Bug 585274 (CVE-2016-3186, CVE-2016-5102) - <media-libs/tiff-4.0.6-r1: gif2tiff utility: Multiple vulnerabilities
Summary: <media-libs/tiff-4.0.6-r1: gif2tiff utility: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-3186, CVE-2016-5102
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve glsa blocked]
Keywords: PATCH
Depends on: CVE-2015-7554, CVE-2015-8665, CVE-2015-8668, CVE-2015-8683, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3619, CVE-2016-3620, CVE-2016-3621, CVE-2016-3622, CVE-2016-3623, CVE-2016-3624, CVE-2016-3625, CVE-2016-3631, CVE-2016-3632, CVE-2016-3633, CVE-2016-3634, CVE-2016-3658, CVE-2016-3945, CVE-2016-3990, CVE-2016-3991, CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317, CVE-2016-5320, CVE-2016-5321, CVE-2016-5322, CVE-2016-5323, CVE-2016-5652, CVE-2016-5875, CVE-2016-6223, CVE-2016-8331, CVE-2016-9273, CVE-2016-9297, CVE-2016-9448, CVE-2016-9453, CVE-2016-9532
Blocks:
Reported: 2016-06-07 11:54 UTC by Agostino Sarubbo
Modified: 2017-01-09 17:01 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch that also removes the test for gif2tiff. (tiff-4.0.6-gif2tiff_removal.patch, 1.04 KB, patch)
2016-08-07 20:56 UTC, tka

Description Agostino Sarubbo gentoo-dev 2016-06-07 11:54:14 UTC
From ${URL} :

A vulnerability was found in libtiff. A maliciously crafted file could cause the application to 
crash via buffer overflow in gif2tiff tool.

Upstream bug:

http://bugzilla.maptools.org/show_bug.cgi?id=2552


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2016-06-07 12:35:04 UTC
Upstream removed gif2tiff entirely. Perhaps we simply revbump our package and remove the binary as well instead of waiting for the 4.0.7 upstream release?
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-11 05:24:13 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> Upstream removed gif2tiff entirely. Perhaps we simply revbump our package
> and remove the binary as well instead of waiting for the 4.0.7 upstream
> release?

That sounds like a very reasonable solution.  Let us know which version in tree has it removed if you decide to do that.  Thanks.
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2016-08-03 13:39:34 UTC
commit c833e82151f379f180b50c7dff58b8f989a9c1a9
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Aug 3 15:37:49 2016

    media-libs/tiff: Revbump for security bug #585274
    
    Removing vulnerable gif2tiff (CVE-2016-5102)
    Upstream seems to no longer ship this tool with >=tiff-4.0.7 versions.
    
    Package-Manager: portage-2.3.0
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


I'd prefer to let tiff-4.0.6-r1 settle for a while as I don't know if any third-party app makes use of gif2tiff.
Comment 4 tka 2016-08-07 20:56:13 UTC
Created attachment 442726 [details, diff]
Patch that also removes the test for gif2tiff.

The original patch leaves the test for gif2tiff in place. Of course, that test fails now. Thus, also remove it for consistency and to keep the tests passing.
Comment 5 Thomas Deutschmann gentoo-dev Security 2016-11-15 02:24:06 UTC
Adding CVE-2016-3186 because the same solution (removal of gif2tiff) applies:

Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-20 05:17:32 UTC
@maintainer, please patch the test issue as previously reported.  After that let us know when you are comfortable to stabilize, which may be dependent on newer bugs of course.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-01-09 17:01:18 UTC
This issue was resolved and addressed in
 GLSA 201701-16 at https://security.gentoo.org/glsa/201701-16
by GLSA coordinator Thomas Deutschmann (whissi).