Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 614024 (CVE-2016-10095) - <media-libs/tiff-4.0.7-r1: stack-based buffer overflow in _TIFFVGetField (tif_dir.c)
Summary: <media-libs/tiff-4.0.7-r1: stack-based buffer overflow in _TIFFVGetField (tif...
Status: RESOLVED FIXED
Alias: CVE-2016-10095
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://blogs.gentoo.org/ago/2017/01/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-27 09:19 UTC by Agostino Sarubbo
Modified: 2017-11-19 21:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-03-27 09:19:21 UTC 
Details at $URL.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-03-29 06:51:15 UTC 
    CVE ID: CVE-2016-10095
   Summary: Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.
 Published: 2017-03-01T15:59:00.000Z
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-03-31 03:43:35 UTC 
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-24 13:00:52 UTC 
This bug has _not_ been fixed by upstream. There are no patches.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-24 16:36:27 UTC 
From Debian:

> This is a duplicate of CVE-2015-7554, both were reported against tiffsplit
> While the _TIFFVGetField function is a generic function, CVE IDs seem to be
> assigned per tool using it, so CVE-2015-7554/CVE-2016-10095 refers to the
> tiffsplit tool

...and Debian uses https://sources.debian.net/src/tiff/4.0.7-7/debian/patches/28-CVE-2015-7554.patch/ (similar to RH). It is only a partial fix, however Debian and RH consider the vulnerability fixed...


@ Vapier: Can you please help to identify which patch from your commit should address the issue?
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 01:57:52 UTC 
(In reply to Thomas Deutschmann from comment #5)
> From Debian:
> 
> > This is a duplicate of CVE-2015-7554, both were reported against tiffsplit
> > While the _TIFFVGetField function is a generic function, CVE IDs seem to be
> > assigned per tool using it, so CVE-2015-7554/CVE-2016-10095 refers to the
> > tiffsplit tool
> 
> ...and Debian uses
> https://sources.debian.net/src/tiff/4.0.7-7/debian/patches/28-CVE-2015-7554.
> patch/ (similar to RH). It is only a partial fix, however Debian and RH
> consider the vulnerability fixed...
> 
> 
> @ Vapier: Can you please help to identify which patch from your commit
> should address the issue?

The patch he used is from here:

http://bugzilla.maptools.org/show_bug.cgi?id=2599


+From 9bbbe303c8e5db20d7f687ee1ca19c98fb852044 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 3 Dec 2016 15:30:31 +0000
+Subject: [PATCH] * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS,
+ ) is called, limit the return number of inks to SamplesPerPixel, so that code
+ that parses ink names doesn't go past the end of the buffer. Reported by
+ Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599

It is applied as Vapier said.  I see nothing indicating this is a partial fix.

This is also a DoS.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-10-30 00:12:19 UTC 
@maintainers, please clean the vulnerable versions.

<media-libs/tiff-4.0.8:0