Multiple out-of-bounds writes were reported in various libtiff tools: - CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail tool http://bugzilla.maptools.org/show_bug.cgi?id=2489 - CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool http://bugzilla.maptools.org/show_bug.cgi?id=2490 - CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool http://bugzilla.maptools.org/show_bug.cgi?id=2491 - CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool http://bugzilla.maptools.org/show_bug.cgi?id=2492 - CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools http://bugzilla.maptools.org/show_bug.cgi?id=2493 - CVE-2014-8128 libtiff: Out-of-bounds Write in the tiff2pdf tool http://bugzilla.maptools.org/show_bug.cgi?id=2495 Above upstream bugs were fixed by the below commits: 2014-12-21 Even Rouault <even.rouault> * tools/thumbnail.c: fix out-of-buffer write http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) 2014-12-21 Even Rouault <even.rouault> * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) 2014-12-21 Even Rouault <even.rouault> * tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128) 2014-12-21 Even Rouault <even.rouault> Fix various crasher bugs on fuzzed images. * libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if BitsPerSample has not yet been read, otherwise reading it later will cause user code to crash if BitsPerSample > 1 * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB * tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight * tools/tiffdump.c: fix crash due to overflow of entry count. 2014-12-21 Even Rouault <even.rouault> * tools/tiff2pdf.c: check return code of TIFFGetField() when reading TIFFTAG_SAMPLESPERPIXEL The below bugs are not yet fixed: - CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools http://bugzilla.maptools.org/show_bug.cgi?id=2499 - CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool http://bugzilla.maptools.org/show_bug.cgi?id=2501
Patch ===== https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778923
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.