Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 599746 (CVE-2015-7554, CVE-2015-8665, CVE-2015-8668, CVE-2015-8683, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3619, CVE-2016-3620, CVE-2016-3621, CVE-2016-3622, CVE-2016-3623, CVE-2016-3624, CVE-2016-3625, CVE-2016-3631, CVE-2016-3632, CVE-2016-3633, CVE-2016-3634, CVE-2016-3658, CVE-2016-3945, CVE-2016-3990, CVE-2016-3991, CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317, CVE-2016-5320, CVE-2016-5321, CVE-2016-5322, CVE-2016-5323, CVE-2016-5652, CVE-2016-5875, CVE-2016-6223, CVE-2016-8331, CVE-2016-9273, CVE-2016-9297, CVE-2016-9448, CVE-2016-9453, CVE-2016-9532) - <media-libs/tiff-4.0.7: Multiple vulnerabilities
Summary: <media-libs/tiff-4.0.7: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2015-7554, CVE-2015-8665, CVE-2015-8668, CVE-2015-8683, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3619, CVE-2016-3620, CVE-2016-3621, CVE-2016-3622, CVE-2016-3623, CVE-2016-3624, CVE-2016-3625, CVE-2016-3631, CVE-2016-3632, CVE-2016-3633, CVE-2016-3634, CVE-2016-3658, CVE-2016-3945, CVE-2016-3990, CVE-2016-3991, CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317, CVE-2016-5320, CVE-2016-5321, CVE-2016-5322, CVE-2016-5323, CVE-2016-5652, CVE-2016-5875, CVE-2016-6223, CVE-2016-8331, CVE-2016-9273, CVE-2016-9297, CVE-2016-9448, CVE-2016-9453, CVE-2016-9532
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
: 569978 579322 (view as bug list)
Depends on:
Blocks: CVE-2015-7313 CVE-2016-3186, CVE-2016-5102
  Show dependency tree
 
Reported: 2016-11-15 02:33 UTC by Thomas Deutschmann
Modified: 2017-06-04 12:11 UTC (History)
2 users (show)

See Also:
Package list:
=media-libs/tiff-4.0.7
Runtime testing required: ---
kensington: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2016-11-15 02:33:07 UTC
CVE-2015-8665
=============
tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.

Source: http://www.openwall.com/lists/oss-security/2015/12/24/2

Fix: https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55


CVE-2015-8683
=============
The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.

Source: http://www.openwall.com/lists/oss-security/2015/12/25/1

Fix: https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55


CVE-2015-8781
=============
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.

Source: http://www.openwall.com/lists/oss-security/2016/01/24/3

Fix: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65


CVE-2015-8782
=============
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.

Source: http://www.openwall.com/lists/oss-security/2016/01/24/3

Fix: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65


CVE-2015-8783
=============
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.

Source: http://www.openwall.com/lists/oss-security/2016/01/24/3

Fix: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65


CVE-2015-7554
=============
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.

Source: http://www.openwall.com/lists/oss-security/2015/12/26/7

Fix: http://bugzilla.maptools.org/show_bug.cgi?id=2564#c2


CVE-2015-8668
=============
Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image.

Fix: bmp2tiff has been removed from libtiff, http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4


CVE-2016-3619
=============
The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c none" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.

Source: http://www.openwall.com/lists/oss-security/2016/04/07/1

Fix: bmp2tiff utility was removed, http://bugzilla.maptools.org/show_bug.cgi?id=2567


CVE-2016-3620
=============
The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c zip" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.

Source: http://www.openwall.com/lists/oss-security/2016/04/07/2

Fix: bmp2tiff utility was removed, http://bugzilla.maptools.org/show_bug.cgi?id=2570


CVE-2016-3621
=============
The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c lzw" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.

Source: http://www.openwall.com/lists/oss-security/2016/04/07/3

Fix: bmp2tiff utility was removed, http://bugzilla.maptools.org/show_bug.cgi?id=2565


CVE-2016-3622
=============
The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image.

Source: http://www.openwall.com/lists/oss-security/2016/04/07/5


CVE-2016-3623
=============
The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0.

