Bug 1190709 (CVE-2015-1547) - CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode
Summary: CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-1547
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1190710 1190712 1299918 1299919 1299920 1299921 1335098 1335099
Blocks: 1174883
TreeView+ depends on / blocked
 
Reported: 2015-02-09 14:07 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:40 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:38:46 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1546 0 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 20:59:03 UTC
Red Hat Product Errata RHSA-2016:1547 0 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 20:39:45 UTC

Description Vasyl Kaigorodov 2015-02-09 14:07:20 UTC
Use of uninitialized memory was reported [1] in NeXTDecode in libtiff.
The example TIFF file that triggers this behavious can be found here:
http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif

[1]: http://seclists.org/oss-sec/2015/q1/454

Comment 1 Vasyl Kaigorodov 2015-02-09 14:08:19 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1190710]

Comment 2 Vasyl Kaigorodov 2015-02-09 14:08:53 UTC
Created mingw-libtiff tracking bugs for this issue:

Affects: epel-7 [bug 1190712]

Comment 3 Siddharth Sharma 2015-03-26 07:16:44 UTC
Patch
=====

There is no proper information of fixing this flaw anywhere according to 
http://seclists.org/oss-sec/2015/q1/454

 - uninitialized memory in NeXTDecode
   Fixed in:

     2014-12-29  Even Rouault  <even.rouault () spatialys com>

     * libtiff/tif_next.c: add new tests to check that we don't read outside of
     the compressed input stream buffer.

   I don't think this had a CVE number assigned yet.


Use CVE-2014-9655 for these two issues related to access of uninitialized memory, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.


http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif

 - another use of uninitialized memory in NeXTDecode after fixing the
previous case.
   I don't think this had a CVE number assigned yet.


Use CVE-2015-1547 for this issue. 

--------------------

Considering above part of patch that fixes CVE-2014-9655 in tif_next.c from commit https://github.com/vadz/libtiff/commit/40a5955cbf0df62b1f9e9bd7d9657b0070725d19
fixes CVE-2015-1547

libtiff/tif_next.c
 @@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 		TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
 		return (0);
 	}
-	for (row = buf; occ > 0; occ -= scanline, row += scanline) {
+	for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
 		n = *bp++, cc--;
 		switch (n) {
 		case LITERALROW:
 @@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 			 * The scanline has a literal span that begins at some
 			 * offset.
 			 */
+			if( cc < 4 )
+				goto bad;
 			off = (bp[0] * 256) + bp[1];
 			n = (bp[2] * 256) + bp[3];
 			if (cc < 4+n || off+n > scanline)

Comment 4 Fedora Update System 2015-05-30 15:55:33 UTC
libtiff-4.0.3-20.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Siddharth Sharma 2015-06-01 11:57:07 UTC
Statement:

Red Hat Product Security has rated this issue as having moderate security impact, a future update may address this flaw in libtiff.

Comment 16 errata-xmlrpc 2016-08-02 16:40:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html

Comment 17 errata-xmlrpc 2016-08-02 16:59:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html


Note You need to log in before you can comment on or make changes to this bug.