Bug 1410063 - (CVE-2016-10095) CVE-2016-10095 libtiff: Stack-based buffer overflow in _TIFFVGetField
Status: CLOSED DUPLICATE of bug 1294417
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20161204,repor...
Keywords: Security
Depends On: 1410125 1410123 1410124
Blocks: 1389235 1410122
Reported: 2017-01-04 06:24 EST by Adam Mariš
Modified: 2017-04-05 00:54 EDT

Last Closed: 2017-01-16 01:30:18 EST
Attachments: None
Description Adam Mariš 2017-01-04 06:24:07 EST
A stack-based buffer overflow vulnerability was found in libtiff when running tiffsplit on a crafted TIFF file.

Reproducer:

https://github.com/asarubbo/poc/blob/master/00104-libtiff-stackoverflow-_TIFFVGetField

CVE assignment:

http://seclists.org/oss-sec/2017/q1/10

Reference:

https://blogs.gentoo.org/ago/2017/01/01/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c/
Comment 1 Adam Mariš 2017-01-04 09:20:04 EST
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1410123]
Comment 2 Adam Mariš 2017-01-04 09:20:10 EST
Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1410124]
Affects: epel-7 [bug 1410125]
Comment 6 Huzaifa S. Sidhpurwala 2017-01-16 01:30:18 EST

*** This bug has been marked as a duplicate of bug 1294417 ***
Comment 8 Carl Song 2017-03-28 11:17:29 EDT
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> 
> *** This bug has been marked as a duplicate of bug 1294417 ***

What is the reasoning behind this decision? Bug 1294417 references CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in libtiff 4.0.7.
Comment 9 Huzaifa S. Sidhpurwala 2017-04-03 01:49:36 EDT
(In reply to carl_song from comment #8)
> (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > 
> > *** This bug has been marked as a duplicate of bug 1294417 ***
> 
> What is the reasoning behind this decision? Bug 1294417 references
> CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> libtiff 4.0.7.

CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
Comment 10 Carl Song 2017-04-03 14:04:51 EDT
(In reply to Huzaifa S. Sidhpurwala from comment #9)
> (In reply to carl_song from comment #8)
> > (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > > 
> > > *** This bug has been marked as a duplicate of bug 1294417 ***
> > 
> > What is the reasoning behind this decision? Bug 1294417 references
> > CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> > libtiff 4.0.7.
> 
> CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.

If it's not fixed, why are the relevant tickets closed? Is there ongoing effort to remediate this vulnerability and how are you tracking it?
Comment 11 Huzaifa S. Sidhpurwala 2017-04-03 23:39:34 EDT
(In reply to carl_song from comment #10)
> (In reply to Huzaifa S. Sidhpurwala from comment #9)
> > (In reply to carl_song from comment #8)
> > > (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > > > 
> > > > *** This bug has been marked as a duplicate of bug 1294417 ***
> > > 
> > > What is the reasoning behind this decision? Bug 1294417 references
> > > CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> > > libtiff 4.0.7.
> > 
> > CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
> 
> If it's not fixed, why are the relevant tickets closed? Is there ongoing
> effort to remediate this vulnerability and how are you tracking it?

I am not sure if I understand your question. This bug (CVE-2016-10095) is marked as a duplicate of CVE-2015-7554, which was fixed:

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html in rhel-6
Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html in rhel-7
Comment 12 Carl Song 2017-04-04 11:40:26 EDT
(In reply to Huzaifa S. Sidhpurwala from comment #11)
> (In reply to carl_song from comment #10)
> > (In reply to Huzaifa S. Sidhpurwala from comment #9)
> > > (In reply to carl_song from comment #8)
> > > > (In reply to Huzaifa S. Sidhpurwala from comment #6)
> > > > > 
> > > > > *** This bug has been marked as a duplicate of bug 1294417 ***
> > > > 
> > > > What is the reasoning behind this decision? Bug 1294417 references
> > > > CVE-2015-7554 which affects libtiff 4.0.6. This vulnerability was found in
> > > > libtiff 4.0.7.
> > > 
> > > CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
> > 
> > If it's not fixed, why are the relevant tickets closed? Is there ongoing
> > effort to remediate this vulnerability and how are you tracking it?
> 
> I am not sure if i understand your question. This bug (CVE-2016-10095) is
> marked as duplicate of CVE-2015-7554, which was fixed:
> 
> Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html in
> rhel-6
> Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html in
> rhel-7

In consecutive statements you said:
1) CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7
2) CVE-2015-7554 was fixed

Which one is true?
Comment 13 Huzaifa S. Sidhpurwala 2017-04-05 00:54:41 EDT
(In reply to Carl Song from comment #12)

> > > > CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7.
> > > 
> > > If it's not fixed, why are the relevant tickets closed? Is there ongoing
> > > effort to remediate this vulnerability and how are you tracking it?
> > 
> > I am not sure if i understand your question. This bug (CVE-2016-10095) is
> > marked as duplicate of CVE-2015-7554, which was fixed:
> > 
> > Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html in
> > rhel-6
> > Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html in
> > rhel-7
> 
> In consecutive statements you said:
> 1) CVE-2015-7554 was not fixed in 4.0.6 and it got rediscovered in 4.0.7
> 2) CVE-2015-7554 was fixed
> 
> Which one is true?

Both :)

4.0.6 and 4.0.7 are upstream version numbers, we backport the patches to the versions shipped in Red Hat Enterprise Linux.

So even though upstream may not have fixed CVE-2015-7554 in 4.0.6, or later in 4.0.7 either, we backported the fix to the versions we ship.

So our versions are fixed; I am not sure about the upstream versions here.
