Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624696 (CVE-2017-9935) - <media-libs/tiff-4.0.9-r2: Heap-based buffer overflow in t2p_write_pdf function
Summary: <media-libs/tiff-4.0.9-r2: Heap-based buffer overflow in t2p_write_pdf function
Status: RESOLVED FIXED
Alias: CVE-2017-9935
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://gitlab.com/libtiff/libtiff/co...
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-12 14:51 UTC by Agostino Sarubbo
Modified: 2018-06-11 15:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-07-12 14:51:42 UTC
From ${URL} :

In LibTIFF 4.0.8, there is a heap-based buffer overflow in the
t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could
lead to different damages. For example, a crafted TIFF document can
lead to an out-of-bounds read in TIFFCleanup, an invalid free in
TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or
a double free in t2p_free. Given these possibilities, it probably could
cause arbitrary code execution.

Upstream bug:

http://bugzilla.maptools.org/show_bug.cgi?id=2704


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Larry the Git Cow gentoo-dev 2018-01-26 22:25:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb1365ccd7332af4595538bc6b2244058db7b79b

commit eb1365ccd7332af4595538bc6b2244058db7b79b
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2018-01-26 03:54:26 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2018-01-26 22:25:18 +0000

    media-libs/tiff: add upstream fix for CVE-2017-9935 #624696
    
    Also drop some pdfium patches that they dropped when moving to 4.0.8.
    
    Bug: https://bugs.gentoo.org/624696

 .../tiff/files/tiff-4.0.9-CVE-2017-9935.patch      | 153 +++++++++++++++++++++
 media-libs/tiff/tiff-4.0.9-r1.ebuild               |  79 +++++++++++
 2 files changed, 232 insertions(+)}
Comment 3 Michael Vetter 2018-02-16 14:04:21 UTC
AFAIK this is only partly the fix.

Upstream https://gitlab.com/libtiff/libtiff/commit/d4f213636b6f950498a1386083199bd7f65676b9 is also needed.
Comment 4 Larry the Git Cow gentoo-dev 2018-02-16 15:30:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88961c859ba1efbe6e3555246444dc0456bddcb8

commit 88961c859ba1efbe6e3555246444dc0456bddcb8
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2018-02-16 15:04:47 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-02-16 15:21:33 +0000

    media-libs/tiff: Patch to fix type (CVE-2017-9935)
    
    CVE-2017-9935 has a second commit with ID
    d4f213636b6f950498a1386083199bd7f65676b9 to fix the type of the table.
    
    Bug: https://bugs.gentoo.org/624696
    
    Package-Manager: Portage-2.3.19, Repoman-2.3.6
    Closes: https://github.com/gentoo/gentoo/pull/7204

 ...ff-4.0.9-CVE-2017-9935-fix-incorrect-type.patch | 58 ++++++++++++++++
 media-libs/tiff/tiff-4.0.9-r2.ebuild               | 80 ++++++++++++++++++++++
 2 files changed, 138 insertions(+)}
Comment 5 Larry the Git Cow gentoo-dev 2018-06-11 15:15:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37595745cfaca05f187eba0f3b9a392a79510393

commit 37595745cfaca05f187eba0f3b9a392a79510393
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-06-11 15:15:09 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-06-11 15:15:09 +0000

    media-libs/tiff: drop vulnerable
    
    Bug: https://bugs.gentoo.org/624696
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 media-libs/tiff/Manifest             |  1 -
 media-libs/tiff/tiff-4.0.8.ebuild    | 80 ------------------------------------
 media-libs/tiff/tiff-4.0.9-r1.ebuild | 75 ---------------------------------
 media-libs/tiff/tiff-4.0.9-r2.ebuild | 79 -----------------------------------
 4 files changed, 235 deletions(-)
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-06-11 15:15:52 UTC
Downgraded.

GLSA Vote: No

Tree is clean