Bug 1326249 (CVE-2016-3991) - CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function
Summary: CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3991
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160412,repor...
: CVE-2016-5322 (view as bug list)
Depends On: 1299920 1299921 1335098 1335099
Blocks: 1316881 1346703
TreeView+ depends on / blocked
 
Reported: 2016-04-12 09:05 UTC by Andrej Nemec
Modified: 2019-06-08 21:07 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-27 08:50:48 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1546 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 20:59:03 UTC
Red Hat Product Errata RHSA-2016:1547 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 20:39:45 UTC

Description Andrej Nemec 2016-04-12 09:05:21 UTC
An Out-of-bounds write vulnerability caused by heap overflow when using tiffcrop tool was found in the libtiff library. The vulnerability is in loadImage() function in tiffcrop.c. loadImage() will read the numbers of tiles by calling TIFFNumberOfTiles().

However, if the numbers of tiles is 0, loadImage() will still read tile data by calling readContigTilesIntoBuffer() from the image, regardless of the numbers. In that case, loadImage() will allocate 3 bytes in the heap to store a tile data.

This creates a potential attack vector via crafted tiff tiles, which may result in DoS or code execution.

Upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2543

Comment 3 errata-xmlrpc 2016-08-02 16:42:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html

Comment 4 errata-xmlrpc 2016-08-02 17:01:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html

Comment 5 Even Rouault 2016-08-04 09:25:00 UTC
It would have been good to attach your patch to the upstream bug instead of letting libtiff maintainers to dig into the .src.rpm

Comment 6 Stefan Cornelius 2017-06-27 08:30:17 UTC
*** Bug 1346683 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.