Scientific Linux Security Update : libtiff on SL3.x, SL4.x, SL5.x i386/x86_64

high Nessus Plugin ID 60471

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

Multiple uses of uninitialized values were discovered in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked with libtiff to crash or, possibly, execute arbitrary code. (CVE-2008-2327)

SL4: A buffer overflow flaw was discovered in the tiff2pdf conversion program distributed with libtiff. An attacker could create a TIFF file containing UTF-8 characters that would, when converted to PDF format, cause tiff2pdf to crash or, possibly, execute arbitrary code. (CVE-2006-2193)

SL4 & SL5: Additionally, these updated packages fix the following bug:

- The libtiff packages included manual pages for the sgi2tiff and tiffsv commands, although those commands are not included in these packages. These extraneous manual pages were removed.

Solution

Update the affected libtiff and/or libtiff-devel packages.

See Also

http://www.nessus.org/u?fc281cfd

Plugin Details

Severity: High

ID: 60471

File Name: sl_20080828_libtiff_on_SL3_x.nasl

Version: 1.5

Type: local

Agent: unix

Published: 8/1/2012

Updated: 1/14/2021

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 8/28/2008

Reference Information

CVE: CVE-2006-2193, CVE-2008-2327

CWE: 119