Scientific Linux Security Update : libtiff on SL3.x, SL4.x, SL5.x i386/x86_64
High Nessus Plugin ID 60471
Synopsis
The remote Scientific Linux host is missing one or more security updates.
Description
Multiple uses of uninitialized values were discovered in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked with libtiff to crash or, possibly, execute arbitrary code. (CVE-2008-2327)
SL4: A buffer overflow flaw was discovered in the tiff2pdf conversion program distributed with libtiff. An attacker could create a TIFF file containing UTF-8 characters that would, when converted to PDF format, cause tiff2pdf to crash, or, possibly, execute arbitrary code.
SL4 & SL5: Additionally, these updated packages fix the following bug:
- The libtiff packages included manual pages for the sgi2tiff and tiffsv commands, which are not included in these packages. These extraneous manual pages were removed.
Solution
Update the affected libtiff and/or libtiff-devel packages.