Bug 1609400 – CVE-2018-14373 libtiff: NULL dereference in TIFFFindField in tif_dirinfo.c

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1609400 - (CVE-2018-14373) CVE-2018-14373 libtiff: NULL dereference in TIFFFindField in tif_dirinfo.c

Summary:	CVE-2018-14373 libtiff: NULL dereference in TIFFFindField in tif_dirinfo.c

Status:	CLOSED NOTABUG

Aliases:	CVE-2018-14373

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20180716,reported=2...
Keywords:	Security

Depends On:	1609401 1609404 1609402 1609405
Blocks:	1609415
	Show dependency tree / graph

Reported:	2018-07-27 17:54 EDT by Laura Pardo
Modified:	2018-08-09 04:35 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-08-09 04:35:57 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Laura Pardo 2018-07-27 17:54:33 EDT

An issue was discovered in LibTIFF 4.0.9. In TIFFFindField in tif_dirinfo.c, the structure tif is being dereferenced without first checking that the structure is not empty and has the requested fields (tif_foundfield). In the call sequences following from the affected library functions (TIFFVGetField, TIFFVGetFieldDefaulted, TIFFVStripSize, TIFFScanlineSize, TIFFTileSize, TIFFGetFieldDefaulted, and TIFFGetField), this sanitization of the tif structure is never being done and, hence, using them with an invalid or empty tif structure will trigger a buffer overflow, leading to a crash.


References:
http://bugzilla.maptools.org/show_bug.cgi?id=2801

Comment 1 Laura Pardo 2018-07-27 17:55:06 EDT

Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1609402]


Created mingw-libtiff tracking bugs for this issue:

Affects: epel-7 [bug 1609404]
Affects: fedora-all [bug 1609401]

Comment 3 Riccardo Schirone 2018-08-09 04:35:57 EDT

CVE rejected https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14373

Note You need to log in before you can comment on or make changes to this bug.