Bug 1185812 (CVE-2014-8128) - CVE-2014-8128 libtiff: out-of-bounds write in multiple tools
Summary: CVE-2014-8128 libtiff: out-of-bounds write in multiple tools
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-8128
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1174883
TreeView+ depends on / blocked
 
Reported: 2015-01-26 11:05 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:27 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 06:49:09 UTC


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-01-26 11:05:47 UTC
Multiple out-of-bounds writes were reported in various libtiff tools:

- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2489
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2490
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2491
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2492
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2493
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2495

Above upstream bugs were fixed by the below commits:

2014-12-21  Even Rouault  <even.rouault@spatialys.com>
* tools/thumbnail.c: fix out-of-buffer write http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)

2014-12-21  Even Rouault  <even.rouault@spatialys.com>
* libtiff/tif_next.c: check that BitsPerSample = 2. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)

2014-12-21  Even Rouault  <even.rouault@spatialys.com>
* tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)

2014-12-21  Even Rouault  <even.rouault@spatialys.com>
Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if BitsPerSample has not yet been read, otherwise reading it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.

2014-12-21  Even Rouault  <even.rouault@spatialys.com>
* tools/tiff2pdf.c: check return code of TIFFGetField() when reading TIFFTAG_SAMPLESPERPIXEL

The below bugs are not yet fixed:

- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2499
- CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2501

Comment 1 Siddharth Sharma 2015-03-24 09:37:54 UTC
Patch
=====

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778923

Comment 3 Vincent Danen 2015-08-22 06:48:58 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.