384089 – (CVE-2011-3194) <x11-libs/qt-gui-4.7.4-r1: TIFF Grayscale Image Processing Buffer Overflow (CVE-2011-3194)

Bug 384089 (CVE-2011-3194) - <x11-libs/qt-gui-4.7.4-r1: TIFF Grayscale Image Processing Buffer Overflow (CVE-2011-3194)

Summary: <x11-libs/qt-gui-4.7.4-r1: TIFF Grayscale Image Processing Buffer Overflow (C...

Status:	RESOLVED FIXED

Alias:	CVE-2011-3194

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://secunia.com/advisories/46140/
Whiteboard:	B2 [glsa]
Keywords:

Depends on:	qt-4.7.4-stable
Blocks:
	Show dependency tree

Reported:	2011-09-22 14:41 UTC by Agostino Sarubbo
Modified:	2012-07-12 00:37 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2011-09-22 14:41:06 UTC

From secunia security advisor at $URL:

Description:
The vulnerability is caused due to an error in the TIFF reader (src/gui/image/qtiffhandler.cpp) when processing grayscale images and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 4.7.4. Other versions may also be affected.


Solution:
Fixed in the Git repository:
https://qt.gitorious.org/qt/qt/commit/cb6380beb81ab9571c547270c144988781fed465

Comment 1 Agostino Sarubbo gentoo-dev

2011-12-01 23:10:47 UTC

Since qt 4.7.4 is ready for stabilization and after talked with Davide(pesa) on
irc, I add this bug as a blocker for the qt-stabilization tracker ( bug 390963
).

We fast stabilize asap after the patch on this bug will be applied

Comment 2 Davide Pesavento gentoo-dev

2011-12-03 00:44:03 UTC

Well... I think the advisory is wrong.
The proposed fix (https://qt.gitorious.org/qt/qt/commit/cb6380beb81ab9571c547270c144988781fed465) was committed to qt upstream repo more than a year ago. Indeed that patch does not apply to qt-gui-4.7.4. The code in qtiffhandler.cpp has evolved during this time and it's slightly different now, but afaict the bug *is* fixed in 4.7.4.

Comment 3 Tim Sammut (RETIRED) gentoo-dev

2011-12-09 00:15:20 UTC

The Novell bug at [1] says that [2] reliably reproduces the issue. Would it be possible to test using this file? Thank you.

[1] https://bugzilla.novell.com/show_bug.cgi?id=637275
[2] https://bugzilla.novell.com/attachment.cgi?id=387705

Comment 4 Davide Pesavento gentoo-dev

2011-12-10 11:57:55 UTC

(In reply to comment #3)
> The Novell bug at [1] says that [2] reliably reproduces the issue. Would it be
> possible to test using this file? Thank you.
> 
> [1] https://bugzilla.novell.com/show_bug.cgi?id=637275
> [2] https://bugzilla.novell.com/attachment.cgi?id=387705

I can't reproduce the crash on 4.7.4

Comment 5 Tim Sammut (RETIRED) gentoo-dev

2011-12-18 22:12:02 UTC

(In reply to comment #2)
> but afaict the bug *is* fixed in 4.7.4.

Ok, thanks. Let's depend on 390963 instead of blocking it.

Comment 6 Tim Sammut (RETIRED) gentoo-dev

2012-05-15 06:37:58 UTC

Thanks, everyone. GLSA request filed.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2012-06-03 11:52:09 UTC

This issue was resolved and addressed in
 GLSA 201206-02 at http://security.gentoo.org/glsa/glsa-201206-02.xml
by GLSA coordinator Sean Amoss (ackle).

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2012-07-12 00:37:23 UTC

CVE-2011-3194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3194):
  Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4
  allows remote attackers to cause a denial of service (crash) and possibly
  execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale
  TIFF image with multiple samples per pixel.