Bug 1745951 (CVE-2019-14973)

Summary: CVE-2019-14973 libtiff: integer overflow in _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhavsar, kyoshida, nforro, phracek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:34:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1745952, 1755703, 1755704, 1755705    
Bug Blocks: 1745954    

Description Dhananjay Arunesh 2019-08-27 10:14:27 UTC
A vulnerability was found in _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash.

Reference:
https://gitlab.com/libtiff/libtiff/merge_requests/90

Comment 1 Dhananjay Arunesh 2019-08-27 10:14:44 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1745952]

Comment 2 Huzaifa S. Sidhpurwala 2019-09-26 05:47:16 UTC
Analysis:

This is more of a hardening then a flaw. libtiff used an unsafe way to detect overflow in multiplication of signed types, which was implementation dependent. The issue is fixed by adding proper integer overflow checks.

Commit: https://gitlab.com/libtiff/libtiff/commit/2218055ca67d84be596a13080e8f50f22116555c

Comment 8 errata-xmlrpc 2020-04-28 15:40:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1688 https://access.redhat.com/errata/RHSA-2020:1688

Comment 9 Product Security DevOps Team 2020-04-28 16:34:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14973

Comment 11 errata-xmlrpc 2020-09-29 19:41:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3902 https://access.redhat.com/errata/RHSA-2020:3902