Bug 65115 (CVE-2004-1307)

Summary: VUL-0: CVE-2004-1307: libtiff heap-based buffer overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Vladimir Nadvornik <nadvornik>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-1307: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2005-01-24 18:58:58 UTC
Hello Vladimir,
we received the following mail from the CERT.
 
We are investigating reports of a vulnerability in the LibTIFF library 
concerning an integer overflow in the TIFFFetchStrip() routine that 
can lead to a heap-based buffer overflow. 
 
This issue is publicly documented at: 
 
   http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities 
   http://securitytracker.com/alerts/2004/Dec/1012651.html 
 
We have assigned the tracking number VU#539110 to this issue. 
 
Since this issue is public, we have already drafted a vulnerability 
note addressing it. The note is publicly available at: 
 
   http://www.kb.cert.org/vuls/id/539110 
 
iDEFENSE associates this issue with CAN-2004-1307 which doesn't contain any data.
 
However, the iDEFENSE advisory boils down to this part from Dmitry's patch:
 
@@ -62,9 +62,14 @@ 
 static void ChopUpSingleUncompressedStrip(TIFF*); 
 
 static char * 
-CheckMalloc(TIFF* tif, tsize_t n, const char* what) 
+CheckMalloc(TIFF* tif, size_t nmemb, size_t elem_size, const char* what) 
 { 
-       char *cp = (char*)_TIFFmalloc(n); 
+       char    *cp = NULL; 
+       tsize_t bytes = nmemb * elem_size; 
+ 
+       if (elem_size && bytes / elem_size == nmemb) 
+               cp = (char*)_TIFFmalloc(bytes); 
+ 
        if (cp == NULL) 
                TIFFError(tif->tif_name, "No space %s", what); 
        return (cp);
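Review bot: `bytes` is declared as the signed `tsize_t` while `nmemb` and `elem_size` are `size_t`, so the divide-back test `bytes / elem_size == nmemb` runs on a value that has already been narrowed and is then reinterpreted as unsigned for the division; a product that fits in `size_t` but not in `tsize_t` (on a 32-bit build, `nmemb = 0x20000000` with `elem_size = 4` gives `bytes = 0x80000000`) passes the check and a negative `tsize_t` is handed to `_TIFFmalloc()`. Suggest computing the product in a `size_t` temporary, rejecting any value above the positive range of `tsize_t`, and only then assigning and calling `_TIFFmalloc()`. The signature change from `(tif, n, what)` to `(tif, nmemb, elem_size, what)` also requires every caller of `CheckMalloc()` to be updated; those call sites are outside this hunk and should be checked in the full patch.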
Comment 1 Thomas Biege 2005-01-24 18:58:58 UTC
-
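The CERT mail above describes an element-count times element-size product wrapping before allocation, and the quoted patch adds a divide-back check. The following is an added illustration of that pattern and is not libtiff code: it models a 32-bit build (libtiff 3.x used a signed 32-bit tsize_t, and size_t is 32 bits wide there) with two assumed typedefs, shows the undersized allocation the unchecked product yields, and adds the range test for the signed type that the patched check lacks.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed model of a 32-bit build, not libtiff's own headers. */
typedef uint32_t model_size_t;   /* stands in for size_t  */
typedef int32_t  model_tsize_t;  /* stands in for tsize_t */

/* Pre-fix behaviour: the byte count is the raw product, which wraps
 * modulo 2^32, so a huge element count can yield a tiny buffer. */
model_tsize_t unchecked_bytes(model_size_t nmemb, model_size_t elem_size)
{
    return (model_tsize_t)(nmemb * elem_size);
}

/* Divide-back check in the style of the patched CheckMalloc(): if
 * (nmemb * elem_size) / elem_size is not nmemb, the product wrapped.
 * The extra range test rejects products that fit in size_t but not in
 * the signed tsize_t. Returns 1 and stores the count on success,
 * 0 on overflow or a zero element size. */
int checked_bytes(model_size_t nmemb, model_size_t elem_size,
                  model_tsize_t *out)
{
    model_size_t bytes = nmemb * elem_size;
    if (elem_size == 0 || bytes / elem_size != nmemb)
        return 0;                          /* product wrapped */
    if (bytes > (model_size_t)INT32_MAX)
        return 0;                          /* negative as tsize_t */
    *out = (model_tsize_t)bytes;
    return 1;
}

/* Allocation wrapper: NULL on overflow instead of an undersized buffer. */
void *checked_alloc(model_size_t nmemb, model_size_t elem_size)
{
    model_tsize_t bytes;
    if (!checked_bytes(nmemb, elem_size, &bytes))
        return NULL;
    return malloc((size_t)bytes);
}
```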
Comment 2 Marcus Meissner 2005-01-24 19:01:45 UTC
This is bug 59635, which we already fixed.

*** This bug has been marked as a duplicate of 59635 ***
Comment 3 Thomas Biege 2009-10-13 20:12:06 UTC
CVE-2004-1307: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)