Bug 1609400 (CVE-2018-14373)

Summary: CVE-2018-14373 libtiff: NULL dereference in TIFFFindField in tif_dirinfo.c
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: erik-fedora, mike, nforro, phracek, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-09 08:35:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1609401, 1609402, 1609404, 1609405    
Bug Blocks: 1609415    

Description Laura Pardo 2018-07-27 21:54:33 UTC 
An issue was discovered in LibTIFF 4.0.9. In TIFFFindField in tif_dirinfo.c, the structure tif is being dereferenced without first checking that the structure is not empty and has the requested fields (tif_foundfield). In the call sequences following from the affected library functions (TIFFVGetField, TIFFVGetFieldDefaulted, TIFFVStripSize, TIFFScanlineSize, TIFFTileSize, TIFFGetFieldDefaulted, and TIFFGetField), this sanitization of the tif structure is never being done and, hence, using them with an invalid or empty tif structure will trigger a buffer overflow, leading to a crash.


References:
http://bugzilla.maptools.org/show_bug.cgi?id=2801
Comment 1 Laura Pardo 2018-07-27 21:55:06 UTC 
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1609402]


Created mingw-libtiff tracking bugs for this issue:

Affects: epel-7 [bug 1609404]
Affects: fedora-all [bug 1609401]
Comment 3 Riccardo Schirone 2018-08-09 08:35:57 UTC 
CVE rejected https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14373
Comment 4 Doran Moppert 2020-02-11 00:30:40 UTC 
Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.