Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1177893 - (CVE-2014-9330) CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff
CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20141222,reported=2...
: Security
Depends On: 1299918 1299919 1299920 1299921 1335098 1335099
Blocks: 1174883
  Show dependency treegraph
 
Reported: 2014-12-31 01:19 EST by Huzaifa S. Sidhpurwala
Modified: 2016-08-04 07:17 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the bmp2tiff utility. By tricking a user into processing a specially crafted file, a remote attacker could exploit this flaw to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1546 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 16:59:03 EDT
Red Hat Product Errata RHSA-2016:1547 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 16:39:45 EDT

  None (edit)
Description Huzaifa S. Sidhpurwala 2014-12-31 01:19:04 EST 
An Out-of-bounds read flaw followed by a crash was found in the bmp2tiff utility (A utility used to create a TIFF file from a Microsoft Windows Device Independent Bitmap image file) shipped with libtiff. A remote attacker could provide a specially-crafted BMP (Bitmap Image) file that, when processed by bmp2tiff, would cause bmp2tiff to crash.

Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
Comment 1 Siddharth Sharma 2015-03-23 03:02:00 EDT 
Patch
=====

https://lists.debian.org/debian-release/2014/12/msg01782.html
Comment 2 Siddharth Sharma 2015-03-23 06:55:11 EDT 
Analysis
========

According to the file format specification of BMP

 * +---------------------+
 * | BMPFileHeader       |
 * +---------------------+
 * | BMPInfoHeader       |
 * +---------------------+
 * | BMPColorEntry array |
 * +---------------------+
 * | Colour-index array  |
 * +---------------------+

in the following code of bmp2tiff.c

struct {
...
    int32       iWidth;         /* Image width */
    int32       iHeight;        /* Image height. If positive, image has bottom
                                 * left origin, if negative --- top left. */
...
} BMPInfoHeader;

...
                if (bmp_type == BMPT_WIN4
                    || bmp_type == BMPT_WIN5
                    || bmp_type == BMPT_OS22) {
                        read(fd, &info_hdr.iWidth, 4);
...
#ifdef WORDS_BIGENDIAN
                        TIFFSwabLong((uint32*) &info_hdr.iWidth);

While reading the iWidth from BMPInfoHeader of malicious file, it does not check for the negative value of the iWidth in the following code. According to the file format specification of bmp iWidth should not be having negative value in it.

                width = info_hdr.iWidth;

Failing to sanitize the iWidth value initially and passing it to variable 'width' which is later used to encode or decode packedbits causes Out-of-bounds read flaw which leads to crash. In the libtiff only bmp2tiff seems to be having this flaw, so crash would occur only if bmp2tiff is being used by any application opening malicious file. Impact of this flaw is low
and it is bit complex to create such file.
Comment 3 Siddharth Sharma 2015-06-01 07:56:35 EDT 
Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in libtiff.
Comment 8 errata-xmlrpc 2016-08-02 12:40:13 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
Comment 9 errata-xmlrpc 2016-08-02 12:59:19 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.