Source: http://seclists.org/oss-sec/2016/q2/27


CVE-2016-3624
=============
The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the "-v" option to -1.

Source: http://seclists.org/oss-sec/2016/q2/28

Upstreams sees this as a duplicate of CVE-2016-3623.


CVE-2016-3625
=============
tif_read.c in the tiff2bw tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF image.

Source: http://seclists.org/oss-sec/2016/q2/29


CVE-2016-3631
=============
The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in LibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the bytecounts[] array variable.

Source: http://seclists.org/oss-sec/2016/q2/24

Fix: Upstream will remove thumbnail utility


CVE-2016-3632
=============
The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image.

See http://bugzilla.maptools.org/show_bug.cgi?id=2549, upstream will remove thumbnail utility in upcoming version.


CVE-2016-3633
=============
The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the src variable.

See http://bugzilla.maptools.org/show_bug.cgi?id=2548, upstream will remove thumbnail utility in upcoming version.


CVE-2016-3634
=============
The tagCompare function in tif_dirinfo.c in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to field_tag matching.

See http://bugzilla.maptools.org/show_bug.cgi?id=2547, upstream will remove thumbnail utility in upcoming version.


CVE-2016-3658
=============
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable.

Duplicate of CVE-2014-8127


CVE-2016-3945
=============
Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write.

Source: http://seclists.org/oss-sec/2016/q2/30


CVE-2016-3990
=============
Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp.

Source: http://seclists.org/oss-sec/2016/q2/57


CVE-2016-3991
=============
Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles.

See http://bugzilla.maptools.org/show_bug.cgi?id=2543


CVE-2016-5314
=============
PixarLogDecode() out-of-bound writes

Source: http://seclists.org/oss-sec/2016/q2/543

Fix: https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2


CVE-2016-5315
=============
tif_dir.c: setByteArray() Read access violation

Source: http://seclists.org/oss-sec/2016/q2/544

Upstream marked this vulnerability as duplicate of CVE-2016-5314.


CVE-2016-5316
=============
tif_pixarlog.c: PixarLogCleanup() Segmentation fault

Source: http://seclists.org/oss-sec/2016/q2/545

Fix: Should be fixed as part of CVE-2016-5875, see http://bugzilla.maptools.org/show_bug.cgi?id=2556


CVE-2016-5317
=============
GNOME nautilus: crash occurs when generating a thumbnail for a crafted TIFF image

Fix: Upstream marked this vulnerability as duplicate of CVE-2016-5875, see http://bugzilla.maptools.org/show_bug.cgi?id=2557#c3


CVE-2016-5320
=============
rgb2ycbcr: command excution

Source: http://seclists.org/oss-sec/2016/q2/551


CVE-2016-5321
=============
DumpModeDecode(): Ddos

Source: http://seclists.org/oss-sec/2016/q2/549

Fix: http://bugzilla.maptools.org/show_bug.cgi?id=2558#c2


CVE-2016-5322
=============
extractContigSamplesBytes: out-of-bounds read

Source: http://seclists.org/oss-sec/2016/q2/550

Fix: Upstream marked vulnerability as duplicate of CVE-2016-3991, see http://bugzilla.maptools.org/show_bug.cgi?id=2560#c3


CVE-2016-5323
=============
tiffcrop _TIFFFax3fillruns(): NULL pointer dereference

Source: http://seclists.org/oss-sec/2016/q2/548

Fix: http://bugzilla.maptools.org/show_bug.cgi?id=2559#c3


CVE-2016-5652
=============
heap based buffer overflow in LibTIFFs TIFF2PDF tool

Source: http://www.talosintelligence.com/reports/TALOS-2016-0187/

Fix: https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63


CVE-2016-5875
=============
tiff: heap-based buffer overflow when using the PixarLog compression format

Source: http://www.talosintelligence.com/reports/TALOS-2016-0205

Fix: https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2, duplicate with VE-2016-5320 and CVE-2016-5314, cf.
https://marc.info/?l=oss-security&m=146726894625359&w=2


CVE-2016-6223
=============
tiff: information leak in libtiff/tif_read.c

Source: http://www.openwall.com/lists/oss-security/2016/07/13/3

Fix: https://github.com/vadz/libtiff/commit/0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496


CVE-2016-8331
=============
An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF version 4.0.6. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality.

