Bug 952131 (CVE-2013-1961) - CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with malformed image-length and resolution
Summary: CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with malformed ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-1961
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 958609 958610 1063460 1063461 1063464 1063465
Blocks: 994449
Reported: 2013-04-15 09:25 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-05-11 22:14 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-27 19:31:59 UTC
Embargoed:


Attachments
patch against 4.0 CVS head (51.82 KB, patch)
2013-04-16 18:01 UTC, Tom Lane
patch against 3.9 branch head (will work for 3.9.7) (51.93 KB, patch)
2013-04-16 18:02 UTC, Tom Lane


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0222 0 normal SHIPPED_LIVE Moderate: libtiff security update 2014-02-27 23:33:36 UTC
Red Hat Product Errata RHSA-2014:0223 0 normal SHIPPED_LIVE Moderate: libtiff security update 2014-02-27 23:33:30 UTC

Description Huzaifa S. Sidhpurwala 2013-04-15 09:25:02 UTC
A stack-based buffer overflow was found in the way tiff2pdf, a TIFF image to PDF document conversion tool of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed the write of TIFF image content into a particular PDF document file when malformed image-length and resolution values are used in the TIFF file. A remote attacker could provide a specially-crafted TIFF image format file that, when processed by tiff2pdf, would lead to a tiff2pdf executable crash.

Acknowledgements:

Red Hat would like to thank Emmanuel Bouillon (NCI Agency) for reporting this issue.

Comment 1 Huzaifa S. Sidhpurwala 2013-04-15 09:41:31 UTC
Here is the affected code (in tiff2pdf.c):

4148         buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);

t2p->pdf_imagelength is calculated as
((float)(t2p->tiff_length))*PS_UNIT_SIZE/t2p->pdf_yres

This results in a very large number; sizeof the buffer = 16, and this results in a stack-based buffer overflow in the variable "buffer".

RHEL-6 and Fedora builds are compiled with FORTIFY_SOURCE, which results in the crash being limited to DoS and no arbitrary code execution here.

Comment 7 Tom Lane 2013-04-16 18:00:40 UTC
I believe the best response to this is to go on a search-and-destroy mission and change basically all uses of sprintf() to snprintf() in libtiff.  Attached are patches to do that.
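The following is an added example, not code from libtiff or from the attached patches. It puts the length calculation and the 16-byte sprintf() target quoted in Comment 1 next to the snprintf() form that Comment 7 proposes, so the overflow condition can be checked on realistic values without executing an out-of-bounds write. PS_UNIT_SIZE (72 points per inch) and the buffer size are taken from the comments above; the function names, the sample TIFF length and the resolution values are assumptions constructed for the example.

```c
/* Added example (not libtiff code): sprintf() vs. snprintf() for the
 * "%.4f" mediabox coordinate discussed in CVE-2013-1961. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

#define PS_UNIT_SIZE    72.0F  /* PostScript points per inch, as in tiff2pdf.c */
#define MEDIABOX_BUFLEN 16     /* size of the stack buffer the bug overflows */

/* Mirror of the expression quoted in Comment 1: image length in points.
 * A tiny pdf_yres (from a malformed resolution tag) makes this huge. */
static float t2p_image_length_points(unsigned long tiff_length, float pdf_yres)
{
    return ((float)tiff_length) * PS_UNIT_SIZE / pdf_yres;
}

/* Vulnerable shape: sprintf() writes however many bytes "%.4f" needs.
 * Instead of calling it, compute how many bytes it *would* write, so the
 * overflow can be reasoned about without triggering undefined behaviour. */
static int bytes_sprintf_would_write(float value)
{
    return snprintf(NULL, 0, "%.4f", value) + 1; /* +1 for the terminating NUL */
}

/* Hardened shape (what the snprintf() conversion buys): the write is bounded
 * and the return value tells the caller the length that was required, so a
 * value that does not fit is rejected as malformed input rather than written. */
static bool format_mediabox_coord(char *buf, size_t buflen, float value, int *outlen)
{
    int n = snprintf(buf, buflen, "%.4f", value);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';      /* would have overflowed: emit nothing */
        return false;
    }
    *outlen = n;
    return true;
}

int main(void)
{
    /* Constructed inputs: a 600-row image at a sane 72 dpi, then the same
     * image with an absurdly small y-resolution as a malformed file would carry. */
    float sane = t2p_image_length_points(600, 72.0F);    /* 600.0000 */
    float huge = t2p_image_length_points(600, 1e-30F);   /* ~4.32e34 */
    char buf[MEDIABOX_BUFLEN];
    int n = 0;

    printf("sane value needs %d bytes, buffer is %d\n",
           bytes_sprintf_would_write(sane), MEDIABOX_BUFLEN);
    printf("malformed value needs %d bytes, buffer is %d\n",
           bytes_sprintf_would_write(huge), MEDIABOX_BUFLEN);
    printf("snprintf form accepts sane: %s\n",
           format_mediabox_coord(buf, sizeof buf, sane, &n) ? "yes" : "no");
    printf("snprintf form accepts malformed: %s\n",
           format_mediabox_coord(buf, sizeof buf, huge, &n) ? "yes" : "no");
    return 0;
}
```

The second printf line is the whole bug in one number: with sprintf() the 40-plus bytes of the malformed value land on a 16-byte stack array, which is exactly what FORTIFY_SOURCE aborts on in the RHEL and Fedora builds, while the snprintf() form reports the required length and lets the converter fail cleanly.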

Comment 8 Tom Lane 2013-04-16 18:01:47 UTC
Created attachment 736471 [details]
patch against 4.0 CVS head

Comment 9 Tom Lane 2013-04-16 18:02:40 UTC
Created attachment 736472 [details]
patch against 3.9 branch head (will work for 3.9.7)

Comment 12 Huzaifa S. Sidhpurwala 2013-04-17 03:57:15 UTC
This issue has been assigned CVE-2013-1961

Comment 14 Huzaifa S. Sidhpurwala 2013-05-02 03:57:01 UTC
Created libtiff tracking bugs for this issue

Affects: fedora-all [bug 958609]

Comment 15 Huzaifa S. Sidhpurwala 2013-05-02 03:57:05 UTC
Created mingw-libtiff tracking bugs for this issue

Affects: fedora-all [bug 958610]

Comment 16 Huzaifa S. Sidhpurwala 2013-05-02 04:29:51 UTC
Public via:

http://seclists.org/oss-sec/2013/q2/254

Comment 17 Tom Lane 2013-05-02 14:45:34 UTC
Patches pushed to upstream CVS.

Comment 18 Fedora Update System 2013-05-14 01:23:29 UTC
libtiff-4.0.3-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2013-05-19 02:40:07 UTC
libtiff-3.9.7-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 errata-xmlrpc 2014-02-27 18:34:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0223 https://rhn.redhat.com/errata/RHSA-2014-0223.html

Comment 23 errata-xmlrpc 2014-02-27 18:35:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0222 https://rhn.redhat.com/errata/RHSA-2014-0222.html

Comment 24 Vincent Danen 2014-02-27 19:31:59 UTC
Statement:

(none)
