Bug 2544 - [PATCH] CVE-2016-3990: out-of-bounds write in horizontalDifference8() in tiffcp tool
Status: RESOLVED FIXED
: libtiff
default
: unspecified
: PC Linux
: P1 critical
: ---
: http://www.openwall.com/lists/oss-sec...
Reported: 2016-05-01 04:44 by
Modified: 2016-08-15 15:50 (History)


Attachments
Ignore libtiff-CVE-2016-3991.patch. I didn't attach the right patch (3.63 KB, text/plain)
2016-08-04 03:45, Even Rouault
Patch taken from http://vault.centos.org/7.2.1511/updates/Source/SPackages/libtiff-4.0.3-25.el7_2.src.rpm (2.06 KB, patch)
2016-08-04 03:57, Even Rouault




Description From 2016-05-01 04:44:27
Hello,

out-of-bounds write vulnerability in horizontalDifference8() in tiffcp tool has
been reported in: http://www.openwall.com/lists/oss-security/2016/04/12/2

Affected Versions: <= 4.0.6
Tested system: CentOS Linux release 7.1.1503 64bit
Vulnerability Type: out-of-bounds write
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360
------- Comment #2 From 2016-08-04 03:46:20 -------
It would be good to have access to the poc.tif and src1.tif files of the
original report to check the fix.
------- Comment #4 From 2016-08-15 15:50:33 -------
Fixed per:

2016-08-15 Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
        if more input samples are provided than expected by
        PixarLogSetupEncode.
        Idea based on libtiff-CVE-2016-3990.patch from
        libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
        simpler check. (bugzilla #2544)

/cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v  <--  libtiff/tif_pixarlog.c
new revision: 1.46; previous revision: 1.45
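
The class of fix described in the commit message above, as an added example that is not libtiff's code and not part of the original bug report: an encoder whose scratch buffer is sized once at setup must reject an encode call that supplies more samples than that buffer holds. The names `enc_state`, `enc_setup`, `enc_encode` and `enc_cleanup`, the simplified 8-bit horizontal differencing, and the sample input are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical encoder state: scratch buffer sized once at setup. */
typedef struct {
    uint16_t *tbuf;     /* scratch buffer for differenced samples */
    size_t    tbuf_len; /* capacity of tbuf, counted in samples */
} enc_state;

/* Setup derives the buffer size from the declared image geometry. */
int enc_setup(enc_state *sp, size_t samples_per_row, size_t rows_per_strip)
{
    if (samples_per_row == 0 || rows_per_strip == 0) return 0;
    if (samples_per_row > SIZE_MAX / sizeof(uint16_t) / rows_per_strip) return 0;
    sp->tbuf_len = samples_per_row * rows_per_strip;
    sp->tbuf = malloc(sp->tbuf_len * sizeof(uint16_t));
    return sp->tbuf != NULL;
}

/* Encode n input samples. Returns samples written, or -1 if rejected. */
long enc_encode(enc_state *sp, const uint8_t *in, size_t n)
{
    uint8_t prev = 0;

    /* The check: the caller's count is not trusted to match setup. */
    if (n > sp->tbuf_len) return -1;
    for (size_t i = 0; i < n; i++) {
        sp->tbuf[i] = (uint16_t)(uint8_t)(in[i] - prev); /* horizontal difference */
        prev = in[i];
    }
    return (long)n;
}

void enc_cleanup(enc_state *sp) { free(sp->tbuf); sp->tbuf = NULL; sp->tbuf_len = 0; }

int main(void)
{
    const uint8_t in[9] = {10, 12, 15, 15, 20, 18, 18, 30, 31}; /* constructed input */
    enc_state sp;
    if (!enc_setup(&sp, 4, 2)) return 1;                  /* room for 8 samples */
    printf("8 samples -> %ld\n", enc_encode(&sp, in, 8)); /* accepted */
    printf("9 samples -> %ld\n", enc_encode(&sp, in, 9)); /* rejected */
    enc_cleanup(&sp);
    return 0;
}
```

Without the `n > sp->tbuf_len` test, the loop would write one `uint16_t` past the end of `tbuf` on the second call.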