Bug 1410063 (CVE-2016-10095) - CVE-2016-10095 libtiff: Stack-based buffer overflow in _TIFFVGetField
Summary: CVE-2016-10095 libtiff: Stack-based buffer overflow in _TIFFVGetField
Keywords:
Status: CLOSED DUPLICATE of bug 1294417
Alias: CVE-2016-10095
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1410125 1410123 1410124
Blocks: 1389235 1410122
Reported: 2017-01-04 11:24 UTC by Adam Mariš
Modified: 2019-09-29 14:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-16 06:30:18 UTC



Description Adam Mariš 2017-01-04 11:24:07 UTC
A stack-based buffer overflow vulnerability was found in libtiff when running tiffsplit on a crafted TIFF file.

Reproducer:

https://github.com/asarubbo/poc/blob/master/00104-libtiff-stackoverflow-_TIFFVGetField

CVE assignment:

http://seclists.org/oss-sec/2017/q1/10

Reference:

https://blogs.gentoo.org/ago/2017/01/01/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c/

Comment 1 Adam Mariš 2017-01-04 14:20:04 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1410123]

Comment 2 Adam Mariš 2017-01-04 14:20:10 UTC
Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1410124]
Affects: epel-7 [bug 1410125]

Comment 6 Huzaifa S. Sidhpurwala 2017-01-16 06:30:18 UTC

*** This bug has been marked as a duplicate of bug 1294417 ***

Comment 8 Carl Song 2017-03-28 15:17:29 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> 
> *** This bug has been marked as a duplicate of bug 1294417 ***

What is the reasoning behind this decision? Bug 1294417 references CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in libtiff 4.0.7.

Comment 9 Huzaifa S. Sidhpurwala 2017-04-03 05:49:36 UTC
(In reply to carl_song from comment #8)
> (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > 
> > *** This bug has been marked as a duplicate of bug 1294417 ***
> 
> What is the reasoning behind this decision? Bug 1294417 references
> CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> libtiff 4.0.7.

CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.

Comment 10 Carl Song 2017-04-03 18:04:51 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #9)
> (In reply to carl_song from comment #8)
> > (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > > 
> > > *** This bug has been marked as a duplicate of bug 1294417 ***
> > 
> > What is the reasoning behind this decision? Bug 1294417 references
> > CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> > libtiff 4.0.7.
> 
> CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.

If it's not fixed, why are the relevant tickets closed? Is there ongoing effort to remediate this vulnerability and how are you tracking it?

Comment 11 Huzaifa S. Sidhpurwala 2017-04-04 03:39:34 UTC
(In reply to carl_song from comment #10)
> (In reply to Huzaifa S. Sidhpurwala from comment #9)
> > (In reply to carl_song from comment #8)
> > > (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > > > 
> > > > *** This bug has been marked as a duplicate of bug 1294417 ***
> > > 
> > > What is the reasoning behind this decision? Bug 1294417 references
> > > CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> > > libtiff 4.0.7.
> > 
> > CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
> 
> If it's not fixed, why are the relevant tickets closed? Is there ongoing
> effort to remediate this vulnerability and how are you tracking it?

I am not sure if I understand your question. This bug (CVE-2016-10095) is marked as a duplicate of CVE-2015-7554, which was fixed:

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html in rhel-6
Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html in rhel-7

Comment 12 Carl Song 2017-04-04 15:40:26 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #11)
> (In reply to carl_song from comment #10)
> > (In reply to Huzaifa S. Sidhpurwala from comment #9)
> > > (In reply to carl_song from comment #8)
> > > > (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > > > > 
> > > > > *** This bug has been marked as a duplicate of bug 1294417 ***
> > > > 
> > > > What is the reasoning behind this decision? Bug 1294417 references
> > > > CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> > > > libtiff 4.0.7.
> > > 
> > > CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
> > 
> > If it's not fixed, why are the relevant tickets closed? Is there ongoing
> > effort to remediate this vulnerability and how are you tracking it?
> 
> I am not sure if i understand your question. This bug (CVE-2016-10095) is
> marked as duplicate of CVE-2015-7554, which was fixed:
> 
> Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html in
> rhel-6
> Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html in
> rhel-7

In consecutive statements you said:
1) CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7
2) CVE-2015-7554 was fixed

Which one is true?

Comment 13 Huzaifa S. Sidhpurwala 2017-04-05 04:54:41 UTC
(In reply to Carl Song from comment #12)

> > > > CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
> > > 
> > > If it's not fixed, why are the relevant tickets closed? Is there ongoing
> > > effort to remediate this vulnerability and how are you tracking it?
> > 
> > I am not sure if i understand your question. This bug (CVE-2016-10095) is
> > marked as duplicate of CVE-2015-7554, which was fixed:
> > 
> > Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html in
> > rhel-6
> > Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html in
> > rhel-7
> 
> In consecutive statements you said:
> 1) CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7
> 2) CVE-2015-7554 was fixed
> 
> Which one is true?

Both :)

4.0.6 and 4.0.7 are upstream version numbers, we backport the patches to the versions shipped in Red Hat Enterprise Linux.

So even though upstream may not have fixed CVE-2015-7554 in 4.0.6, nor later in 4.0.7, we backported the fix to the versions we ship.

So those versions are fixed; I am not sure about the upstream versions here.

