Bug 1177893 (CVE-2014-9330) - CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff
Summary: CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-9330
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1299918 1299919 1299920 1299921 1335098 1335099
Blocks: 1174883
TreeView+ depends on / blocked
 
Reported: 2014-12-31 06:19 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 05:52 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the bmp2tiff utility. By tricking a user into processing a specially crafted file, a remote attacker could exploit this flaw to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:37:17 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1546 0 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 20:59:03 UTC
Red Hat Product Errata RHSA-2016:1547 0 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 20:39:45 UTC

Description Huzaifa S. Sidhpurwala 2014-12-31 06:19:04 UTC 
An Out-of-bounds read flaw followed by a crash was found in the bmp2tiff utility (A utility used to create a TIFF file from a Microsoft Windows Device Independent Bitmap image file) shipped with libtiff. A remote attacker could provide a specially-crafted BMP (Bitmap Image) file that, when processed by bmp2tiff, would cause bmp2tiff to crash.

Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
Comment 1 Siddharth Sharma 2015-03-23 07:02:00 UTC 
Patch
=====

https://lists.debian.org/debian-release/2014/12/msg01782.html
Comment 2 Siddharth Sharma 2015-03-23 10:55:11 UTC 
Analysis
========

According to the file format specification of BMP

 * +---------------------+
 * | BMPFileHeader       |
 * +---------------------+
 * | BMPInfoHeader       |
 * +---------------------+
 * | BMPColorEntry array |
 * +---------------------+
 * | Colour-index array  |
 * +---------------------+

in the following code of bmp2tiff.c

struct {
...
    int32       iWidth;         /* Image width */
    int32       iHeight;        /* Image height. If positive, image has bottom
                                 * left origin, if negative --- top left. */
...
} BMPInfoHeader;

...
                if (bmp_type == BMPT_WIN4
                    || bmp_type == BMPT_WIN5
                    || bmp_type == BMPT_OS22) {
                        read(fd, &info_hdr.iWidth, 4);
...
#ifdef WORDS_BIGENDIAN
                        TIFFSwabLong((uint32*) &info_hdr.iWidth);

While reading the iWidth from BMPInfoHeader of malicious file, it does not check for the negative value of the iWidth in the following code. According to the file format specification of bmp iWidth should not be having negative value in it.

                width = info_hdr.iWidth;

Failing to sanitize the iWidth value initially and passing it to variable 'width' which is later used to encode or decode packedbits causes Out-of-bounds read flaw which leads to crash. In the libtiff only bmp2tiff seems to be having this flaw, so crash would occur only if bmp2tiff is being used by any application opening malicious file. Impact of this flaw is low
and it is bit complex to create such file.
Comment 3 Siddharth Sharma 2015-06-01 11:56:35 UTC 
Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in libtiff.
Comment 8 errata-xmlrpc 2016-08-02 16:40:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
Comment 9 errata-xmlrpc 2016-08-02 16:59:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html
Note You need to log in before you can comment on or make changes to this bug.