Bug 2545 - [PATCH] CVE-2016-3945: out-of-bounds write in the tiff2rgba tool
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
Target Milestone: ---
Assigned To:
URL: http://www.openwall.com/lists/oss-sec...
Reported: 2016-05-01 05:08 by
Modified: 2016-08-15 15:13


Attachments
Patch taken from http://vault.centos.org/7.2.1511/updates/Source/SPackages/libtiff-4.0.3-25.el7_2.src.rpm (3.28 KB, patch), attached 2016-08-04 04:04 by Even Rouault




Description From 2016-05-01 05:08:04
Hello,

An out-of-bounds write vulnerability in the tiff2rgba tool has been reported in:
http://www.openwall.com/lists/oss-security/2016/04/08/6

"""
Affected Versions: <= 4.0.6
Vulnerability Type:  Out-of-bounds Write
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

When libtiff 4.0.6 tiff2rgba handles a malicious tif file (width=8388640,
height=31) and the -b parameter is set, it will cause an illegal write. The
vulnerability exists in the function cvt_by_strip (it also exists in
cvt_by_tile), which does not check the result of the buffer allocation. An
attacker may control the write address and/or value, resulting in
denial-of-service or command execution.
"""
------- Comment #2 From 2016-08-04 04:05:35 -------
Would be good to have access to the sample/test.tif file.
------- Comment #3 From 2016-08-15 15:07:40 -------
Fixed per:

2016-08-15 Even Rouault <even.rouault at spatialys.com>

* tools/tiff2rgba.c: Fix integer overflow in size of allocated
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
invalid tests that rejected valid files.

/cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v  <--  tools/tiff2rgba.c
new revision: 1.22; previous revision: 1.21
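An added illustration, not libtiff's code, of the allocation-size arithmetic of the kind this fix addresses: the unchecked 32-bit product of the reported width and a strip height, beside an overflow-checked version. The RowsPerStrip value of 512 is an assumption (the bug page does not state it); with it, 8388640 * 512 exceeds 2^32 by exactly 16384.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed inputs: the image width from the report and an ASSUMED
 * RowsPerStrip of 512 (the bug page does not give the strip height). */
#define REPORTED_WIDTH       8388640u
#define ASSUMED_ROWSPERSTRIP 512u

/* Unchecked pattern: pixel and byte counts computed in uint32.
 * 8388640 * 512 = 2^32 + 16384, so the pixel count wraps to 16384 and
 * the allocation request becomes 65536 bytes instead of ~17 GB; a strip
 * decode that then writes width * rowsperstrip RGBA pixels overruns it. */
uint32_t naive_raster_bytes(uint32_t width, uint32_t rowsperstrip)
{
    uint32_t pixels = width * rowsperstrip;          /* silently wraps */
    return pixels * (uint32_t)sizeof(uint32_t);
}

/* Checked pattern: widen to 64 bits and test each multiplication before
 * it happens.  Returns true with the exact byte count, or false (the
 * caller must refuse the file) on a zero dimension or on overflow. */
bool checked_raster_bytes(uint32_t width, uint32_t rowsperstrip,
                          uint64_t *out_bytes)
{
    if (width == 0 || rowsperstrip == 0)
        return false;
    uint64_t pixels = (uint64_t)width * rowsperstrip;  /* < 2^64, cannot overflow */
    if (pixels > UINT64_MAX / sizeof(uint32_t))
        return false;
    *out_bytes = pixels * sizeof(uint32_t);
    return true;
}

int main(void)
{
    uint64_t exact = 0;
    checked_raster_bytes(REPORTED_WIDTH, ASSUMED_ROWSPERSTRIP, &exact);
    printf("unchecked request: %u bytes, exact need: %llu bytes\n",
           naive_raster_bytes(REPORTED_WIDTH, ASSUMED_ROWSPERSTRIP),
           (unsigned long long)exact);
    return 0;
}
```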
------- Comment #4 From 2016-08-15 15:13:22 -------
Downstream RedHat notified per
https://bugzilla.redhat.com/show_bug.cgi?id=1325093#c9