Bug 1177893 (CVE-2014-9330)

Summary: CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: carnil, mhradile, phracek, sisharma
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the bmp2tiff utility. By tricking a user into processing a specially crafted file, a remote attacker could exploit this flaw to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:37:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1299918, 1299919, 1299920, 1299921, 1335098, 1335099    
Bug Blocks: 1174883    

Description Huzaifa S. Sidhpurwala 2014-12-31 06:19:04 UTC 
An Out-of-bounds read flaw followed by a crash was found in the bmp2tiff utility (A utility used to create a TIFF file from a Microsoft Windows Device Independent Bitmap image file) shipped with libtiff. A remote attacker could provide a specially-crafted BMP (Bitmap Image) file that, when processed by bmp2tiff, would cause bmp2tiff to crash.

Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
Comment 1 Siddharth Sharma 2015-03-23 07:02:00 UTC 
Patch
=====

https://lists.debian.org/debian-release/2014/12/msg01782.html
Comment 2 Siddharth Sharma 2015-03-23 10:55:11 UTC 
Analysis
========

According to the file format specification of BMP

 * +---------------------+
 * | BMPFileHeader       |
 * +---------------------+
 * | BMPInfoHeader       |
 * +---------------------+
 * | BMPColorEntry array |
 * +---------------------+
 * | Colour-index array  |
 * +---------------------+

in the following code of bmp2tiff.c

struct {
...
    int32       iWidth;         /* Image width */
    int32       iHeight;        /* Image height. If positive, image has bottom
                                 * left origin, if negative --- top left. */
...
} BMPInfoHeader;

...
                if (bmp_type == BMPT_WIN4
                    || bmp_type == BMPT_WIN5
                    || bmp_type == BMPT_OS22) {
                        read(fd, &info_hdr.iWidth, 4);
...
#ifdef WORDS_BIGENDIAN
                        TIFFSwabLong((uint32*) &info_hdr.iWidth);

While reading the iWidth from BMPInfoHeader of malicious file, it does not check for the negative value of the iWidth in the following code. According to the file format specification of bmp iWidth should not be having negative value in it.

                width = info_hdr.iWidth;

Failing to sanitize the iWidth value initially and passing it to variable 'width' which is later used to encode or decode packedbits causes Out-of-bounds read flaw which leads to crash. In the libtiff only bmp2tiff seems to be having this flaw, so crash would occur only if bmp2tiff is being used by any application opening malicious file. Impact of this flaw is low
and it is bit complex to create such file.
Comment 3 Siddharth Sharma 2015-06-01 11:56:35 UTC 
Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in libtiff.
Comment 8 errata-xmlrpc 2016-08-02 16:40:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
Comment 9 errata-xmlrpc 2016-08-02 16:59:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html