Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1319666 - (CVE-2016-3186) CVE-2016-3186 libtiff: buffer overflow in gif2tiff
CVE-2016-3186 libtiff: buffer overflow in gif2tiff
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160330,repor...
: Security
Depends On: 1322310 1322307 1322309
Blocks: 1319667
  Show dependency treegraph
 
Reported: 2016-03-21 06:01 EDT by Andrej Nemec
Modified: 2017-03-09 20:15 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch solving this buffer overflow (498 bytes, patch)
2016-04-06 10:05 EDT, Fridrich Strba 		fridrich.strba: review?
Details | Diff
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Andrej Nemec 2016-03-21 06:01:30 EDT 
A buffer overflow vulnerability was reported in libtiff library, in gif2tiff component. A maliciously crafted file could cause the application to crash.

Original bug report with reproducer:

https://bugzilla.redhat.com/show_bug.cgi?id=1319503
Comment 1 Andrej Nemec 2016-03-21 06:01:34 EDT 
Acknowledgments:

Name: Aladdin Mubaied
Comment 2 Huzaifa S. Sidhpurwala 2016-03-30 05:26:38 EDT 
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1322307]
Comment 3 Huzaifa S. Sidhpurwala 2016-03-30 05:26:44 EDT 
Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1322309]
Comment 4 Huzaifa S. Sidhpurwala 2016-03-30 05:30:18 EDT 
Created mingw-libtiff tracking bugs for this issue:

Affects: epel-7 [bug 1322310]
Comment 5 Huzaifa S. Sidhpurwala 2016-03-30 05:40:13 EDT 
Also disclosed on oss-security mailing list via:
http://www.openwall.com/lists/oss-security/2016/03/30/2
Comment 6 Fridrich Strba 2016-04-06 10:05 EDT 
Created attachment 1144235 [details]
Patch solving this buffer overflow

When getc detects that that it is at the end of file, it returns EOF which is a negative number. The exact value depends on implementation, but it is always a negative number. On Linux it is normally -1. That while loop check only if the count is <= 255. If the number count is negative, that condition is satisfied. Nonetheless, in the subsequent fread, the count is casted to size_t where it becomes a huge number, hence the buffer overflow. This patch is adding a check for the return of getc being positive, which solves the buffer overflow.
Comment 7 Henri Salo 2016-05-31 03:39:37 EDT 
For your information I noticed additional buffer overflow issue in readgifimage(), which have been reported to upstream in http://bugzilla.maptools.org/show_bug.cgi?id=2552
Comment 8 Henri Salo 2016-06-02 02:17:11 EDT 
CVE-2016-5102 has been assigned to buffer overflow issue in readgifimage(), which was reported in http://bugzilla.maptools.org/show_bug.cgi?id=2552

I am not sure how this should be reported to bugzilla.redhat.com as a separate issue.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.