Bug 2625 - CVE-2016-10095: libtiff: stack-based buffer overflow in _TIFFVGetField (setting Predictor tag on uncompressed file)
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
Target Milestone: ---
: 2580
Reported: 2016-12-04 07:09 by
Modified: 2017-06-01 07:45


Attachments
stacktrace (3.50 KB, text/plain), 2016-12-04 07:09, Agostino Sarubbo


Description From 2016-12-04 07:09:10
Created an attachment (id=717)
stacktrace

On 4.0.7:

# tiffsplit $FILE

AddressSanitizer: stack-buffer-overflow
/tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1077:29 in
_TIFFVGetField

Testcase:
https://github.com/asarubbo/poc/blob/master/00104-libtiff-stackoverflow-_TIFFVGetField
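The bug title pins the trigger down to one tag combination: a Predictor tag (317) on a file whose Compression tag (259) is absent or 1 (none). The following is an added example, not code from the report or from libtiff, that parses the TIFF IFD chain directly and flags that combination so files can be triaged before a libtiff 4.0.7 build ever touches them. It is a heuristic pre-filter for the pattern named in the title, not a signature for the overflow itself. The `build_tiff` helper and the sample files it constructs are assumptions made for this example; the tag numbers, field types and compression codes are the standard TIFF 6.0 values.

```python
import struct

TAG_COMPRESSION = 259   # TIFF 6.0 Compression tag; 1 = none, 5 = LZW
TAG_PREDICTOR = 317     # TIFF 6.0 Predictor tag; 2 = horizontal differencing
COMPRESSION_NONE = 1
TYPE_SHORT, TYPE_LONG = 3, 4


def build_tiff(entries, little_endian=True):
    """Construct a minimal classic TIFF with one IFD (hypothetical helper for this example).

    entries: list of (tag, value) pairs written as SHORT fields with count 1.
    """
    e = "<" if little_endian else ">"
    header = (b"II" if little_endian else b"MM") + struct.pack(e + "HI", 42, 8)
    ifd = struct.pack(e + "H", len(entries))
    for tag, value in sorted(entries):  # tags must be ascending
        # A SHORT that fits in the 4-byte value field is left-justified in it.
        ifd += struct.pack(e + "HHI", tag, TYPE_SHORT, 1) + struct.pack(e + "H", value) + b"\x00\x00"
    ifd += struct.pack(e + "I", 0)  # no next IFD
    return header + ifd


def read_ifds(data):
    """Walk the IFD chain and return one {tag: value} dict per IFD.

    Only count-1 SHORT/LONG fields are decoded (enough for Compression and
    Predictor); other fields are kept with value None. Offsets are bounds
    checked and the chain is cycle checked so a malformed file cannot hang
    or crash the scanner.
    """
    if len(data) < 8:
        raise ValueError("truncated TIFF header")
    if data[:2] == b"II":
        e = "<"
    elif data[:2] == b"MM":
        e = ">"
    else:
        raise ValueError("missing TIFF byte-order mark")
    magic, off = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifds, seen = [], set()
    while off and off not in seen:
        seen.add(off)
        if off + 2 > len(data):
            raise ValueError("IFD offset outside file")
        (n,) = struct.unpack_from(e + "H", data, off)
        pos = off + 2
        if pos + 12 * n + 4 > len(data):
            raise ValueError("IFD runs past end of file")
        fields = {}
        for _ in range(n):
            tag, typ, cnt = struct.unpack_from(e + "HHI", data, pos)
            if cnt == 1 and typ == TYPE_SHORT:
                (val,) = struct.unpack_from(e + "H", data, pos + 8)
            elif cnt == 1 and typ == TYPE_LONG:
                (val,) = struct.unpack_from(e + "I", data, pos + 8)
            else:
                val = None
            fields[tag] = val
            pos += 12
        (off,) = struct.unpack_from(e + "I", data, pos)
        ifds.append(fields)
    return ifds


def flag_predictor_on_uncompressed(data):
    """Return the indices of IFDs that carry a Predictor tag while Compression is absent or 1.

    The tag's presence is what matters here, regardless of its value, since
    the report concerns the tag being set on an uncompressed image at all.
    """
    hits = []
    for i, fields in enumerate(read_ifds(data)):
        compression = fields.get(TAG_COMPRESSION, COMPRESSION_NONE)  # spec default is 1
        if TAG_PREDICTOR in fields and compression == COMPRESSION_NONE:
            hits.append(i)
    return hits


# Constructed sample files: 1x1 images with differing Compression/Predictor combinations.
SUSPECT = build_tiff([(256, 1), (257, 1), (259, 1), (317, 2)])      # no compression + predictor
BENIGN_LZW = build_tiff([(256, 1), (257, 1), (259, 5), (317, 2)])   # LZW + predictor is the documented use
BENIGN_PLAIN = build_tiff([(256, 1), (257, 1), (259, 1)])           # no compression, no predictor

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("lzw", BENIGN_LZW), ("plain", BENIGN_PLAIN)):
        print(name, "flagged IFDs:", flag_predictor_on_uncompressed(blob))
```

Run against a directory of incoming files, a non-empty result from `flag_predictor_on_uncompressed` is a reason to quarantine the file or route it only to a patched libtiff; an empty result says nothing about other malformed-tag bugs in the same class.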
------- Comment #1 From 2016-12-04 08:55:54 -------
This is very similar to http://bugzilla.maptools.org/show_bug.cgi?id=2564, and
in the same class of issues as
http://bugzilla.maptools.org/show_bug.cgi?id=2580
------- Comment #2 From 2016-12-04 09:10:12 -------
(In reply to comment #1)
> This is very similar to http://bugzilla.maptools.org/show_bug.cgi?id=2564, and
> in the same class of issues as
> http://bugzilla.maptools.org/show_bug.cgi?id=2580

For completeness, both attached testcases in 2564 do not work for me on 4.0.7.
------- Comment #3 From 2017-01-06 20:13:24 -------
CVE-2015-7554 = #2584 / #2586
CVE-2016-5318 = #2561, which says same root cause as #2564

Now this bug, and it is not clear whether all 5 tickets are the same vuln or have enough
distinct characteristics to be considered different.
------- Comment #4 From 2017-01-09 18:53:06 -------
Oh, and this ticket is assigned CVE-2016-10095 via the Debian ticket:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850316
------- Comment #5 From 2017-06-01 07:45:34 -------
Fixed per http://bugzilla.maptools.org/show_bug.cgi?id=2580