Bugzilla – Full Text Bug Listing
Summary: VUL-0: CVE-2012-5581: libtiff: Stack based buffer overflow when handling DOTRANGE tags
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Priority: P3 - Medium
CC: meissner, pgajdos, security-team, sidhpurwala.huzaifa
Whiteboard: maint:released:sle11-sp1:50697 maint:released:sle10-sp4:50700 maint:released:sle11-sp2:50698 maint:running:54578:moderate maint:released:sle10-sp3:54792
Found By: ---
Services Priority:
Marketing QA Status: ---
IT Deployment: ---
Attachments: more backport-friendly patch
Description Sebastian Krahmer 2012-11-28 08:13:41 UTC
Via OSS-sec:

Date: Wed, 28 Nov 2012 11:16:14 +0530
From: Huzaifa Sidhpurwala
To: oss-security

Hi All,

I found a stack-based buffer overflow in the way libtiff handled DOTRANGE tags. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.

This issue is fixed in libtiff-4.0.2

We have assigned CVE-2012-5581 to this issue.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=867235
Comment 1 Petr Gajdos 2012-11-30 12:16:50 UTC
Created attachment 515249 [details]
more backport-friendly patch

Hope there is no change in regard to what the patch does.
Comment 2 Petr Gajdos 2012-11-30 12:17:29 UTC
(In reply to comment #1)
> Created an attachment (id=515249) [details]
> more backport-friendly patch

Based on https://bugzilla.redhat.com/attachment.cgi?id=640578&action=diff
Comment 3 Petr Gajdos 2012-12-03 13:28:07 UTC
Affected versions: 12.2 has 4.0.2, so no update needed. Affected are at least 12.1, 11sp1 and 10sp3. 9sp3 has tiff 3.6.2 and different code there, so I cannot confirm it needs to be patched so far.
Comment 4 Petr Gajdos 2012-12-03 13:52:52 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=867235#c11

It seems that the offending code in 9sp3's tiff 3.6.2 doesn't handle PAGENUMBER, HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE specially; 9sp3 seems not to be affected, am I right?
Comment 5 Petr Gajdos 2012-12-03 13:58:20 UTC
(It would be nice to have that crasher Huzaifa in the rh bug refers to.)
Comment 6 Petr Gajdos 2012-12-03 14:30:27 UTC
(In reply to comment #4)
> https://bugzilla.redhat.com/show_bug.cgi?id=867235#c11
>
> It seems that offended code in 9sp3's tiff 3.6.2 doesn't handle PAGENUMBER,
> HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE specially 9sp3 seems not to be
> affected, am I right?

I assume that's correct. If you don't think so, please provide more details about the change, at least how the stack overflow happens and how it is fixed by the provided patch; a test case, which exists, would also be welcome. I didn't find this information in the rh bug.
Comment 8 Petr Gajdos 2012-12-13 07:24:45 UTC
Needinfo provided by personal mail.
Comment 9 Petr Gajdos 2012-12-13 08:02:07 UTC
Unfortunately, tiff2ps on the reproducer leads to %%EOF without any crash on 12.1's 3.9.5.
Comment 10 Huzaifa Sidhpurwala 2012-12-13 09:58:58 UTC
Try tiffinfo -D
Comment 11 Petr Gajdos 2012-12-13 10:29:47 UTC
Much better, thanks!
Comment 12 Petr Gajdos 2012-12-13 10:30:03 UTC
9sp3 is not affected.
Comment 13 Petr Gajdos 2013-01-08 14:05:31 UTC
9sp3: sr#23375
10sp3: sr#23376
11: sr#23377
openSUSE: mr#147545
Comment 19 Petr Gajdos 2013-01-08 14:48:50 UTC
Comment 20 Bernhard Wiedemann 2013-01-10 14:00:52 UTC
This is an autogenerated message for OBS integration:
This bug (791607) was mentioned in
https://build.opensuse.org/request/show/147919 Evergreen:11.2 / tiff
Comment 21 Swamp Workflow Management 2013-01-24 19:05:02 UTC
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, tiff, tiff-debuginfo, tiff-debugsource
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 22 Swamp Workflow Management 2013-01-24 21:18:06 UTC
Update released for: libtiff, libtiff-32bit, libtiff-64bit, libtiff-devel, libtiff-devel-32bit, libtiff-devel-64bit, libtiff-x86, tiff, tiff-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 23 Swamp Workflow Management 2013-01-24 22:05:13 UTC
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 24 Swamp Workflow Management 2013-01-24 22:14:02 UTC
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, libtiff3-x86, tiff, tiff-debuginfo, tiff-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 25 Marcus Meissner 2013-01-25 08:12:26 UTC
Comment 26 Bernhard Wiedemann 2013-05-23 06:00:51 UTC
This is an autogenerated message for OBS integration:
This bug (791607) was mentioned in
https://build.opensuse.org/request/show/176384 Evergreen:11.2 / tiff
Comment 27 Swamp Workflow Management 2013-11-07 12:55:58 UTC
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)