Source: http://www.talosintelligence.com/reports/TALOS-2016-0190/

Fix: Upstream will remove thumbnail utility


CVE-2016-9273
=============
libtiff heap overflow

Source: http://www.openwall.com/lists/oss-security/2016/11/09/20


CVE-2016-9297
=============
libtiff/tif_dirread.c read outside buffer in _TIFFPrintField()

Source: http://www.openwall.com/lists/oss-security/2016/11/12/2
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-15 02:37:52 UTC
*** Bug 569978 has been marked as a duplicate of this bug. ***
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-11-15 02:39:52 UTC
*** Bug 579322 has been marked as a duplicate of this bug. ***
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-15 02:44:14 UTC
bmp2tiff and thumbnail utility should be dropped like we did with gif2tiff in bug 585274.

@ Maintainer(s): Last upstream release was in 2015. Due to the rating of some vulnerabilities please consider doing a snapshot release.
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-15 15:11:45 UTC
(In reply to Thomas Deutschmann from comment #3)
> bmp2tiff and thumbnail utility should be dropped like we did with gif2tiff
> in bug 585274.
> 
> @ Maintainer(s): Last upstream release was in 2015. Due to the rating of
> some vulnerabilities please consider doing a snapshot release.

I didn't analyze at all the problem but if you just remove the binary, you are removing a way to reproduce the issue, but if the issue(s) reside in the shared object, the package is still vulnerable.
Comment 5 Thomas Deutschmann gentoo-dev Security 2016-11-15 16:13:59 UTC
(In reply to Agostino Sarubbo from comment #4)
> I didn't analyze at all the problem but if you just remove the binary, you
> are removing a way to reproduce the issue, but if the issue(s) reside in the
> shared object, the package is still vulnerable.

Valid concern. All I can tell you:

Each bug listed in comment #0 affecting bmp2tiff indicates that the source file containing the problem is only used by bmp2tiff.

Upstream closed every bug affecting bmp2tiff with the comment "Closing as wontfix since bmp2tiff has been removed from libtiff".

I don't see where upstream has removed these utilities. I only find https://github.com/vadz/libtiff/commit/c421b993abe1d6792252833c3bc8b3252b015fb9 but I don't see any touched Makefile.

There were some CMakeLists.txt updates. Not sure if upstream provides a "make dist" target or similar which now doesn't contain these files/binaries.

Finally that's the way how Debian addressed the problem, see https://sources.debian.net/src/tiff/4.0.6-3/debian/rules/#L34 -- they just call rm like we already do for gif2tiff (what they also do, see line 38).

So I think we (the maintainer) should make sure that the package which will be merged doesn't contain bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr binary.
Comment 6 Thomas Deutschmann gentoo-dev Security 2016-11-18 15:31:16 UTC
CVE-2016-9297 vulnerability reported in http://bugzilla.maptools.org/show_bug.cgi?id=2590 had a regression, which is fixed in http://bugzilla.maptools.org/show_bug.cgi?id=2593 by Even Rouault.
Comment 7 Thomas Deutschmann gentoo-dev Security 2016-11-20 15:11:15 UTC
From http://seclists.org/oss-sec/2016/q4/464:

> CVE-2016-9297 vulnerability reported in http://bugzilla.maptools.org/show_bug.cgi?id=2590 had a
> regression, which is fixed in http://bugzilla.maptools.org/show_bug.cgi?id=2593
> 
>         * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
>         NULL pointer when values of tags with TIFF_SETGET_C16_ASCII /
>         TIFF_SETGET_C32_ASCII access are 0-byte arrays.
>         Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression
>         introduced by previous fix done on 2016-11-11 for CVE-2016-9297).

