Bug 1319503

Summary: buffer overflow in gif2tiff
Product: Red Hat Enterprise Linux 7 Reporter: Aladdin Mubaied <alaa.mubaied>
Component: libtiffAssignee: Nikola Forró <nforro>
Status: CLOSED ERRATA QA Contact: David Jež <djez>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.4CC: djez, henri, jhouska, mhradile, security-response-team
Target Milestone: rcKeywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libtiff-4.0.3-28.el7 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 12:39:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1319666    
Attachments:
Description Flags
crasher none

Description Aladdin Mubaied 2016-03-20 18:11:19 UTC 
Created attachment 1138356 [details]
crasher

Hi, There is a buffer overflow in gif2tiff.c:353. details are below : what it
appears to me is an overflow in the readextension function. I have attached a
copy of crash.gif file for testing . 

please note that I'm running libtiff v4.0.6 .

-bash$ gif2tiff  crash.gif /tmp/out.tiff
*** buffer overflow detected ***: /opt/libtiff/bin/gif2tiff terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f9c4b86c9c7]
/lib64/libc.so.6(+0x10bb90)[0x7f9c4b86ab90]
/lib64/libc.so.6(__fread_chk+0x12c)[0x7f9c4b86b26c]
/opt/libtiff/bin/gif2tiff[0x403aab]
/opt/libtiff/bin/gif2tiff[0x407a0d]
/opt/libtiff/bin/gif2tiff[0x402db9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f9c4b780af5]
/opt/libtiff/bin/gif2tiff[0x402f15]
======= Memory map: ========
00400000-00569000 r-xp 00000000 fd:00 402857                            
/opt/libtiff/bin/gif2tiff
00768000-00769000 r--p 001680320 fd:00 402857                            
/opt/libtiff/bin/gif2tiff
00769000-0076c000 rw-p 001680320 fd:00 402857                            
/opt/libtiff/bin/gif2tiff
..
..
..
7f9c4v24a000-7f9c4c24d000 rw-p 00000000 00:00 0 
7f9c4v24a000-7f9c4c259000 r--p 00020000 fd:00 277009                    
/usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25a000 rw-p 00021000 fd:00 277009                    
/usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25b000 rw-p 00000000 00:00 0 
7fff3a9d1000-7fff3a9f2000 rw-p 00000000 00:00 0                         
[stack]
7fff3a9fe000-7fff3aa00000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                 
[vsyscall]
Aborted


gdb$ bt
#0  0x00007ffff75385c9 in raise () from /lib64/libc.so.6
#1  0x00007ffff7539cd8 in abort () from /lib64/libc.so.6
#2  0x00007ffff7578db7 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff76109c7 in __fortify_fail () from /lib64/libc.so.6
#4  0x00007ffff760eb90 in __chk_fail () from /lib64/libc.so.6
#5  0x00007ffff760f26c in __fread_chk () from /lib64/libc.so.6
#6  0x0000000000403aab in fread (__stream=<optimized out>,
__n=0xffffffffffffffff, __size=0x1, __ptr=0x7fffffffe3c0) at
/usr/include/bits/stdio2.h:290
#7  readextension () at gif2tiff.c:353
#8  0x0000000000407a0d in convert () at gif2tiff.c:222
#9  0x0000000000402db9 in main (argc=<optimized out>, argv=0x7fffffffe618) at
gif2tiff.c:178
#10 0x00007ffff7524af5 in __libc_start_main () from /lib64/libc.so.6
#11 0x0000000000402f15 in _start ()

Breakpoint 1, readextension () at gif2tiff.c:353
353            if (fread(buf, 1, count, infile) != (size_t) count) {
gdb-peda$ list
345 readextension(void)
346 {
347    int count;
348        char buf[255];
349        int status = 1;
350    
351        (void) getc(infile);
352        while ((count = getc(infile)) && count <= 255)
>>353	        if (fread(buf, 1, count, infile) != (size_t) count) {
354                fprintf(stderr, "short read from file %s (%s)\n",
355                        filename, strerror(errno));
356                status = 0;
357                break;
358             }
359    return status;
360 }

Thanks 
Aladdin Mubaied
Comment 1 Aladdin Mubaied 2016-03-20 18:11:53 UTC 
the following CVE-2016-3186 is assigned for this bug.
Comment 3 Huzaifa S. Sidhpurwala 2016-03-25 06:15:16 UTC 
Aladdin,

Hi, thanks for the report, After analysis it seems this is indeed an issue with gif2tiff utility. Do you mind if i make this bug report public?
Comment 4 Aladdin Mubaied 2016-03-25 06:33:35 UTC 
Sure, you can make it public .
thanks
Comment 5 Huzaifa S. Sidhpurwala 2016-03-30 09:31:10 UTC 
This bug corresponds to the security flaw at:
https://bugzilla.redhat.com/show_bug.cgi?id=1319666
Comment 10 errata-xmlrpc 2019-08-06 12:39:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2053