Bug 1356867 (CVE-2016-6223) - CVE-2016-6223 libtiff: Out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
Summary: CVE-2016-6223 libtiff: Out-of-bounds read on memory-mapped files in TIFFReadR...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-6223
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1356869 1356870 1356871
Blocks: 1346703 1356874
TreeView+ depends on / blocked
 
Reported: 2016-07-15 07:39 UTC by Adam Mariš
Modified: 2019-09-29 13:52 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-27 11:51:12 UTC


Attachments (Terms of Use)

Description Adam Mariš 2016-07-15 07:39:00 UTC
An out-of-bounds read vulnerability on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond tmsize_t max value was found. The vulnerability allows an attacker to specify a negative index into the file-content buffer and copy data from that position until the end of the buffer. This will allow an attacker to crash the process by accessing unmapped memory and (depending on how LibTIFF is used) might also allow an attacker to leak sensitive information.

Fixed by commit with commitid: YhOZoKv5OA9gNNdz;

CVE assignment:

http://seclists.org/oss-sec/2016/q3/67

Comment 1 Adam Mariš 2016-07-15 07:42:38 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1356869]

Comment 2 Adam Mariš 2016-07-15 07:42:44 UTC
Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1356870]
Affects: epel-all [bug 1356871]

Comment 3 Stefan Cornelius 2016-07-25 09:37:35 UTC
Upstream patch:
https://github.com/vadz/libtiff/commit/0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496


Note You need to log in before you can comment on or make changes to this bug.