Bug 1565166

Summary: libtiff: Use After Free in the t2p_writeproc function in tools/tiff2pdf.c
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: develacker, erik-fedora, mike, nforro, phracek, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 20:00:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1630005, 1630030, 1630031, 1630032, 1630033, 1911024    
Bug Blocks: 1565172    

Description Laura Pardo 2018-04-09 14:26:10 UTC 
A flaw was found in LibTIFF 4.0.9, there is a Use-After-Free(UAF)in the t2p_writeproc function in tools/tiff2pdf.c. An attacker could exploit this via crafted TIFF file to cause a denial of service or possibly have unspecified other impact.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1562824
Comment 1 Andrej Nemec 2018-07-02 14:13:48 UTC 
*** Bug 1562824 has been marked as a duplicate of this bug. ***
Comment 5 Scott Gayou 2018-09-17 20:08:57 UTC 
Looks to have very low impact.

Reported upstream, no acknowledgement from upstream as of yet. Guessing it slipped past the radar or they judged it very low priority.

Interestingly, doesn't appear to affect Fedora 28, so unclear if it was stealth patched accidentally fixed via refactoring.
Comment 6 Scott Gayou 2018-09-17 20:09:42 UTC 
Upstream Bug Report:
http://bugzilla.maptools.org/show_bug.cgi?id=2796
Comment 7 Scott Gayou 2018-09-17 20:10:20 UTC 
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1630031]


Created mingw-libtiff tracking bugs for this issue:

Affects: epel-7 [bug 1630030]
Affects: fedora-all [bug 1630032]