied Tom Lane's patch to reject YCbCr subsampled data since tiffcp currently doesn't support it.
  http://bugzilla.maptools.org/show_bug.cgi?id 97

CHANGES IN THE CONTRIB AREA:

* None

Last updated $Date: 2010-06-11 22:08:01 $.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 151 bd de l'Hopital | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================