Bug 1319503 - buffer overflow in gif2tiff
Summary: buffer overflow in gif2tiff
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libtiff
Version: 7.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Nikola Forró
QA Contact: David Jež
URL:
Whiteboard:
Depends On:
Blocks: CVE-2016-3186
 
Reported: 2016-03-20 18:11 UTC by Aladdin Mubaied
Modified: 2019-08-06 12:39 UTC
CC: 5 users

Fixed In Version: libtiff-4.0.3-28.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:39:23 UTC
Target Upstream Version:
Embargoed:


Attachments
crasher (20 bytes, image/gif), attached 2016-03-20 18:11 UTC by Aladdin Mubaied


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2019:2053  0        None      None    None     2019-08-06 12:39:42 UTC

Description Aladdin Mubaied 2016-03-20 18:11:19 UTC
Created attachment 1138356
crasher

Hi, there is a buffer overflow at gif2tiff.c:353. Details are below: it appears to me to be an overflow in the readextension function. I have attached a copy of the crash.gif file for testing.

Please note that I'm running libtiff v4.0.6.

-bash$ gif2tiff  crash.gif /tmp/out.tiff
*** buffer overflow detected ***: /opt/libtiff/bin/gif2tiff terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f9c4b86c9c7]
/lib64/libc.so.6(+0x10bb90)[0x7f9c4b86ab90]
/lib64/libc.so.6(__fread_chk+0x12c)[0x7f9c4b86b26c]
/opt/libtiff/bin/gif2tiff[0x403aab]
/opt/libtiff/bin/gif2tiff[0x407a0d]
/opt/libtiff/bin/gif2tiff[0x402db9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f9c4b780af5]
/opt/libtiff/bin/gif2tiff[0x402f15]
======= Memory map: ========
00400000-00569000 r-xp 00000000 fd:00 402857                            /opt/libtiff/bin/gif2tiff
00768000-00769000 r--p 001680320 fd:00 402857                           /opt/libtiff/bin/gif2tiff
00769000-0076c000 rw-p 001680320 fd:00 402857                           /opt/libtiff/bin/gif2tiff
..
..
..
7f9c4v24a000-7f9c4c24d000 rw-p 00000000 00:00 0
7f9c4v24a000-7f9c4c259000 r--p 00020000 fd:00 277009                    /usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25a000 rw-p 00021000 fd:00 277009                    /usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25b000 rw-p 00000000 00:00 0
7fff3a9d1000-7fff3a9f2000 rw-p 00000000 00:00 0                         [stack]
7fff3a9fe000-7fff3aa00000 r-xp 00000000 00:00 0                         [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                 [vsyscall]
Aborted


gdb$ bt
#0  0x00007ffff75385c9 in raise () from /lib64/libc.so.6
#1  0x00007ffff7539cd8 in abort () from /lib64/libc.so.6
#2  0x00007ffff7578db7 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff76109c7 in __fortify_fail () from /lib64/libc.so.6
#4  0x00007ffff760eb90 in __chk_fail () from /lib64/libc.so.6
#5  0x00007ffff760f26c in __fread_chk () from /lib64/libc.so.6
#6  0x0000000000403aab in fread (__stream=<optimized out>, __n=0xffffffffffffffff, __size=0x1, __ptr=0x7fffffffe3c0) at /usr/include/bits/stdio2.h:290
#7  readextension () at gif2tiff.c:353
#8  0x0000000000407a0d in convert () at gif2tiff.c:222
#9  0x0000000000402db9 in main (argc=<optimized out>, argv=0x7fffffffe618) at gif2tiff.c:178
#10 0x00007ffff7524af5 in __libc_start_main () from /lib64/libc.so.6
#11 0x0000000000402f15 in _start ()

Breakpoint 1, readextension () at gif2tiff.c:353
353            if (fread(buf, 1, count, infile) != (size_t) count) {
gdb-peda$ list
345 readextension(void)
346 {
347     int count;
348     char buf[255];
349     int status = 1;
350 
351     (void) getc(infile);
352     while ((count = getc(infile)) && count <= 255)
>>353       if (fread(buf, 1, count, infile) != (size_t) count) {
354             fprintf(stderr, "short read from file %s (%s)\n",
355                     filename, strerror(errno));
356             status = 0;
357             break;
358         }
359     return status;
360 }

Thanks 
Aladdin Mubaied
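
The root cause is visible in frame #6 of the backtrace: fread() is called with `__n=0xffffffffffffffff`. Once the 20-byte file is exhausted, getc() returns EOF (-1); -1 is both non-zero and `<= 255`, so the loop body runs with count == -1, (size_t)count becomes SIZE_MAX, and glibc's FORTIFY wrapper __fread_chk aborts because the destination buf is only 255 bytes. The C program below is an added example, not code from the bug report or from libtiff: it reproduces the quoted loop logic against an in-memory stand-in for `infile` (so the vulnerable path can be observed without actually corrupting the stack) and places a hardened variant beside it. The stream_t helpers, readextension_fixed(), and both byte sequences are constructed for this example; the hardened version is my own and is not the fix libtiff shipped for this CVE.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* In-memory stand-in for gif2tiff's `infile` (constructed for this example). */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} stream_t;

/* Same contract as getc(): next byte as 0..255, or EOF (-1) when exhausted. */
static int stream_getc(stream_t *s)
{
    return s->pos < s->len ? s->data[s->pos++] : EOF;
}

/* Instrumented fread(dst, 1, n, infile): where a real fread() would write
 * past dst (n > dstcap), clamp the copy and raise *overflow instead. */
static size_t stream_read(stream_t *s, unsigned char *dst, size_t dstcap,
                          size_t n, int *overflow)
{
    if (n > dstcap) {
        *overflow = 1;
        n = dstcap;
    }
    size_t avail = s->len - s->pos;
    if (n > avail)
        n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Loop structure of readextension() as quoted in the report. EOF (-1) is
 * non-zero and <= 255, so the body runs with (size_t)count == SIZE_MAX. */
int readextension_vuln(stream_t *s, int *overflow)
{
    int count;
    unsigned char buf[255];
    int status = 1;

    (void) stream_getc(s);                        /* extension label byte */
    while ((count = stream_getc(s)) && count <= 255)
        if (stream_read(s, buf, sizeof buf, (size_t) count, overflow)
                != (size_t) count) {
            status = 0;                           /* "short read" path */
            break;
        }
    return status;
}

/* Hardened variant (my own, not libtiff's fix): EOF before the terminator is
 * an error, 0 ends the block, anything else is 1..255 and always fits buf. */
int readextension_fixed(stream_t *s)
{
    int count;
    unsigned char buf[255];
    int unused = 0;

    if (stream_getc(s) == EOF)                    /* missing label byte */
        return 0;
    for (;;) {
        count = stream_getc(s);
        if (count == EOF)                         /* truncated sub-block list */
            return 0;
        if (count == 0)                           /* block terminator */
            return 1;
        if (stream_read(s, buf, sizeof buf, (size_t) count, &unused)
                != (size_t) count)
            return 0;
    }
}

/* Constructed inputs (not the 20-byte crasher attached to this bug). */
/* Label 0xF9, one 4-byte sub-block, 0x00 terminator. */
const unsigned char EXT_WELLFORMED[] = { 0xF9, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00 };
const size_t EXT_WELLFORMED_LEN = sizeof EXT_WELLFORMED;
/* Label 0xF9, one 3-byte sub-block, then EOF with no terminator. */
const unsigned char EXT_TRUNCATED[] = { 0xF9, 0x03, 0x41, 0x42, 0x43 };
const size_t EXT_TRUNCATED_LEN = sizeof EXT_TRUNCATED;

/* Returns status in bit 0 and the would-have-overflowed flag in bit 1. */
int run_vuln(const unsigned char *data, size_t len)
{
    stream_t s = { data, len, 0 };
    int overflow = 0;
    int status = readextension_vuln(&s, &overflow);
    return status | (overflow << 1);
}

int run_fixed(const unsigned char *data, size_t len)
{
    stream_t s = { data, len, 0 };
    return readextension_fixed(&s);
}

int main(void)
{
    printf("well-formed: vuln=%d fixed=%d\n",
           run_vuln(EXT_WELLFORMED, EXT_WELLFORMED_LEN),
           run_fixed(EXT_WELLFORMED, EXT_WELLFORMED_LEN));
    printf("truncated:   vuln=%d fixed=%d\n",
           run_vuln(EXT_TRUNCATED, EXT_TRUNCATED_LEN),
           run_fixed(EXT_TRUNCATED, EXT_TRUNCATED_LEN));
    return 0;
}
```

On the truncated input the vulnerable loop accepts count == -1 and asks for SIZE_MAX bytes into a 255-byte buffer (run_vuln reports the overflow flag), which is exactly the call __fread_chk refuses in the backtrace; the hardened loop rejects the same input as a truncated file without ever issuing an oversized read. Note that a fortified build only turns this into an abort, a denial of service, and a build without FORTIFY_SOURCE would write whatever the stream still holds past buf.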

Comment 1 Aladdin Mubaied 2016-03-20 18:11:53 UTC
The following CVE has been assigned for this bug: CVE-2016-3186.

Comment 3 Huzaifa S. Sidhpurwala 2016-03-25 06:15:16 UTC
Aladdin,

Hi, thanks for the report. After analysis it seems this is indeed an issue with the gif2tiff utility. Do you mind if I make this bug report public?

Comment 4 Aladdin Mubaied 2016-03-25 06:33:35 UTC
Sure, you can make it public.
Thanks

Comment 5 Huzaifa S. Sidhpurwala 2016-03-30 09:31:10 UTC
This bug corresponds to the security flaw at:
https://bugzilla.redhat.com/show_bug.cgi?id=1319666

Comment 10 errata-xmlrpc 2019-08-06 12:39:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2053

