Bug 1326249 (CVE-2016-3991)

Summary: CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: erik-fedora, even.rouault, nforro, phracek, sardella, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-27 08:50:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1299920, 1299921, 1335098, 1335099    
Bug Blocks: 1316881, 1346703    

Description Andrej Nemec 2016-04-12 09:05:21 UTC 
An Out-of-bounds write vulnerability caused by heap overflow when using tiffcrop tool was found in the libtiff library. The vulnerability is in loadImage() function in tiffcrop.c. loadImage() will read the numbers of tiles by calling TIFFNumberOfTiles().

However, if the numbers of tiles is 0, loadImage() will still read tile data by calling readContigTilesIntoBuffer() from the image, regardless of the numbers. In that case, loadImage() will allocate 3 bytes in the heap to store a tile data.

This creates a potential attack vector via crafted tiff tiles, which may result in DoS or code execution.

Upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2543
Comment 3 errata-xmlrpc 2016-08-02 16:42:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
Comment 4 errata-xmlrpc 2016-08-02 17:01:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html
Comment 5 Even Rouault 2016-08-04 09:25:00 UTC 
It would have been good to attach your patch to the upstream bug instead of letting libtiff maintainers to dig into the .src.rpm
Comment 6 Stefan Cornelius 2017-06-27 08:30:17 UTC 
*** Bug 1346683 has been marked as a duplicate of this bug. ***