Bug 1265998 (CVE-2015-7313)
Summary: | CVE-2015-7313 libtiff: OOM when parsing crafted tiff files | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | carnil, erik-fedora, federicoleva, jrusnack, phracek |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-10-07 13:49:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1265999, 1266000 | ||
Bug Blocks: | 1266001 |
Description
Martin Prpič
2015-09-24 09:36:53 UTC
Created libtiff tracking bugs for this issue: Affects: fedora-all [bug 1265999] Created mingw-libtiff tracking bugs for this issue: Affects: fedora-all [bug 1266000] On Fedora and RHEL7, disabling memory overcommit (echo 2 > /proc/sys/vm/overcommit_memory) seems to "fix" this issue. Thus, there is nothing wrong with the libtiff code. Instead, the memory overcommit will prevent certain memory errors to be passed to the libtiff code, ultimately "bypassing" the libtiff error checks, leading to an OOM kill instead of a libtiff exit. On RHEL6, it detects and integer overflow and exits: TIFFReadDirectory: Warning, oom.tif: Bogus "StripByteCounts" field, ignoring and calculating from imagelength. oom.tif: Integer overflow in TIFFVStripSize. TIFFReadDirectory: oom.tif: cannot handle zero strip size. A variant with "bus error" was seen libtiff 3.4 http://markmail.org/message/igqy46wj7kzhnkjv |