Bug 952131 (CVE-2013-1961)

Summary: CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with malformed image-length and resolution

Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: hhorak, jrusnack, manu, security-response-team
Whiteboard: impact=low,public=20130502,reported=20130415,source=researcher,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,rhel-5/libtiff=affected,rhel-6/libtiff=affected,fedora-all/libtiff=affected,fedora-all/mingw-libtiff=affected,cwe=CWE-121[auto]
Doc Type: Bug Fix
Last Closed: 2014-02-27 14:31:59 EST
Bug Depends On: 958609, 958610, 1063460, 1063461, 1063464, 1063465
Bug Blocks: 994449
Attachments:
Description                                             Flags
patch against 4.0 CVS head                              none
patch against 3.9 branch head (will work for 3.9.7)     none

Description Huzaifa S. Sidhpurwala 2013-04-15 05:25:02 EDT
A stack-based buffer overflow was found in the way tiff2pdf, the TIFF image to PDF document conversion tool of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image files, wrote TIFF image content into a PDF document file when malformed image-length and resolution values are used in the TIFF file. A remote attacker could provide a specially crafted TIFF image file that, when processed by tiff2pdf, would cause the tiff2pdf executable to crash.

Acknowledgements:

Red Hat would like to thank Emmanuel Bouillon (NCI Agency) for reporting this issue.
Comment 1 Huzaifa S. Sidhpurwala 2013-04-15 05:41:31 EDT
Here is the affected code (in tiff2pdf.c):

    buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);

t2p->pdf_imagelength is calculated as 
(float)(t2p->tiff_length))*PS_UNIT_SIZE/t2p->pdf_yres

This results in a very large number; the size of the buffer is 16, and this results in a stack-based buffer overflow in the variable "buffer".

RHEL-6 and Fedora builds are compiled with FORTIFY_SOURCE, which results in the crash being limited to DoS and no arbitrary code execution here.
Comment 7 Tom Lane 2013-04-16 14:00:40 EDT
I believe the best response to this is to go on a search-and-destroy mission and change basically all uses of sprintf() to snprintf() in libtiff.  Attached are patches to do that.
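The sprintf/snprintf distinction discussed in comments 1 and 7, as an added example that is not part of this bug report or of libtiff's code: it recomputes the mediabox height the way comment 1 describes, probes how many characters "%.4f" would emit for it, and contrasts the unbounded sprintf() pattern with the bounded snprintf() pattern that reports truncation. PS_UNIT_SIZE = 72.0F, BUF_SIZE = 16, the function names and the sample inputs are assumptions made for this example; the real tiff2pdf.c is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constant: points per inch, under the name tiff2pdf.c uses. */
#define PS_UNIT_SIZE 72.0F
/* Size of the on-stack buffer that comment 1 says sprintf() writes into. */
#define BUF_SIZE 16

/* Hypothetical helper: the mediabox height (pdf_mediabox.y2) computed the
 * way comment 1 describes, from an attacker-controlled image length and
 * y-resolution. Neither input is validated, so a huge length or a tiny
 * resolution yields a huge value. */
static float mediabox_height(uint32_t tiff_length, float pdf_yres)
{
    return (float)tiff_length * PS_UNIT_SIZE / pdf_yres;
}

/* Number of characters "%.4f" emits for v (excluding the terminating NUL),
 * probed with snprintf(NULL, 0, ...) so nothing is written anywhere. */
static int needed_len(float v)
{
    return snprintf(NULL, 0, "%.4f", v);
}

/* The vulnerable pattern: sprintf(buffer, "%.4f", v) into char buffer[16]
 * writes needed_len(v) + 1 bytes with no bound. Returns 1 if that exceeds
 * BUF_SIZE, i.e. the original code would smash the stack on this input.
 * The unbounded sprintf() itself is deliberately never called here. */
static int would_overflow(uint32_t tiff_length, float pdf_yres)
{
    return needed_len(mediabox_height(tiff_length, pdf_yres)) + 1 > BUF_SIZE;
}

/* The hardened pattern from comment 7: snprintf() with an explicit bound.
 * Returns the length written, or 0 if the output did not fit (snprintf
 * returns the length it wanted, so n >= size means truncation). */
static int format_bounded(char *buf, size_t size, float v)
{
    int n;
    if (size == 0)
        return 0;
    n = snprintf(buf, size, "%.4f", v);
    if (n < 0 || (size_t)n >= size) {
        buf[0] = '\0';   /* leave a valid, empty string on failure */
        return 0;
    }
    return n;
}

/* Runs the hardened formatter on the same inputs into a 16-byte buffer and
 * returns the length that fit; 0 marks the input the original code overflowed. */
static int hardened_len(uint32_t tiff_length, float pdf_yres)
{
    char buf[BUF_SIZE];
    return format_bounded(buf, sizeof buf, mediabox_height(tiff_length, pdf_yres));
}

int main(void)
{
    /* Constructed inputs: a sane image and a malformed one. */
    struct { uint32_t len; float yres; } in[] = {
        { 1000u, 72.0F },       /* 1000 rows at 72 dpi -> "1000.0000", 9 chars */
        { 0xFFFFFFFFu, 1.0F },  /* max uint32 rows at 1 dpi -> 17 chars + NUL */
    };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        float h = mediabox_height(in[i].len, in[i].yres);
        printf("length=%u yres=%g -> %d chars, sprintf overflow: %s, snprintf ok: %s\n",
               in[i].len, in[i].yres, needed_len(h),
               would_overflow(in[i].len, in[i].yres) ? "yes" : "no",
               hardened_len(in[i].len, in[i].yres) ? "yes" : "no");
    }
    return 0;
}
```

The length probe is what makes this safe to run: the 16-byte bound is only ever compared against, never exceeded, and the second input (an image length of 0xFFFFFFFF at 1 dpi) is enough on its own to push "%.4f" to 17 characters plus the NUL. With snprintf() the same input is reported as not fitting instead of being written past the end of the buffer.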
Comment 8 Tom Lane 2013-04-16 14:01:47 EDT
Created attachment 736471 [details]
patch against 4.0 CVS head
Comment 9 Tom Lane 2013-04-16 14:02:40 EDT
Created attachment 736472 [details]
patch against 3.9 branch head (will work for 3.9.7)
Comment 12 Huzaifa S. Sidhpurwala 2013-04-16 23:57:15 EDT
This issue has been assigned CVE-2013-1961
Comment 14 Huzaifa S. Sidhpurwala 2013-05-01 23:57:01 EDT
Created libtiff tracking bugs for this issue

Affects: fedora-all [bug 958609]
Comment 15 Huzaifa S. Sidhpurwala 2013-05-01 23:57:05 EDT
Created mingw-libtiff tracking bugs for this issue

Affects: fedora-all [bug 958610]
Comment 16 Huzaifa S. Sidhpurwala 2013-05-02 00:29:51 EDT
Public via:

http://seclists.org/oss-sec/2013/q2/254
Comment 17 Tom Lane 2013-05-02 10:45:34 EDT
Patches pushed to upstream CVS.
Comment 18 Fedora Update System 2013-05-13 21:23:29 EDT
libtiff-4.0.3-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2013-05-18 22:40:07 EDT
libtiff-3.9.7-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 errata-xmlrpc 2014-02-27 13:34:02 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0223 https://rhn.redhat.com/errata/RHSA-2014-0223.html
Comment 23 errata-xmlrpc 2014-02-27 13:35:28 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0222 https://rhn.redhat.com/errata/RHSA-2014-0222.html
Comment 24 Vincent Danen 2014-02-27 14:31:59 EST
Statement:

(none)