Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 538318 (CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2014-9655, CVE-2015-1547) - <media-libs/tiff-4.0.7: multiple vulnerabilities (CVE-2014-{8127,8128,8129,8130,9655},CVE-2015-1547)
Summary: <media-libs/tiff-4.0.7: multiple vulnerabilities (CVE-2014-{8127,8128,8129,81...
Status: RESOLVED FIXED
Alias: CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2014-9655, CVE-2015-1547
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-31 08:31 UTC by Agostino Sarubbo
Modified: 2017-01-09 17:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-01-31 08:31:50 UTC
From ${URL} :

Multiple vulnerabilities have been discovered in several tools distributed
along with LibTIFF.

Upstream references:
- CVE-2014-8130 libtiff: Divide By Zero in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2483
- CVE-2014-8127 libtiff: Out-of-bounds Read in the thumbnail tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2484
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2bw tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2485
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2rgba tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2486
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2487
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2488
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2489
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2490
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2491
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2492
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2493
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2495
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2ps and tiffdither tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2496
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffmedian tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2497
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2499
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffset tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2500
- CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2501

All the crashes were discovered with the help of afl
(http://lcamtuf.coredump.cx/afl/).

Advisories:
- CVE-2014-8127
  http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
- CVE-2014-8128
  http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes.txt
- CVE-2014-8129
  http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_Writes.txt
- CVE-2014-8130
  http://www.conostix.com/pub/adv/CVE-2014-8130-LibTIFF-Division_By_Zero.txt

This was tested on Ubuntu 14.04.1 LTS (amd64) LibTIFF 4.0.3-7ubuntu0.1 .

Last stable LibTIFF source release v4.0.3 is also affected.

Upstream CVS HEAD contains fixes for all bugs except the following:
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2499
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffset tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2500
- CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2501

Please accept my apologies for the mishandling of this report. I did not
conform to the distros list policy regarding embargo time enforcement
and I failed to notify oss-security before creating bug reports on
public upstream's Bugzilla.
Clearly, notifying the distros list before upstream was not the way to go.
I take full responsibility for this.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-07 17:20:10 UTC
Further CVEs assigned in http://seclists.org/oss-sec/2015/q1/454
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-20 04:53:14 UTC
The following have been addressed in http://libtiff.maptools.org/v4.0.4beta.html

CVE-2014-{8127,8128,8129}

CVE-2014-9655 addressed in https://abi-laboratory.pro/tracker/changelog/libtiff/4.0.4/log.html

CVE-2014-8130 can no longer be reproduced by upstream http://bugzilla.maptools.org/show_bug.cgi?id=2483


CVE-2015-1547 remains unfixed.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 16:28:10 UTC
(In reply to Aaron Bauman from comment #2)
> CVE-2015-1547 remains unfixed.

Fixed in 4.0.7, from https://bugzilla.redhat.com/show_bug.cgi?id=1190709#c3:

> Considering above part of patch that fixes CVE-2014-9655 in tif_next.c from
> commit https://github.com/vadz/libtiff/commit/40a5955cbf0df62b1f9e9bd7d9657b0070725d19
> fixes CVE-2015-1547


Added to existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-09 17:00:55 UTC
This issue was resolved and addressed in
 GLSA 201701-16 at https://security.gentoo.org/glsa/201701-16
by GLSA coordinator Thomas Deutschmann (whissi).