Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 561880 (CVE-2015-7313)

Summary: <media-libs/tiff-4.0.7: OOM when parsing crafted tiff files (CVE-2015-7313)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: graphics+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa cve glsa blocked]
Package list:
Runtime testing required: ---
Bug Depends on: 599746    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2015-09-30 07:03:26 UTC
From ${URL} :

We found a DoS using a crafted tiff file that causes a OOM kill in low memory
system (usually less than 3GB). This was tested in Ubuntu 14.04 (64bit) but the
issue exists even in the CVS libtiff version. Please find attached the
compressed test case (otherwise it can kill my browser since gdk-pixbuf is
loading tiff files in the preview dialog!). You can test it executing:

$ tiffdither oom.tif /dev/null

If you run it with ltrace, you can see some very large reallocs:>realloc(0, 1636178024)
             = 0x7f71a42b6010>realloc(0, 1636178024)
             = 0x7f7142a54010

Upstream was notified but there is still no fix.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 16:20:26 UTC
Added to existing GLSA request.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-01-09 17:01:03 UTC
This issue was resolved and addressed in
 GLSA 201701-16 at
by GLSA coordinator Thomas Deutschmann (whissi).