Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with malformed image-length and resolution|
|Product:||[Other] Security Response|
|Reporter:||Huzaifa S. Sidhpurwala <huzaifas>|
|Component:||vulnerability|
|Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA|
|QA Contact:|||
|Version:||unspecified|
|CC:||hhorak, jrusnack, manu, security-response-team|
|Fixed In Version:|||
|Doc Type:||Bug Fix|
|Doc Text:|||
|Story Points:||---|
|Last Closed:||2014-02-27 14:31:59 EST|
|Type:||---|
|oVirt Team:||---|
|RHEL 7.3 requirements from Atomic Host:|||
|Bug Depends On:||958609, 958610, 1063460, 1063461, 1063464, 1063465|
Description Huzaifa S. Sidhpurwala 2013-04-15 05:25:02 EDT
A stack-based buffer overflow was found in the way tiff2pdf, a TIFF image to PDF document conversion tool of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image files, wrote TIFF image content into a PDF document file when malformed image-length and resolution values are used in the TIFF file. A remote attacker could provide a specially crafted TIFF image file that, when processed by tiff2pdf, would lead to a crash of the tiff2pdf executable.

Acknowledgements: Red Hat would like to thank Emmanuel Bouillon (NCI Agency) for reporting this issue.
Comment 1 Huzaifa S. Sidhpurwala 2013-04-15 05:41:31 EDT
Here is the affected code (in tiff2pdf.c, line 4148):

    buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);

t2p->pdf_imagelength is calculated as:

    ((float)(t2p->tiff_length))*PS_UNIT_SIZE/t2p->pdf_yres

This results in a very large number; sizeof the buffer = 16, and this results in a stack-based buffer overflow in the variable "buffer".

RHEL-6 and Fedora builds are compiled with FORTIFY_SOURCE, which results in the crash being limited to DoS and no arbitrary code execution here.
Comment 7 Tom Lane 2013-04-16 14:00:40 EDT
I believe the best response to this is to go on a search-and-destroy mission and change basically all uses of sprintf() to snprintf() in libtiff. Attached are patches to do that.
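The following C program is an added example and is not libtiff's code or part of this bug report. It mirrors the shape of the fragment quoted in comment 1 (a 16-byte buffer filled with "%.4f" output from a value derived from tiff_length and pdf_yres) and the fix described in comment 7 (replacing sprintf() with snprintf()). It assumes PS_UNIT_SIZE is 72 points per inch as in tiff2pdf.c; the names image_length_points, required_len, fits_in_buffer and format_bounded and all input values are constructed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libtiff code. It mirrors the shape of the
 * tiff2pdf.c fragment from comment 1: a 16-byte stack buffer filled
 * with sprintf(buffer, "%.4f", value). */
#define T2P_BUFSIZE 16

/* Assumption: tiff2pdf's PS_UNIT_SIZE is 72 PostScript points per inch. */
#define PS_UNIT_SIZE 72.0F

/* Page length in points, computed the way comment 1 describes:
 * tiff_length (a 32-bit TIFF field) scaled by PS_UNIT_SIZE / yres.
 * A huge length or a tiny resolution makes this value very large. */
float image_length_points(uint32_t tiff_length, float yres)
{
    return ((float)tiff_length) * PS_UNIT_SIZE / yres;
}

/* Number of characters "%.4f" produces for value, excluding the NUL,
 * measured without writing anywhere (snprintf with a zero-size buffer). */
int required_len(double value)
{
    return snprintf(NULL, 0, "%.4f", value);
}

/* Would the original unbounded sprintf() fit in a T2P_BUFSIZE buffer?
 * The NUL terminator needs one byte, so the text may be at most 15 long. */
int fits_in_buffer(double value)
{
    int n = required_len(value);
    return n >= 0 && n < T2P_BUFSIZE;
}

/* Hardened version of the call: snprintf() never writes past bufsize and
 * always NUL-terminates. Returns the stored length, or 0 and sets
 * *truncated when the value does not fit, so the caller can reject the
 * input instead of silently emitting a mangled number into the PDF. */
int format_bounded(char *buf, size_t bufsize, double value, int *truncated)
{
    int n = snprintf(buf, bufsize, "%.4f", value);
    *truncated = (n < 0 || (size_t)n >= bufsize);
    if (*truncated) {
        buf[0] = '\0';
        return 0;
    }
    return n;
}

int main(void)
{
    char buf[T2P_BUFSIZE];
    int truncated;

    /* Constructed inputs: a letter-size page height, then an oversized
     * length paired with a tiny resolution. */
    double normal = 792.0;
    double oversized = image_length_points(4294967295u, 0.001f);

    printf("%.4f needs %d chars, fits in %d bytes: %d\n",
           normal, required_len(normal), T2P_BUFSIZE, fits_in_buffer(normal));
    printf("oversized value needs %d chars, fits: %d\n",
           required_len(oversized), fits_in_buffer(oversized));

    format_bounded(buf, sizeof buf, oversized, &truncated);
    printf("bounded write: \"%s\" truncated=%d\n", buf, truncated);
    return 0;
}
```

The point of required_len is that "%.4f" always emits at least five characters after the integer part, so any value with eleven or more integer digits already exceeds a 16-byte buffer; snprintf bounds the write, and checking its return value is what turns the overflow into a detectable, rejectable condition.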
Comment 8 Tom Lane 2013-04-16 14:01:47 EDT
Created attachment 736471 [details] patch against 4.0 CVS head
Comment 9 Tom Lane 2013-04-16 14:02:40 EDT
Created attachment 736472 [details] patch against 3.9 branch head (will work for 3.9.7)
Comment 12 Huzaifa S. Sidhpurwala 2013-04-16 23:57:15 EDT
This issue has been assigned CVE-2013-1961
Comment 14 Huzaifa S. Sidhpurwala 2013-05-01 23:57:01 EDT
Created libtiff tracking bugs for this issue.

Affects: fedora-all [bug 958609]
Comment 15 Huzaifa S. Sidhpurwala 2013-05-01 23:57:05 EDT
Created mingw-libtiff tracking bugs for this issue.

Affects: fedora-all [bug 958610]
Comment 16 Huzaifa S. Sidhpurwala 2013-05-02 00:29:51 EDT
Public via: http://seclists.org/oss-sec/2013/q2/254
Comment 17 Tom Lane 2013-05-02 10:45:34 EDT
Patches pushed to upstream CVS.
Comment 18 Fedora Update System 2013-05-13 21:23:29 EDT
libtiff-4.0.3-6.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2013-05-18 22:40:07 EDT
libtiff-3.9.7-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 22 errata-xmlrpc 2014-02-27 13:34:02 EST
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2014:0223 https://rhn.redhat.com/errata/RHSA-2014-0223.html
Comment 23 errata-xmlrpc 2014-02-27 13:35:28 EST
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:0222 https://rhn.redhat.com/errata/RHSA-2014-0222.html
Comment 24 Vincent Danen 2014-02-27 14:31:59 EST