Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 610330 (CVE-2017-5225) - <media-libs/tiff-4.0.7-r1: Heap-buffer overflow in tools/tiffcp via crafted BitsPerSample value (CVE-2017-5225)
Summary: <media-libs/tiff-4.0.7-r1: Heap-buffer overflow in tools/tiffcp via crafted B...
Status: RESOLVED FIXED
Alias: CVE-2017-5225
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://github.com/vadz/libtiff/commi...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2017-7592, CVE-2017-7593, CVE-2017-7594
Blocks:
  Show dependency tree
 
Reported: 2017-02-21 00:53 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-09-26 22:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 00:53:33 UTC 
A heap-buffer overflow vulnerability was found in libtiff in the tools/tiffcp. Using a maliciously crafted BitsPerSample value could cause the application to crash or possibly allow code execution.

Upstream bugs:

http://bugzilla.maptools.org/show_bug.cgi?id=2656
http://bugzilla.maptools.org/show_bug.cgi?id=2657

Upstream patch:

https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:54:00 UTC 
CVE-2017-5225 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5225):
  LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the
  tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample
  value.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-09-26 22:11:30 UTC 
This issue was resolved and addressed in
 GLSA 201709-27 at https://security.gentoo.org/glsa/201709-27
by GLSA coordinator Aaron Bauman (b-man).