Bug 1410063 (CVE-2016-10095)

Summary: CVE-2016-10095 libtiff: Stack-based buffer overflow in _TIFFVGetField
Product: [Other] Security Response
Component: vulnerability
Reporter: Adam Mariš <amaris>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
CC: carl_song, erik-fedora, huzaifas, kabbott, nforro, phracek, sardella, security-response-team, slawomir, yozone
Last Closed: 2017-01-16 06:30:18 UTC
Bug Depends On: 1410125, 1410123, 1410124
Bug Blocks: 1389235, 1410122

Description Adam Mariš 2017-01-04 11:24:07 UTC
A stack-based buffer overflow vulnerability was found in libtiff when running tiffsplit on a crafted TIFF file.

Reproducer:

https://github.com/asarubbo/poc/blob/master/00104-libtiff-stackoverflow-_TIFFVGetField

CVE assignment:

http://seclists.org/oss-sec/2017/q1/10

Reference:

https://blogs.gentoo.org/ago/2017/01/01/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c/

Comment 1 Adam Mariš 2017-01-04 14:20:04 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1410123]

Comment 2 Adam Mariš 2017-01-04 14:20:10 UTC
Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1410124]
Affects: epel-7 [bug 1410125]

Comment 6 Huzaifa S. Sidhpurwala 2017-01-16 06:30:18 UTC

*** This bug has been marked as a duplicate of bug 1294417 ***

Comment 8 Carl Song 2017-03-28 15:17:29 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> 
> *** This bug has been marked as a duplicate of bug 1294417 ***

What is the reasoning behind this decision? Bug 1294417 references CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in libtiff 4.0.7.

Comment 9 Huzaifa S. Sidhpurwala 2017-04-03 05:49:36 UTC
(In reply to carl_song from comment #8)
> (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > 
> > *** This bug has been marked as a duplicate of bug 1294417 ***
> 
> What is the reasoning behind this decision? Bug 1294417 references
> CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> libtiff 4.0.7.

CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.

Comment 10 Carl Song 2017-04-03 18:04:51 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #9)
> (In reply to carl_song from comment #8)
> > (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > > 
> > > *** This bug has been marked as a duplicate of bug 1294417 ***
> > 
> > What is the reasoning behind this decision? Bug 1294417 references
> > CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> > libtiff 4.0.7.
> 
> CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.

If it's not fixed, why are the relevant tickets closed? Is there ongoing effort to remediate this vulnerability and how are you tracking it?

Comment 11 Huzaifa S. Sidhpurwala 2017-04-04 03:39:34 UTC
(In reply to carl_song from comment #10)
> (In reply to Huzaifa S. Sidhpurwala from comment #9)
> > (In reply to carl_song from comment #8)
> > > (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > > > 
> > > > *** This bug has been marked as a duplicate of bug 1294417 ***
> > > 
> > > What is the reasoning behind this decision? Bug 1294417 references
> > > CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> > > libtiff 4.0.7.
> > 
> > CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
> 
> If it's not fixed, why are the relevant tickets closed? Is there ongoing
> effort to remediate this vulnerability and how are you tracking it?

I am not sure if I understand your question. This bug (CVE-2016-10095) is marked as duplicate of CVE-2015-7554, which was fixed:

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html in rhel-6
Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html in rhel-7

Comment 12 Carl Song 2017-04-04 15:40:26 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #11)
> (In reply to carl_song from comment #10)
> > (In reply to Huzaifa S. Sidhpurwala from comment #9)
> > > (In reply to carl_song from comment #8)
> > > > (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > > > > 
> > > > > *** This bug has been marked as a duplicate of bug 1294417 ***
> > > > 
> > > > What is the reasoning behind this decision? Bug 1294417 references
> > > > CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> > > > libtiff 4.0.7.
> > > 
> > > CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
> > 
> > If it's not fixed, why are the relevant tickets closed? Is there ongoing
> > effort to remediate this vulnerability and how are you tracking it?
> 
> I am not sure if i understand your question. This bug (CVE-2016-10095) is
> marked as duplicate of CVE-2015-7554, which was fixed:
> 
> Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html in
> rhel-6
> Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html in
> rhel-7

In consecutive statements you said:
1) CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7
2) CVE-2015-7554 was fixed

Which one is true?

Comment 13 Huzaifa S. Sidhpurwala 2017-04-05 04:54:41 UTC
(In reply to Carl Song from comment #12)

> > > > CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
> > > 
> > > If it's not fixed, why are the relevant tickets closed? Is there ongoing
> > > effort to remediate this vulnerability and how are you tracking it?
> > 
> > I am not sure if i understand your question. This bug (CVE-2016-10095) is
> > marked as duplicate of CVE-2015-7554, which was fixed:
> > 
> > Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html in
> > rhel-6
> > Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html in
> > rhel-7
> 
> In consecutive statements you said:
> 1) CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7
> 2) CVE-2015-7554 was fixed
> 
> Which one is true?

Both :)

4.0.6 and 4.0.7 are upstream version numbers, we backport the patches to the versions shipped in Red Hat Enterprise Linux.

So though upstream may not have fixed CVE-2015-7554 in 4.0.6 and later in 4.0.7 also, we backported the fix to the versions we ship.

So versions are fixed, I am not sure about upstream versions here.