Bug 2543 - [PATCH] CVE-2016-3991: out-of-bounds write in loadImage() in tiffcrop tool
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
Target Milestone: ---
Assigned To:
URL: http://www.openwall.com/lists/oss-sec...
Reported: 2016-05-01 04:37 by
Modified: 2016-08-15 16:18


Attachments
Patch taken from http://vault.centos.org/7.2.1511/updates/Source/SPackages/libtiff-4.0.3-25.el7_2.src.rpm (3.63 KB, patch), 2016-08-04 03:59, Even Rouault
CVE-2016-3991 (384 bytes, image/tiff), 2016-08-11 01:48, Henri Salo


Description From 2016-05-01 04:37:39
Hello,

An out-of-bounds write vulnerability in loadImage() in the tiffcrop tool has been
reported in: http://www.openwall.com/lists/oss-security/2016/04/12/3

Affected Versions: <= 4.0.6
Tested system: CentOS Linux release 7.1.1503 64bit
Vulnerability Type: out-of-bounds write
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360
------- Comment #2 From 2016-08-04 03:59:52 -------
Would be good to have access to the _TIFFfree.tif and src1.tif files of the
report.
------- Comment #3 From 2016-08-11 01:48:03 -------
Created an attachment (id=668)
CVE-2016-3991

File received from advisory author.

MD5: 40d9b0af462e73f86accbeebce67114f
SHA1: 4b3e6d4631fc3bf796d94739610a437a95462e71
http://bugs.fi/media/afl/libtiff/CVE-2016-3991.tif
------- Comment #4 From 2016-08-15 16:06:07 -------
Fixed per

2016-08-15 Even Rouault <even.rouault at spatialys.com>

        * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
        From patch libtiff-CVE-2016-3991.patch from
        libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)

/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
new revision: 1.38; previous revision: 1.37
------- Comment #5 From 2016-08-15 16:17:37 -------
*** Bug 2560 has been marked as a duplicate of this bug. ***
------- Comment #6 From 2016-08-15 16:18:54 -------
*** Bug 2573 has been marked as a duplicate of this bug. ***