1326249 – (CVE-2016-3991) CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function

Bug 1326249 (CVE-2016-3991) - CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function

Summary: CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-3991
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	CVE-2016-5322 (view as bug list)
Depends On:	1299920 1299921 1335098 1335099
Blocks:	1316881 1346703
TreeView+	depends on / blocked

Reported:	2016-04-12 09:05 UTC by Andrej Nemec
Modified:	2019-09-29 13:46 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-06-27 08:50:48 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:1546	0	normal	SHIPPED_LIVE	Important: libtiff security update	2016-08-02 20:59:03 UTC
Red Hat Product Errata	RHSA-2016:1547	0	normal	SHIPPED_LIVE	Important: libtiff security update	2016-08-02 20:39:45 UTC

Description Andrej Nemec 2016-04-12 09:05:21 UTC

An Out-of-bounds write vulnerability caused by heap overflow when using tiffcrop tool was found in the libtiff library. The vulnerability is in loadImage() function in tiffcrop.c. loadImage() will read the numbers of tiles by calling TIFFNumberOfTiles().

However, if the numbers of tiles is 0, loadImage() will still read tile data by calling readContigTilesIntoBuffer() from the image, regardless of the numbers. In that case, loadImage() will allocate 3 bytes in the heap to store a tile data.

This creates a potential attack vector via crafted tiff tiles, which may result in DoS or code execution.

Upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2543

Comment 3 errata-xmlrpc 2016-08-02 16:42:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html

Comment 4 errata-xmlrpc 2016-08-02 17:01:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html

Comment 5 Even Rouault 2016-08-04 09:25:00 UTC

It would have been good to attach your patch to the upstream bug instead of letting libtiff maintainers to dig into the .src.rpm

Comment 6 Stefan Cornelius 2017-06-27 08:30:17 UTC

*** Bug 1346683 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.