Bug 1326246 (CVE-2016-3990) - CVE-2016-3990 libtiff: out-of-bounds write in horizontalDifference8()
Summary: CVE-2016-3990 libtiff: out-of-bounds write in horizontalDifference8()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3990
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1299920 1299921 1335098 1335099
Blocks: 1316881
TreeView+ depends on / blocked
 
Reported: 2016-04-12 09:00 UTC by Andrej Nemec
Modified: 2019-09-29 13:46 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-24 08:35:09 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1546 0 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 20:59:03 UTC
Red Hat Product Errata RHSA-2016:1547 0 normal SHIPPED_LIVE Important: libtiff security update 2016-08-02 20:39:45 UTC

Description Andrej Nemec 2016-04-12 09:00:12 UTC
An out-of-bounds write flaw was found in libtiff v4.0.6 when using tiffcp command to handle malicious tiff file. The vulnerability exists in function horizontalDifference8()
An attacker could control the head data of next heap which contains pre_size field and size filed to result in DoS or potential code execution.

Vulnerable code:


Source info

============
1082           wp += n + stride - 1;     /* point to last one */
1083           ip += n + stride - 1;       /* point to last one */
1084           n -= stride;
1085           while (n > 0) {
1086              REPEAT(stride, wp[0] = CLAMP(ip[0]);
1087                            wp[stride] -= wp[0];
1088                            wp[stride] &= mask;
1089                            wp--; ip--)
1090              n -= stride;
1091           }
1092           REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)

References:

http://seclists.org/oss-sec/2016/q2/57


Upstream bug:

http://bugzilla.maptools.org/show_bug.cgi?id=2544

Comment 2 errata-xmlrpc 2016-08-02 16:41:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html

Comment 3 errata-xmlrpc 2016-08-02 17:01:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html

Comment 4 Even Rouault 2016-08-04 09:24:34 UTC
It would have been good to attach your patch to the upstream bug instead of letting libtiff maintainers to dig into the .src.rpm


Note You need to log in before you can comment on or make changes to this bug.