Bug 952131 - (CVE-2013-1961) CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with malformed image-length and resolution
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20130502,reported=2...
Keywords: Security
Depends On: 958609 958610 1063460 1063461 1063464 1063465
Blocks: 994449
Reported: 2013-04-15 05:25 EDT by Huzaifa S. Sidhpurwala
Modified: 2016-03-04 06:03 EST (History)
Doc Type: Bug Fix
Last Closed: 2014-02-27 14:31:59 EST
Attachments
patch against 4.0 CVS head (51.82 KB, patch)
2013-04-16 14:01 EDT, Tom Lane
patch against 3.9 branch head (will work for 3.9.7) (51.93 KB, patch)
2013-04-16 14:02 EDT, Tom Lane

Description Huzaifa S. Sidhpurwala 2013-04-15 05:25:02 EDT
A stack-based buffer overflow was found in the way tiff2pdf, a TIFF image to PDF document conversion tool of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed a write of TIFF image content into a particular PDF document file when malformed image-length and resolution values are used in the TIFF file. A remote attacker could provide a specially crafted TIFF image format file that, when processed by tiff2pdf, would lead to a crash of the tiff2pdf executable.

Acknowledgements:

Red Hat would like to thank Emmanuel Bouillon (NCI Agency) for reporting this issue.
Comment 1 Huzaifa S. Sidhpurwala 2013-04-15 05:41:31 EDT
Here is the affected code (in tiff2pdf.c):

4148         buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);


t2p->pdf_imagelength is calculated as
(float)(t2p->tiff_length))*PS_UNIT_SIZE/t2p->pdf_yres

This results in a very large number; the size of the buffer is 16, and this results in a stack-based buffer overflow in the variable "buffer".

RHEL-6 and Fedora builds are compiled with FORTIFY_SOURCE, which results in the crash being limited to DoS and no arbitrary code execution here.
Comment 7 Tom Lane 2013-04-16 14:00:40 EDT
I believe the best response to this is to go on a search-and-destroy mission and change basically all uses of sprintf() to snprintf() in libtiff.  Attached are patches to do that.
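The two comments above describe the defect (comment 1: "%.4f" of a value computed from length * PS_UNIT_SIZE / yres written with sprintf() into a 16-byte stack buffer) and the fix (comment 7: replace sprintf() with snprintf()). The following C program is an added illustration and is not code from libtiff or from either commenter. It reproduces the quoted formula under assumed names (media_extent, required_width, format_bounded; PS_UNIT_SIZE = 72 is an assumption), measures how many characters "%.4f" would emit for a sane and for a malformed input, and shows the bounded formatting with the return-value check that a mechanical sprintf-to-snprintf swap still needs.

```c
#include <stdio.h>
#include <string.h>

/* Assumed names (not libtiff's own): a 16-byte scratch buffer of the size
 * the report gives, and the point-size formula quoted in comment 1,
 * length * PS_UNIT_SIZE / yres. PS_UNIT_SIZE = 72 is an assumption. */
#define BUFLEN 16
#define PS_UNIT_SIZE 72.0F

/* Mirror of the quoted formula: a near-zero resolution makes the result huge. */
float media_extent(unsigned long tiff_length, float yres)
{
    return ((float)tiff_length) * PS_UNIT_SIZE / yres;
}

/* Number of characters "%.4f" produces for value (excluding the NUL).
 * Anything >= BUFLEN here is exactly what overflows the original buffer. */
int required_width(double value)
{
    return snprintf(NULL, 0, "%.4f", value);
}

/* Bounded replacement for the sprintf() call in the report. Returns the
 * count written, or -1 when the value would not fit; the buffer is then
 * left empty rather than holding a silently truncated number. */
int format_bounded(char *buf, size_t buflen, double value)
{
    int n = snprintf(buf, buflen, "%.4f", value);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buffer[BUFLEN];
    /* Constructed inputs: a plausible image, and a malformed one with an
     * absurd image length and a near-zero vertical resolution. */
    float sane = media_extent(1000UL, 300.0F);
    float malformed = media_extent(0xFFFFFFFFUL, 0.0001F);

    printf("sane value needs %d chars, buffer holds %d\n",
           required_width(sane), BUFLEN - 1);
    printf("malformed value needs %d chars, buffer holds %d\n",
           required_width(malformed), BUFLEN - 1);

    if (format_bounded(buffer, sizeof buffer, sane) >= 0)
        printf("formatted: %s\n", buffer);
    if (format_bounded(buffer, sizeof buffer, malformed) < 0)
        printf("malformed value rejected instead of overflowing the stack\n");
    return 0;
}
```

The original line stores sprintf()'s return value in buflen and presumably uses it afterwards; snprintf() returns the length the full output would have had, not what was written, so a call that swaps one for the other without comparing the result against the buffer size fixes the overflow but can still pass a wrong length downstream. That comparison is the part of the fix worth reviewing in the attached patches.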
Comment 8 Tom Lane 2013-04-16 14:01:47 EDT
Created attachment 736471 [details]
patch against 4.0 CVS head
Comment 9 Tom Lane 2013-04-16 14:02:40 EDT
Created attachment 736472 [details]
patch against 3.9 branch head (will work for 3.9.7)
Comment 12 Huzaifa S. Sidhpurwala 2013-04-16 23:57:15 EDT
This issue has been assigned CVE-2013-1961
Comment 14 Huzaifa S. Sidhpurwala 2013-05-01 23:57:01 EDT
Created libtiff tracking bugs for this issue

Affects: fedora-all [bug 958609]
Comment 15 Huzaifa S. Sidhpurwala 2013-05-01 23:57:05 EDT
Created mingw-libtiff tracking bugs for this issue

Affects: fedora-all [bug 958610]
Comment 16 Huzaifa S. Sidhpurwala 2013-05-02 00:29:51 EDT
Public via:

http://seclists.org/oss-sec/2013/q2/254
Comment 17 Tom Lane 2013-05-02 10:45:34 EDT
Patches pushed to upstream CVS.
Comment 18 Fedora Update System 2013-05-13 21:23:29 EDT
libtiff-4.0.3-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2013-05-18 22:40:07 EDT
libtiff-3.9.7-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 errata-xmlrpc 2014-02-27 13:34:02 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0223 https://rhn.redhat.com/errata/RHSA-2014-0223.html
Comment 23 errata-xmlrpc 2014-02-27 13:35:28 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0222 https://rhn.redhat.com/errata/RHSA-2014-0222.html
Comment 24 Vincent Danen 2014-02-27 14:31:59 EST
Statement:

(none)