Bug 693394 (CVE-2019-14973)

Summary: <media-libs/tiff-4.0.10-r2: Integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour
Product: Gentoo Security
Reporter: Mattias Nissler <mnissler>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Flags: stable-bot: sanity-check+
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://gitlab.com/libtiff/libtiff/commit/1b5e3b6a23827c33acf19ad50ce5ce78f12b3773
See Also: https://github.com/gentoo/gentoo/pull/12851
Whiteboard: A4 [noglsa cve]
Package list:
media-libs/tiff-4.0.10-r2
Runtime testing required: Yes
Bug Depends on:
Bug Blocks: 639700, 690732

Description Mattias Nissler 2019-09-03 10:31:12 UTC
Per https://gitlab.com/libtiff/libtiff/commit/1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 :

_TIFFCheckMalloc()/_TIFFCheckRealloc() used an unsafe way to detect overflow
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
signed), which was especially easily triggered on 32-bit builds (with recent
enough compilers that assume that signed multiplication cannot overflow, since
this is undefined behaviour by the C standard). The original issue which led to
this fix was triggered from tif_fax3.c

There were also unsafe (implementation defined), and broken in practice on 64-bit
builds, ways of checking that a uint64 fits in a (signed) tmsize_t by doing
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
exploits at that time, but are better to fix in a more bullet-proof way.
Or, similarly, the use of (int64)uint64_var <= 0.
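The two checks the commit message describes, written as an added example (not libtiff's code and not the referenced patch) so that neither relies on signed-overflow behaviour or on an implementation-defined round-trip cast; modelling tmsize_t as ptrdiff_t and the 0 / -1 failure sentinels are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: stand in for libtiff's signed tmsize_t. */
typedef ptrdiff_t tmsize_t;
#define TMSIZE_MAX PTRDIFF_MAX

/* Safe nmemb * elem_size: reject non-positive operands and bound nmemb by
 * TMSIZE_MAX / elem_size *before* multiplying, so the product is never
 * evaluated when it would overflow. Multiplying first and then inspecting the
 * result is signed-overflow UB, which an optimiser may legally fold away.
 * Returns the byte count, or 0 (never a valid size here) on failure. */
static tmsize_t checked_mul_size(tmsize_t nmemb, tmsize_t elem_size)
{
    if (nmemb <= 0 || elem_size <= 0)
        return 0;
    if (nmemb > TMSIZE_MAX / elem_size)
        return 0;
    return nmemb * elem_size;
}

/* Safe "does this uint64 fit in tmsize_t?": compare against the type's
 * maximum instead of testing (uint64)(tmsize_t)v != v, whose truncating
 * conversion is implementation-defined and may be folded to "always fits".
 * Returns the converted value, or -1 (impossible for a fitting uint64). */
static tmsize_t uint64_to_tmsize(uint64_t v)
{
    if (v > (uint64_t)TMSIZE_MAX)
        return -1;
    return (tmsize_t)v;
}

int main(void)
{
    /* Constructed inputs: a plausible buffer size and two overflowing ones. */
    printf("4096 x 3        -> %td\n", checked_mul_size(4096, 3));
    printf("TMSIZE_MAX x 2  -> %td (0 = rejected)\n", checked_mul_size(TMSIZE_MAX, 2));
    printf("UINT64_MAX fits -> %td (-1 = rejected)\n", uint64_to_tmsize(UINT64_MAX));
    return 0;
}
```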
Comment 1 Larry the Git Cow gentoo-dev 2019-09-03 19:46:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f50c6e9a116c3d950db0cd2e131893aca2f1cf2

commit 6f50c6e9a116c3d950db0cd2e131893aca2f1cf2
Author:     Mattias Nissler <mnissler@chromium.org>
AuthorDate: 2019-09-03 10:25:18 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-09-03 19:45:36 +0000

    media-libs/tiff: Pull in patch for CVE-2019-14973
    
    Bug: https://bugs.gentoo.org/693394
    
    Signed-off-by: Mattias Nissler <mnissler@chromium.org>
    Closes: https://github.com/gentoo/gentoo/pull/12851
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 ....0.10-CVE-2019-14973-fix-integer-overflow.patch | 395 +++++++++++++++++++++
 media-libs/tiff/tiff-4.0.10-r2.ebuild              |  85 +++++
 2 files changed, 480 insertions(+)
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-09-03 19:49:03 UTC
@arches, please stabilize.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-09-03 22:51:09 UTC
arm64 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-09-04 05:57:52 UTC
amd64 stable
Comment 5 Rolf Eike Beer archtester 2019-09-04 17:06:21 UTC
What kind of runtime testing is required here?
Comment 6 Agostino Sarubbo gentoo-dev 2019-09-05 07:44:46 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-09-05 07:46:08 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-09-05 07:46:57 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-09-05 11:35:33 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-09-05 15:14:32 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-09-13 12:05:07 UTC
ia64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2019-09-20 06:53:36 UTC
hppa stable
Comment 13 Matt Turner gentoo-dev 2019-09-21 07:24:02 UTC
alpha stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-03 13:42:29 UTC
arm stable
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-03 13:42:52 UTC
m68k stable
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-03 13:43:13 UTC
sh stable
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-03 13:47:44 UTC
GLSA vote: No.