Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1319503

Summary: buffer overflow in gif2tiff
Product: Red Hat Enterprise Linux 7
Reporter: Aladdin Mubaied <alaa.mubaied>
Component: libtiff
Assignee: Nikola Forró <nforro>
Status: CLOSED ERRATA
QA Contact: David Jež <djez>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.4
CC: djez, henri, jhouska, mhradile, security-response-team
Target Milestone: rc
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libtiff-4.0.3-28.el7
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 12:39:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1319666

Attachments:
Description    Flags
crasher        none

Description Aladdin Mubaied 2016-03-20 18:11:19 UTC
Created attachment 1138356 [details]
crasher

Hi, there is a buffer overflow in gif2tiff.c:353. Details are below: what it
appears to me is an overflow in the readextension function. I have attached a
copy of the crash.gif file for testing.

Please note that I'm running libtiff v4.0.6.

-bash$ gif2tiff  crash.gif /tmp/out.tiff
*** buffer overflow detected ***: /opt/libtiff/bin/gif2tiff terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f9c4b86c9c7]
/lib64/libc.so.6(+0x10bb90)[0x7f9c4b86ab90]
/lib64/libc.so.6(__fread_chk+0x12c)[0x7f9c4b86b26c]
/opt/libtiff/bin/gif2tiff[0x403aab]
/opt/libtiff/bin/gif2tiff[0x407a0d]
/opt/libtiff/bin/gif2tiff[0x402db9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f9c4b780af5]
/opt/libtiff/bin/gif2tiff[0x402f15]
======= Memory map: ========
00400000-00569000 r-xp 00000000 fd:00 402857                            /opt/libtiff/bin/gif2tiff
00768000-00769000 r--p 001680320 fd:00 402857                            /opt/libtiff/bin/gif2tiff
00769000-0076c000 rw-p 001680320 fd:00 402857                            /opt/libtiff/bin/gif2tiff
..
..
..
7f9c4v24a000-7f9c4c24d000 rw-p 00000000 00:00 0
7f9c4v24a000-7f9c4c259000 r--p 00020000 fd:00 277009                    /usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25a000 rw-p 00021000 fd:00 277009                    /usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25b000 rw-p 00000000 00:00 0
7fff3a9d1000-7fff3a9f2000 rw-p 00000000 00:00 0                         [stack]
7fff3a9fe000-7fff3aa00000 r-xp 00000000 00:00 0                         [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                 [vsyscall]
Aborted


gdb$ bt
#0  0x00007ffff75385c9 in raise () from /lib64/libc.so.6
#1  0x00007ffff7539cd8 in abort () from /lib64/libc.so.6
#2  0x00007ffff7578db7 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff76109c7 in __fortify_fail () from /lib64/libc.so.6
#4  0x00007ffff760eb90 in __chk_fail () from /lib64/libc.so.6
#5  0x00007ffff760f26c in __fread_chk () from /lib64/libc.so.6
#6  0x0000000000403aab in fread (__stream=<optimized out>, __n=0xffffffffffffffff, __size=0x1, __ptr=0x7fffffffe3c0) at /usr/include/bits/stdio2.h:290
#7  readextension () at gif2tiff.c:353
#8  0x0000000000407a0d in convert () at gif2tiff.c:222
#9  0x0000000000402db9 in main (argc=<optimized out>, argv=0x7fffffffe618) at gif2tiff.c:178
#10 0x00007ffff7524af5 in __libc_start_main () from /lib64/libc.so.6
#11 0x0000000000402f15 in _start ()

Breakpoint 1, readextension () at gif2tiff.c:353
353         if (fread(buf, 1, count, infile) != (size_t) count) {
gdb-peda$ list
345 readextension(void)
346 {
347     int count;
348     char buf[255];
349     int status = 1;
350
351     (void) getc(infile);
352     while ((count = getc(infile)) && count <= 255)
>>353       if (fread(buf, 1, count, infile) != (size_t) count) {
354             fprintf(stderr, "short read from file %s (%s)\n",
355                     filename, strerror(errno));
356             status = 0;
357             break;
358         }
359     return status;
360 }

Thanks 
Aladdin Mubaied
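
The backtrace above shows why the fortified fread aborts: getc() returns an int, and on a truncated extension block it returns EOF (-1), which still satisfies "count && count <= 255", so the cast to size_t turns it into the 0xffffffffffffffff request seen in frame #6. The program below is an added worked example, not code from this bug report or from libtiff. It models the quoted loop against a constructed, truncated GIF extension held in memory via fmemopen() (POSIX.1-2008; the model only issues the fread when the request fits the 255-byte buffer so that the harness itself does not abort, and reports the size the original would have requested). It also shows a checked reader written here for illustration, which is not the upstream or Red Hat fix: it rejects EOF before it is ever used as a length and copies the sub-block payload out with an explicit bound.

```c
#define _GNU_SOURCE            /* for fmemopen() (POSIX.1-2008) */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model of the readextension() loop quoted in the report.  getc() returns
 * an int; EOF (-1) passes "count && count <= 255" and (size_t)count becomes
 * SIZE_MAX.  To keep this harness alive, the fread is only issued when the
 * request fits buf; the largest size the original would have passed to
 * fread() is returned through *max_request.  Returns 1 on "success", 0 on
 * short read, like the original.
 */
static int readextension_model(FILE *infile, size_t *max_request)
{
    int count;
    char buf[255];
    int status = 1;

    *max_request = 0;
    (void) getc(infile);                      /* skip the extension label */
    while ((count = getc(infile)) && count <= 255) {
        size_t n = (size_t) count;            /* EOF (-1) -> SIZE_MAX */
        if (n > *max_request)
            *max_request = n;
        if (n > sizeof buf)                   /* would overrun buf: stop */
            return 0;
        if (fread(buf, 1, n, infile) != n) {  /* original short-read check */
            status = 0;
            break;
        }
    }
    return status;
}

/*
 * Checked reader written for this example (not the upstream patch): treats
 * EOF as an error before it is used as a length, stops at the 0x00 block
 * terminator, and appends each sub-block payload to out[] with a bound.
 * Returns 1 if a complete, terminated extension was consumed, 0 otherwise.
 */
static int readextension_checked(FILE *infile, unsigned char *out,
                                 size_t outcap, size_t *outlen)
{
    int count;
    unsigned char buf[255];

    *outlen = 0;
    if (getc(infile) == EOF)                  /* missing label byte */
        return 0;
    for (;;) {
        count = getc(infile);
        if (count == EOF)                     /* truncated before terminator */
            return 0;
        if (count == 0)                       /* block terminator */
            return 1;
        /* count is 1..255 here, so it always fits buf */
        if (fread(buf, 1, (size_t) count, infile) != (size_t) count)
            return 0;
        if (*outlen + (size_t) count > outcap)
            return 0;
        memcpy(out + *outlen, buf, (size_t) count);
        *outlen += (size_t) count;
    }
}

/* Constructed inputs, positioned where gif2tiff calls readextension():
   just after the 0x21 extension introducer has been consumed. */
static const unsigned char good_ext[] =
    { 0xFE, 0x03, 'a', 'b', 'c', 0x00 };      /* comment ext, 3 bytes, terminator */
static const unsigned char truncated_ext[] =
    { 0xFE, 0x03, 'a', 'b', 'c' };            /* stream ends before terminator */

static FILE *open_bytes(const unsigned char *p, size_t n)
{
    return fmemopen((void *) p, n, "r");
}

/* Largest fread() size the original loop would request for this input. */
size_t model_request_for(const unsigned char *p, size_t n)
{
    size_t req;
    FILE *f = open_bytes(p, n);
    readextension_model(f, &req);
    fclose(f);
    return req;
}

/* Result of the checked reader for this input; payload lands in out[]. */
int checked_result_for(const unsigned char *p, size_t n,
                       unsigned char *out, size_t cap, size_t *len)
{
    FILE *f = open_bytes(p, n);
    int rc = readextension_checked(f, out, cap, len);
    fclose(f);
    return rc;
}

int main(void)
{
    unsigned char out[64];
    size_t len;
    printf("original-style request on truncated input: %zu (SIZE_MAX = %zu)\n",
           model_request_for(truncated_ext, sizeof truncated_ext), (size_t) SIZE_MAX);
    printf("checked reader, truncated: %d\n",
           checked_result_for(truncated_ext, sizeof truncated_ext, out, sizeof out, &len));
    printf("checked reader, good: %d, %zu payload bytes\n",
           checked_result_for(good_ext, sizeof good_ext, out, sizeof out, &len), len);
    return 0;
}
```

The point the model makes is that the 255-byte buffer is never too small for a well-formed sub-block (a length byte is at most 255); the oversize request comes entirely from treating EOF as a length, which is why an int returned by getc() must be compared against EOF before it is cast to size_t.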

Comment 1 Aladdin Mubaied 2016-03-20 18:11:53 UTC
CVE-2016-3186 has been assigned for this bug.

Comment 3 Huzaifa S. Sidhpurwala 2016-03-25 06:15:16 UTC
Aladdin,

Hi, thanks for the report. After analysis it seems this is indeed an issue with the gif2tiff utility. Do you mind if I make this bug report public?

Comment 4 Aladdin Mubaied 2016-03-25 06:33:35 UTC
Sure, you can make it public.
Thanks

Comment 5 Huzaifa S. Sidhpurwala 2016-03-30 09:31:10 UTC
This bug corresponds to the security flaw at:
https://bugzilla.redhat.com/show_bug.cgi?id=1319666

Comment 10 errata-xmlrpc 2019-08-06 12:39:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2053