Hello, out-of-bounds write vulnerability in the tiff2rgba tool has been reported in: http://www.openwall.com/lists/oss-security/2016/04/08/6

"""
Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Write
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

When libtiff 4.0.6 tiff2rgba handle malicious tif file(width= 8388640, height=31) and set param -b will cause illegal write. The vulnerability exist in function cvt_by_strip (also exist in cvt_by_tile ) without checking the buffer allocate result. An attacker may control the write address and/or value to result in denial-of-service or command execution.
"""
Created an attachment (id=664)
Patch taken from http://vault.centos.org/7.2.1511/updates/Source/SPackages/libtiff-4.0.3-25.el7_2.src.rpm
Would be good to have access to the sample/test.tif file
Fixed per:

2016-08-15 Even Rouault <even.rouault at spatialys.com>

* tools/tiff2rgba.c: Fix integer overflow in size of allocated buffer, when -b mode is enabled, that could result in out-of-bounds write. Based initially on patch tiff-CVE-2016-3945.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid tests that rejected valid files.

/cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v <-- tools/tiff2rgba.c
new revision: 1.22; previous revision: 1.21
Downstream RedHat notified per https://bugzilla.redhat.com/show_bug.cgi?id=1325093#c9
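
The class of bug named in the fix above, an integer overflow in the size of an RGBA raster buffer, can be shown with the added example below; it is not libtiff's code or the attached patch. The function names and the rows-per-strip value of 128 are assumptions made for illustration; only the width 8388640 and height 31 come from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: width * rows * sizeof(uint32_t) evaluated in 32 bits.
   The product silently wraps modulo 2^32 (hypothetical helper). */
static uint32_t raster_bytes_unchecked(uint32_t width, uint32_t rows)
{
    return width * rows * (uint32_t)sizeof(uint32_t);
}

/* Checked form: returns 1 and stores the byte count in *out, or returns 0
   if either multiplication would exceed a 32-bit size (hypothetical helper). */
static int raster_bytes_checked(uint32_t width, uint32_t rows, uint32_t *out)
{
    const uint32_t px = (uint32_t)sizeof(uint32_t);
    uint32_t pixels;

    if (width == 0 || rows == 0)
        return 0;
    if (width > UINT32_MAX / rows)      /* width * rows would wrap */
        return 0;
    pixels = width * rows;
    if (pixels > UINT32_MAX / px)       /* pixels * 4 would wrap */
        return 0;
    *out = pixels * px;
    return 1;
}

int main(void)
{
    const uint32_t width = 8388640u;    /* width from the report */
    const uint32_t rows_ok = 31u;       /* height from the report */
    const uint32_t rows_bad = 128u;     /* constructed rows-per-strip value */
    uint32_t n = 0;

    /* Wrapped size is far smaller than the pixels later written into it. */
    printf("unchecked, %u rows: %u bytes\n", (unsigned)rows_bad,
           (unsigned)raster_bytes_unchecked(width, rows_bad));

    if (!raster_bytes_checked(width, rows_bad, &n))
        printf("checked, %u rows: rejected (size overflows)\n", (unsigned)rows_bad);
    if (raster_bytes_checked(width, rows_ok, &n))
        printf("checked, %u rows: %u bytes\n", (unsigned)rows_ok, (unsigned)n);
    return 0;
}
```

A caller that receives 0 from the checked form should refuse the file before allocating, and should still test the allocator's return value when the size is accepted.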