An out-of-bounds write vulnerability was found in the cvt_by_strip and cvt_by_tile functions in tiff2rgba, allowing an attacker to cause a denial of service or command execution via a crafted TIFF image.
Public via: http://seclists.org/oss-sec/2016/q2/30
Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2545
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html
It would have been good to attach your patch to the upstream bug instead of letting libtiff maintainers dig into the .src.rpm.
Patch tiff-CVE-2016-3945.patch from libtiff-4.0.3-25.el7_2.src.rpm is incorrect. It rejects valid files. Fixed in libtiff upstream per:
Fixed per:
2016-08-15 Even Rouault <even.rouault at spatialys.com>
    * tools/tiff2rgba.c: Fix integer overflow in size of allocated buffer, when -b mode is enabled, that could result in out-of-bounds write. Based initially on patch tiff-CVE-2016-3945.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid tests that rejected valid files.
/cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v <-- tools/tiff2rgba.c
new revision: 1.22; previous revision: 1.21
See http://bugzilla.maptools.org/show_bug.cgi?id=2545
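The bug class named in the ChangeLog entry above (an integer overflow in the size of an allocated buffer), shown as an added C example that is not libtiff's code and not either patch. It assumes a raster of width × rows 32-bit pixels; the function names and the `limit` parameter are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Unchecked: the product is computed in 32 bits and silently wraps, so the
 * allocation can be far smaller than what the converter later writes. */
static uint32_t raster_size_unchecked(uint32_t width, uint32_t rows)
{
    return width * rows * (uint32_t)sizeof(uint32_t);
}

/* Checked: compute the pixel count in 64 bits (two 32-bit factors cannot
 * overflow that) and reject only when the byte size would exceed `limit`,
 * the largest allocation the caller can represent (hypothetical parameter).
 * Testing the real product, not a fixed dimension threshold, keeps large
 * but valid images from being rejected.
 * Returns 0 and stores the size in *out on success, -1 otherwise. */
static int raster_size_checked(uint32_t width, uint32_t rows,
                               size_t limit, size_t *out)
{
    uint64_t pixels;

    if (width == 0 || rows == 0)
        return -1;                       /* nothing to convert */
    pixels = (uint64_t)width * rows;
    if (pixels > limit / sizeof(uint32_t))
        return -1;                       /* byte size would exceed limit */
    *out = (size_t)(pixels * sizeof(uint32_t));
    return 0;
}

int main(void)
{
    /* Constructed dimensions: the true size is about 16 GiB, but the
     * 32-bit product wraps to 16 bytes. */
    uint32_t w = 0x40000001u, rows = 4;
    size_t sz = 0;

    printf("unchecked size: %u bytes\n", (unsigned)raster_size_unchecked(w, rows));
    if (raster_size_checked(w, rows, UINT32_MAX, &sz) != 0)
        printf("checked: rejected, size does not fit the 32-bit limit\n");
    if (raster_size_checked(4096, 16, UINT32_MAX, &sz) == 0)
        printf("checked: 4096x16 accepted, %lu bytes\n", (unsigned long)sz);
    return 0;
}
```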