Bug 867235 (CVE-2012-5581)
Summary: | CVE-2012-5581 libtiff: Stack-based buffer overflow when reading a tiled tiff file | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | unspecified | CC: | jrusnack, pmatouse, security-response-team, tgl | ||||
Target Milestone: | --- | Keywords: | Reopened, Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2012-12-21 09:00:39 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 880907, 885308, 885309, 885310, 885311, 889443 | ||||||
Bug Blocks: | 837581 | ||||||
Attachments: |
|
Description
Huzaifa S. Sidhpurwala
2012-10-17 06:13:21 UTC
(In reply to comment #5) > Yeah. I see that libtiff 4.0.x has completely rewritten the special cases > for DOTRANGE, but it's not clear whether that dodges this problem or not -- Turns out that indeed 4.0.3 does not crash. It looks like these upstream commits were specifically intended to repair this type of problem: 2012-06-06 00:56:01 fwarmerdam * ChangeLog, libtiff/tif_dir.c: avoid special handling of PAGENUMBER, HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE in non-image directories 2012-06-06 02:06:20 fwarmerdam * ChangeLog, libtiff/tif_print.c: improve handling of PAGENUMBER, HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE 2012-06-08 01:15:21 fwarmerdam * ChangeLog, libtiff/tif_print.c: avoid pretty printing values without proper rawdata I'm not sure about the backwards compatibility implications if we apply these patches --- it seems at least theoretically possible that some apps out there are expecting the original behavior of GetField/SetField. On the other hand, it's unclear that there is any way to fix this crash without a behavioral change. I backported the following upstream change and that seems to fix the crash. 2012-06-06 00:56:01 fwarmerdam * ChangeLog, libtiff/tif_dir.c: avoid special handling of PAGENUMBER, HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE in non-image directories Created attachment 640578 [details]
proposed patch
Acknowledgements: This issue was discovered by Huzaifa S. Sidhpurwala of Red Hat Security Response Team. Created libtiff tracking bugs for this issue Affects: fedora-all [bug 880907] FWIW, I'm not terribly sure that this patch won't result in any application compatibility problems. However, the only apparent alternative is to leave the bug unfixed, which is even less attractive. The saving grace is that the case where an application might have a compatibility problem would be where it had special-case code to handle DotRange or one of the other "weird" TIFF tags whose behavior has been simplified by the patch. Such applications are probably very few and far between, since these tags are little-used. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:1590 https://rhn.redhat.com/errata/RHSA-2012-1590.html Created mingw-libtiff tracking bugs for this issue Affects: fedora-all [bug 889443] libtiff-3.9.7-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. libtiff-3.9.7-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. libtiff-4.0.3-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. |