Bug 867235 (CVE-2012-5581) - CVE-2012-5581 libtiff: Stack-based buffer overflow when reading a tiled tiff file
Summary: CVE-2012-5581 libtiff: Stack-based buffer overflow when reading a tiled tiff ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5581
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 880907 885308 885309 885310 885311 889443
Blocks: 837581
TreeView+ depends on / blocked
 
Reported: 2012-10-17 06:13 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-05-13 00:54 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-21 09:00:39 UTC
Embargoed:


Attachments (Terms of Use)
proposed patch (13.43 KB, patch)
2012-11-08 05:20 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1590 0 normal SHIPPED_LIVE Moderate: libtiff security update 2012-12-19 02:06:23 UTC

Description Huzaifa S. Sidhpurwala 2012-10-17 06:13:21 UTC
A stack-based buffer overflow was found in the way libtiff handled DOTRANGE tags. An attacker could use this flaw to create a specially-crafted TIFF file 
that, when opened, would cause an application linked against libtiff to crash 
or, possibly, execute arbitrary code. 

This issue is fixed in libtiff-4.0.2

Comment 6 Tom Lane 2012-10-30 16:23:34 UTC
(In reply to comment #5)
> Yeah.  I see that libtiff 4.0.x has completely rewritten the special cases
> for DOTRANGE, but it's not clear whether that dodges this problem or not --

Turns out that indeed 4.0.3 does not crash.  It looks like these upstream commits were specifically intended to repair this type of problem:

2012-06-06 00:56:01  fwarmerdam

	* ChangeLog, libtiff/tif_dir.c: avoid special handling of
	PAGENUMBER, HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE in
	non-image directories

2012-06-06 02:06:20  fwarmerdam

	* ChangeLog, libtiff/tif_print.c: improve handling of PAGENUMBER,
	HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE

2012-06-08 01:15:21  fwarmerdam

	* ChangeLog, libtiff/tif_print.c: avoid pretty printing values
	without proper rawdata

I'm not sure about the backwards compatibility implications if we apply these patches --- it seems at least theoretically possible that some apps out there are expecting the original behavior of GetField/SetField.  On the other hand, it's unclear that there is any way to fix this crash without a behavioral change.

Comment 11 Huzaifa S. Sidhpurwala 2012-11-08 05:19:28 UTC
I backported the following upstream change and that seems to fix the crash.

2012-06-06 00:56:01  fwarmerdam

	* ChangeLog, libtiff/tif_dir.c: avoid special handling of
	PAGENUMBER, HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE in
	non-image directories

Comment 12 Huzaifa S. Sidhpurwala 2012-11-08 05:20:18 UTC
Created attachment 640578 [details]
proposed patch

Comment 14 Kurt Seifried 2012-11-28 05:56:38 UTC
Acknowledgements:

This issue was discovered by Huzaifa S. Sidhpurwala of Red Hat Security Response Team.

Comment 15 Huzaifa S. Sidhpurwala 2012-11-28 06:12:37 UTC
Created libtiff tracking bugs for this issue

Affects: fedora-all [bug 880907]

Comment 17 Tom Lane 2012-12-11 00:28:37 UTC
FWIW, I'm not terribly sure that this patch won't result in any application compatibility problems.  However, the only apparent alternative is to leave the bug unfixed, which is even less attractive.

The saving grace is that the case where an application might have a compatibility problem would be where it had special-case code to handle DotRange or one of the other "weird" TIFF tags whose behavior has been simplified by the patch. Such applications are probably very few and far between, since these tags are little-used.

Comment 20 errata-xmlrpc 2012-12-18 21:10:38 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1590 https://rhn.redhat.com/errata/RHSA-2012-1590.html

Comment 21 Huzaifa S. Sidhpurwala 2012-12-21 08:56:23 UTC
Created mingw-libtiff tracking bugs for this issue

Affects: fedora-all [bug 889443]

Comment 22 Fedora Update System 2012-12-31 03:24:09 UTC
libtiff-3.9.7-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2012-12-31 03:27:52 UTC
libtiff-3.9.7-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2013-01-12 00:27:40 UTC
libtiff-4.0.3-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.