Bug 1177893 (CVE-2014-9330)
Summary: | CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | carnil, mhradile, phracek, sisharma |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
A flaw was discovered in the bmp2tiff utility. By tricking a user into processing a specially crafted file, a remote attacker could exploit this flaw to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-08 02:37:17 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1299918, 1299919, 1299920, 1299921, 1335098, 1335099 | ||
Bug Blocks: | 1174883 |
Description
Huzaifa S. Sidhpurwala
2014-12-31 06:19:04 UTC
Analysis ======== According to the file format specification of BMP * +---------------------+ * | BMPFileHeader | * +---------------------+ * | BMPInfoHeader | * +---------------------+ * | BMPColorEntry array | * +---------------------+ * | Colour-index array | * +---------------------+ in the following code of bmp2tiff.c struct { ... int32 iWidth; /* Image width */ int32 iHeight; /* Image height. If positive, image has bottom * left origin, if negative --- top left. */ ... } BMPInfoHeader; ... if (bmp_type == BMPT_WIN4 || bmp_type == BMPT_WIN5 || bmp_type == BMPT_OS22) { read(fd, &info_hdr.iWidth, 4); ... #ifdef WORDS_BIGENDIAN TIFFSwabLong((uint32*) &info_hdr.iWidth); While reading the iWidth from BMPInfoHeader of malicious file, it does not check for the negative value of the iWidth in the following code. According to the file format specification of bmp iWidth should not be having negative value in it. width = info_hdr.iWidth; Failing to sanitize the iWidth value initially and passing it to variable 'width' which is later used to encode or decode packedbits causes Out-of-bounds read flaw which leads to crash. In the libtiff only bmp2tiff seems to be having this flaw, so crash would occur only if bmp2tiff is being used by any application opening malicious file. Impact of this flaw is low and it is bit complex to create such file. Statement: Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in libtiff. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html |