Use CVE-2016-9448 for the vulnerability fixed in 2593.
Comment 8 Thomas Deutschmann gentoo-dev Security 2016-11-20 15:16:11 UTC
From http://seclists.org/oss-sec/2016/q4/466:

>> http://bugzilla.maptools.org/show_bug.cgi?id=2579
>> 
>> tools/tiff2pdf.c: fix read -largely- outsize of buffer in
>>        t2p_readwrite_pdf_image_tile(), causing crash, when reading a
>>        JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
>>        Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
>>        the MSRC Vulnerabilities & Mitigations team.
>
>>> Out-of-bounds Write Caused by memcpy and no bound check.
>
>>> will cause illegal write. An attacker may control the write address and/or
>>> value
>>> to result in denial-of-service or command execution.
>
> Use CVE-2016-9453.
Comment 9 Agostino Sarubbo gentoo-dev 2016-11-21 07:21:03 UTC
@maintainer: 4.0.7 is out. I didn't check if covers all vulnerabilities listes here and in the others our bugs.
Comment 10 Lars Wendler (Polynomial-C) gentoo-dev 2016-11-21 10:47:45 UTC
commit 2cc194a9e8b12415ed250ca3c73388e939c15fee
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Nov 21 11:46:13 2016

    media-libs/tiff: Security bump to version 4.0.7 (bug #599746).

    Package-Manager: portage-2.3.2

I haven't checked if all listed vulnerabilities are fixed in 4.0.7 but bumped it anyway.
Comment 11 Agostino Sarubbo gentoo-dev 2016-11-21 16:54:50 UTC
Arches, please test and mark stable:
=media-libs/tiff-4.0.7
Target keywords : "alpha amd64 arm arm64 hppa ia64  ppc ppc64 sparc x86"
Comment 12 Agostino Sarubbo gentoo-dev 2016-11-21 17:08:28 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-11-21 17:09:11 UTC
x86 stable
Comment 14 Thomas Deutschmann gentoo-dev Security 2016-11-22 11:26:21 UTC
This one is included in 4.0.7, from http://www.openwall.com/lists/oss-security/2016/11/11/14:

>> http://bugzilla.maptools.org/show_bug.cgi?id=2592
>> 
>>         * tools/tiffcrop.c: fix multiple uint32 overflows in
>>         writeBufferToSeparateStrips(), writeBufferToContigTiles() and
>>         writeBufferToSeparateTiles() that could cause heap buffer overflows.
>>
>> Bug 2592 -
>> Summary:  Heap buffer overflow via writeBufferToSeparateStrips tiffcrop.c:1170
>>
>> AddressSanitizer: heap-buffer-overflow READ of size 223
>
> Use CVE-2016-9532 for this integer overflow report with resultant
> buffer over-read.
Comment 15 Tobias Klausmann gentoo-dev 2016-11-23 09:21:13 UTC
Stable on alpha.
Comment 16 Markus Meier gentoo-dev 2016-11-29 17:44:17 UTC
arm stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-12-19 14:39:53 UTC
sparc stable
Comment 18 Agostino Sarubbo gentoo-dev 2016-12-19 15:16:22 UTC
ia64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2016-12-20 09:49:22 UTC
ppc stable
Comment 20 Agostino Sarubbo gentoo-dev 2016-12-22 09:37:58 UTC
ppc64 stable
Comment 21 Jeroen Roovers gentoo-dev 2017-01-09 13:45:04 UTC
Stable for HPPA.
Comment 22 Thomas Deutschmann gentoo-dev Security 2017-01-09 16:39:21 UTC
Lowering rating from A1 to A2. Not sure why I initially rated this as A1.

Added to existing GLSA request.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2017-01-09 17:01:34 UTC
This issue was resolved and addressed in
 GLSA 201701-16 at https://security.gentoo.org/glsa/201701-16
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 24 Thomas Deutschmann gentoo-dev Security 2017-01-09 17:03:52 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup <media-libs/tiff-4.0.7!
Comment 25 Joseph 2017-03-11 05:34:54 UTC
You folks stabilized media-libs/tiff-4.0.7 (too fast)

but this tiff-4.0.7 is causing hylafaxplus-5.5.5 "faxq" to jam and CPU goes 100%
the modem never dial out.
See bug: 612172

So either Hylafaxplus will need to be fix or tiff-4.0.7
Comment 26 Thomas Deutschmann gentoo-dev Security 2017-06-04 12:11:10 UTC
Repository is now clean, all done.