Summary: | <media-libs/tiff-4.0.7-r1: stack-based buffer overflow in _TIFFVGetField (tif_dir.c) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | graphics+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://blogs.gentoo.org/ago/2017/01/01/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c/ | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2017-03-27 09:19:21 UTC
CVE ID: CVE-2016-10095
Summary: Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.
Published: 2017-03-01T15:59:00.000Z

pulled in 4.0.7-r1
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f61e94523aef88e99d1140307b83bd518a450a14

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

This bug has _not_ been fixed by upstream. There are no patches.

From Debian:

> This is a duplicate of CVE-2015-7554, both were reported against tiffsplit
> While the _TIFFVGetField function is a generic function, CVE IDs seem to be
> assigned per tool using it, so CVE-2015-7554/CVE-2016-10095 refers to the
> tiffsplit tool

...and Debian uses https://sources.debian.net/src/tiff/4.0.7-7/debian/patches/28-CVE-2015-7554.patch/ (similar to RH). It is only a partial fix, however Debian and RH consider the vulnerability fixed...

@ Vapier: Can you please help to identify which patch from your commit should address the issue?

(In reply to Thomas Deutschmann from comment #5)
> From Debian:
>
> > This is a duplicate of CVE-2015-7554, both were reported against tiffsplit
> > While the _TIFFVGetField function is a generic function, CVE IDs seem to be
> > assigned per tool using it, so CVE-2015-7554/CVE-2016-10095 refers to the
> > tiffsplit tool
>
> ...and Debian uses
> https://sources.debian.net/src/tiff/4.0.7-7/debian/patches/28-CVE-2015-7554.patch/ (similar to RH). It is only a partial fix, however Debian and RH
> consider the vulnerability fixed...
>
>
> @ Vapier: Can you please help to identify which patch from your commit
> should address the issue?

The patch he used is from here: http://bugzilla.maptools.org/show_bug.cgi?id=2599

+From 9bbbe303c8e5db20d7f687ee1ca19c98fb852044 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 3 Dec 2016 15:30:31 +0000
+Subject: [PATCH] * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS,
+ ) is called, limit the return number of inks to SamplesPerPixel, so that code
+ that parses ink names doesn't go past the end of the buffer. Reported by
+ Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599

It is applied as Vapier said. I see nothing indicating this is a partial fix. This is also a DoS.

@maintainers, please clean the vulnerable versions.

<media-libs/tiff-4.0.8:0
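Added example (editor's illustration, not code from this bug, from libtiff, or from any of the commenters above): a constructed C model of the pattern the commit message describes. A TIFF file carries NumberOfInks and InkNames as separate tags, so a crafted file can claim far more inks than the InkNames buffer actually holds; a consumer that trusts the count and walks that many NUL-terminated names reads past the end of the buffer. `ninks_fixed` applies the cap the commit message states (never report more inks than SamplesPerPixel). The struct, function names and sample ink names are all assumptions made for this example; the walker tracks the real buffer end only so that the overrun is reported instead of performed, which the vulnerable tool-side loop does not do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the three TIFF fields involved (assumption: this is
   not libtiff's TIFFDirectory). InkNames is a run of NUL-terminated strings;
   NumberOfInks says how many names the file claims it holds. Both values
   come straight from the (possibly crafted) file. */
struct ink_dir {
    uint16_t samplesperpixel;  /* SamplesPerPixel tag */
    uint16_t ninks;            /* NumberOfInks tag, as stored in the file */
    const char *inknames;      /* InkNames tag data */
    size_t inknames_len;       /* true byte length of inknames, known to the parser */
};

/* Unfixed getter: hands back NumberOfInks exactly as the file stored it. */
uint16_t ninks_unfixed(const struct ink_dir *d)
{
    return d->ninks;
}

/* Fixed getter, following the commit message: never report more inks than
   SamplesPerPixel, so callers that walk ink names stay within what the
   directory can describe. */
uint16_t ninks_fixed(const struct ink_dir *d)
{
    return d->ninks > d->samplesperpixel ? d->samplesperpixel : d->ninks;
}

/* Consumer in the style of a tool copying ink names: walk `ninks`
   NUL-terminated names and sum their lengths (bytes a copy would need).
   In the real bug the walk is an unbounded strlen()/strchr(); here the
   buffer end only *reports* the overrun (return 0, *overran = 1) instead of
   reading out of bounds, so the example is safe to run. */
size_t inknames_bytes(const struct ink_dir *d, uint16_t ninks, int *overran)
{
    const char *cp = d->inknames;
    const char *end = d->inknames + d->inknames_len;
    size_t total = 0;
    *overran = 0;
    for (uint16_t i = 0; i < ninks; i++) {
        size_t room = (size_t)(end - cp);
        size_t n = 0;
        while (n < room && cp[n] != '\0')   /* bounded strlen */
            n++;
        if (n == room) {                    /* name starts or ends past the buffer */
            *overran = 1;
            return 0;
        }
        total += n + 1;
        cp += n + 1;
    }
    return total;
}

/* Constructed sample: four real ink names, 26 bytes of tag data. */
static const char crafted_names[] = "Cyan\0Magenta\0Yellow\0Black\0";

/* Crafted file claims 0xFFFF inks: trusting the count walks off the buffer. */
int demo_unfixed_overruns(void)
{
    struct ink_dir d = { 4, 0xFFFF, crafted_names, sizeof crafted_names - 1 };
    int overran;
    inknames_bytes(&d, ninks_unfixed(&d), &overran);
    return overran;                       /* 1 */
}

/* Same file through the capped getter: 4 names, 26 bytes, no overrun. */
size_t demo_fixed_bytes(void)
{
    struct ink_dir d = { 4, 0xFFFF, crafted_names, sizeof crafted_names - 1 };
    int overran;
    size_t n = inknames_bytes(&d, ninks_fixed(&d), &overran);
    return overran ? 0 : n;               /* 26 */
}

/* Second constructed case: NumberOfInks agrees with SamplesPerPixel (4),
   but the InkNames buffer only carries two names. The cap alone cannot
   see this; only the consumer's own length check does. */
int demo_short_buffer_overruns(void)
{
    static const char two_names[] = "Cyan\0Magenta\0";
    struct ink_dir d = { 4, 4, two_names, sizeof two_names - 1 };
    int overran;
    inknames_bytes(&d, ninks_fixed(&d), &overran);
    return overran;                       /* 1 */
}

int main(void)
{
    printf("unfixed getter overruns: %d\n", demo_unfixed_overruns());
    printf("fixed getter, bytes needed: %zu\n", demo_fixed_bytes());
    printf("short buffer overruns even when capped: %d\n", demo_short_buffer_overruns());
    return 0;
}
```

The third case is the practitioner's caveat, and it is mine rather than a statement about the upstream patch: capping the count at SamplesPerPixel bounds how many names a consumer will look for, but nothing forces the InkNames data to contain that many terminators, so any code that walks the names should also bound the walk by the tag's byte length.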