
Bug 693394 (CVE-2019-14973)

Summary: <media-libs/tiff-4.0.10-r2: Integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour
Product: Gentoo Security
Reporter: Mattias Nissler <mnissler>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: arm, m68k, sh
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
See Also:
Whiteboard: A4 [glsa? cve stable]
Package list:
Runtime testing required: Yes

Description Mattias Nissler 2019-09-03 10:31:12 UTC
Per :

_TIFFCheckMalloc()/_TIFFCheckRealloc() used an unsafe way to detect overflow
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
signed), which was especially easily triggered on 32-bit builds (with recent
enough compilers that assume that signed multiplication cannot overflow, since
this is undefined behaviour by the C standard). The original issue which led to
this fix was triggered from tif_fax3.c

There were also unsafe (implementation-defined), and broken in practice on 64-bit
builds, ways of checking that a uint64 fits in a (signed) tmsize_t by doing
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
at that time exploits, but are better to fix in a more bullet-proof way.
Or similarly use of (int64)uint64_var <= 0.
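
The two kinds of check described in the report above, as an added C example (not libtiff's code and not part of the original report). It assumes int32_t models the signed tmsize_t of a 32-bit build and int64_t that of a 64-bit build; all function and type names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: int32_t stands in for the signed size type (tmsize_t in the
 * report) as it is on a 32-bit build. All names here are hypothetical. */
typedef int32_t size32_t;

/* Returns nmemb * elem_size, or 0 if an operand is non-positive or the
 * product would not fit. The bound is tested by division BEFORE multiplying,
 * so no overflowing signed multiplication is ever evaluated. A test placed
 * after an overflowing multiplication comes too late: the overflow is
 * undefined behaviour and the compiler may optimise the test away. */
static size32_t checked_mul(size32_t nmemb, size32_t elem_size)
{
    if (nmemb <= 0 || elem_size <= 0)
        return 0;
    if (nmemb > INT32_MAX / elem_size)
        return 0;
    return nmemb * elem_size;
}

/* The round-trip test from the report, with a 64-bit signed size type.
 * The unsigned-to-signed conversion is implementation-defined; on common
 * two's-complement compilers every value round-trips, so nothing is rejected. */
static int roundtrip_says_fits(uint64_t v)
{
    return (uint64_t)(int64_t)v == v;
}

/* Bounded alternative: compare in the unsigned domain against the maximum. */
static int bounded_says_fits(uint64_t v)
{
    return v <= (uint64_t)INT64_MAX;
}

int main(void)
{
    printf("65536 * 65536 -> %d\n", (int)checked_mul(65536, 65536));
    printf("1024 * 1024   -> %d\n", (int)checked_mul(1024, 1024));
    printf("round-trip accepts UINT64_MAX: %d\n", roundtrip_says_fits(UINT64_MAX));
    printf("bounded accepts UINT64_MAX:    %d\n", bounded_says_fits(UINT64_MAX));
    return 0;
}
```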
Comment 1 Larry the Git Cow gentoo-dev 2019-09-03 19:46:07 UTC
The bug has been referenced in the following commit(s):

commit 6f50c6e9a116c3d950db0cd2e131893aca2f1cf2
Author:     Mattias Nissler <>
AuthorDate: 2019-09-03 10:25:18 +0000
Commit:     Aaron Bauman <>
CommitDate: 2019-09-03 19:45:36 +0000

    media-libs/tiff: Pull in patch for CVE-2019-14973
    Signed-off-by: Mattias Nissler <>
    Signed-off-by: Aaron Bauman <>

 ....0.10-CVE-2019-14973-fix-integer-overflow.patch | 395 +++++++++++++++++++++
 media-libs/tiff/tiff-4.0.10-r2.ebuild              |  85 +++++
 2 files changed, 480 insertions(+)
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-09-03 19:49:03 UTC
@arches, please stabilize.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-09-03 22:51:09 UTC
arm64 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-04 05:57:52 UTC
amd64 stable
Comment 5 Rolf Eike Beer 2019-09-04 17:06:21 UTC
What kind of runtime testing is required here?
Comment 6 Agostino Sarubbo gentoo-dev 2019-09-05 07:44:46 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-09-05 07:46:08 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-09-05 07:46:57 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-09-05 11:35:33 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-09-05 15:14:32 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-09-13 12:05:07 UTC
ia64 stable
Comment 12 Sergei Trofimovich gentoo-dev 2019-09-20 06:53:36 UTC
hppa stable
Comment 13 Matt Turner gentoo-dev 2019-09-21 07:24:02 UTC
alpha stable