While analyzing libtiff security issues I noticed that there is an additional buffer overflow in the gif2tiff tool (a different issue than CVE-2016-3186), tested with version 4.0.6.

http://bugs.fi/media/afl/libtiff/gif2tiff-bufferoverflow.gif

file: GIF image data, version 87a, 12336 x 12336
SHA1: 6a90ff2a087b5a351ee0652097064942764d51d4

(gdb) run
Starting program: ./bin/gif2tiff gif2tiff-bufferoverflow.gif /tmp/test.tiff
warning: wrong rastersize: 2 bytes instead of 592128 bytes
warning: wrong rastersize: 4 bytes instead of 592128 bytes
warning: wrong rastersize: 2 bytes instead of 592128 bytes
warning: wrong rastersize: 4 bytes instead of 592128 bytes
warning: wrong rastersize: 2 bytes instead of 592128 bytes
warning: wrong rastersize: 4 bytes instead of 592128 bytes
raster full before eoi code
warning: wrong rastersize: 6332624 bytes instead of 592128 bytes

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x181) at malloc.c:2929
2929 malloc.c: No such file or directory.
(gdb) bt
#0 __GI___libc_free (mem=0x181) at malloc.c:2929
#1 0x0000000000401fb1 in readgifimage (mode=mode@entry=0x402299 "a") at gif2tiff.c:331
#2 0x00000000004021a8 in convert () at gif2tiff.c:214
#3 0x00000000004010d8 in main (argc=<optimized out>, argv=0x7fffffffe138) at gif2tiff.c:174

Breakpoint 1, readgifimage (mode=mode@entry=0x402362 "w") at gif2tiff.c:331
331 _TIFFfree(raster);
CVE-2016-5102 has been assigned to this issue.
This issue was found using the american fuzzy lop fuzzer.
The gif2tiff utility is now removed from the libtiff package (as will appear in 4.0.7).
(In reply to comment #3)
> The gif2tiff utility is now removed from the libtiff package (as will appear in
> 4.0.7).

That's just crazy... Was the utility so useless?

Henri, the URL you set for this ticket returns a 404. Examining the directory (http://bugs.fi/media/afl/libtiff/), I can see the CVE-2016-5102.gif, but get a 403 when I attempt to download it... Could you make it readable, please?

Maybe I can craft a patch to save the utility from oblivion? Thanks!
Mikhail, you should be able to download it now. Sorry for the trouble. FYI, they have made a similar removal comment about the thumbnail tool.
Created an attachment (id=670) [details] CVE-2016-5102.gif