Bugzilla – Bug 817573
VUL-0: libtiff: CVE-2013-1960: Heap-based buffer overflow in t2_process_jpeg_strip()
Last modified: 2013-11-07 12:55:29 UTC
EMBARGOED:

Hello vendors,

Two issues related to tiff2pdf (part of libtiff) were reported to us. We have assigned CVE-2013-1960 and CVE-2013-1961 to these issues. Proposed un-embargo date is 01-May-2013.

Please mail me, if you need more details.

Thanks!

Regards,
Huzaifa Sidhpurwala / Red Hat Security Response Team.

----------8<--------

Asked for patches.
The SWAMPID for this issue is 52304. This issue was rated as moderate. Please submit fixed packages until 2013-05-13. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
bugbot adjusting priority
I wonder what for is for example following hunk: case 0x23: - sprintf(buffer, "#%.2X", name[i]); + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); buffer[sizeof(buffer) - 1] = '\0'; written += t2pWriteFile(output, (tdata_t) buffer, 3); break;
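Review bot: In case 0x23 the return value of the new snprintf() call is discarded while t2pWriteFile() is still told to write exactly 3 bytes, so the bound adds no protection unless buffer is a real array of at least 4 bytes in this scope; the declaration is not part of the hunk, and if buffer were a pointer, sizeof(buffer) would give the pointer size rather than the allocation size. Either check that snprintf() returned 3 before writing, or pass its return value (clamped to sizeof(buffer) - 1) as the write length. The retained buffer[sizeof(buffer) - 1] = '\0'; is redundant after snprintf(), which always NUL-terminates when the size is non-zero. The "%.2X" conversion expects an unsigned int, and the type of name[i] is not visible here; casting it to unsigned char would guarantee exactly two hex digits.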
Now public via oss-security:

Date: Thu, 02 May 2013 09:30:26 +0530
From: Huzaifa Sidhpurwala
Subject: [oss-security] Two libtiff (tiff2pdf flaws)

Hi all,

Two flaws were reported to us in tiff2pdf utility shipped with the libtiff library. Details as follows:

1. CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with malformed image-length and resolution

A stack-based buffer overflow was found in the way tiff2pdf, a TIFF image to a PDF document conversion tool, of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed write of TIFF image content into particular PDF document file, when malformed image-length and resolution values are used in the TIFF file. A remote attacker could provide a specially-crafted TIFF image format file, that when processed by tiff2pdf would lead to tiff2pdf executable crash.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=952131

2. CVE-2013-1960 libtiff (tiff2pdf): Heap-based buffer overflow in t2_process_jpeg_strip()

A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF image to a PDF document conversion tool, of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed write of TIFF image content into particular PDF document file, in the tp_process_jpeg_strip() function. A remote attacker could provide a specially-crafted TIFF image format file, that when processed by tiff2pdf would lead to tiff2pdf executable crash or, potentially, arbitrary code execution with the privileges of the user running the tiff2pdf binary.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=952158

The enclosed bugs contain the relevant patches.
Created attachment 537636 [details] CVE-2013-1961: patch against 3.9 branch head (will work for 3.9.7)
Created attachment 537637 [details] CVE-2013-1961: patch against 4.0 CVS head
Created attachment 537638 [details] CVE-2013-1960: patch against 3.8.2
Created attachment 537639 [details] CVE-2013-1960: patch against CVS head (works for 3.9 too)
CVE-2013-1961 will be tracked in bug#818117.
(In reply to comment #7)
> Created an attachment (id=537637) [details]
> CVE-2013-1961: patch against 4.0 CVS head

(In reply to comment #9)
> Created an attachment (id=537639) [details]
> CVE-2013-1960: patch against CVS head (works for 3.9 too)

Uff. These two fortunately haven't changed, they are part of the patch from comment 1. Please note I am still working on the port to older releases.
openSUSE: mr#174391
(In reply to comment #4) > I wonder what for is for example following hunk: > > case 0x23: > - sprintf(buffer, "#%.2X", name[i]); > + snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); > buffer[sizeof(buffer) - 1] = '\0'; > written += t2pWriteFile(output, (tdata_t) buffer, 3); > break; https://bugzilla.redhat.com/show_bug.cgi?id=952131#c7 explains it. So I used the same method while porting, even if it doesn't make sense imho :-].
I used:
  patch from comment 1 for factory, 12.3, 12.2 and 12.1
  part of patch from comment 1 relevant to CVE-2013-1961 for 11, 10sp3, 9sp3
  patch from comment 8 (CVE-2013-1960 part) for 11, 10sp3, 9sp3
Reassigning to security team for future processing.
This is an autogenerated message for OBS integration: This bug (817573) was mentioned in https://build.opensuse.org/request/show/174392 Factory / tiff
This is an autogenerated message for OBS integration: This bug (817573) was mentioned in https://build.opensuse.org/request/show/175544 Maintenance /
Update released for: libtiff, tiff Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, tiff, tiff-debuginfo, tiff-debugsource Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: libtiff, libtiff-32bit, libtiff-64bit, libtiff-devel, libtiff-devel-32bit, libtiff-devel-64bit, libtiff-x86, tiff, tiff-debuginfo Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, libtiff3-x86, tiff, tiff-debuginfo, tiff-debugsource Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
This is an autogenerated message for OBS integration: This bug (817573) was mentioned in https://build.opensuse.org/request/show/176109 Evergreen:11.2 / tiff
openSUSE-SU-2013:0812-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 817573,818117 CVE References: CVE-2013-1960,CVE-2013-1961 Sources used: openSUSE 12.1 (src): tiff-3.9.5-8.17.1
openSUSE-SU-2013:0812-2: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 817573,818117 CVE References: CVE-2013-1960,CVE-2013-1961 Sources used: openSUSE 12.2 (src): tiff-4.0.2-1.16.1
This is an autogenerated message for OBS integration: This bug (817573) was mentioned in https://build.opensuse.org/request/show/176384 Evergreen:11.2 / tiff
released
openSUSE-SU-2013:0922-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 817573,818117 CVE References: CVE-2013-1960,CVE-2013-1961 Sources used: openSUSE 11.4 (src): tiff-3.9.4-38.1
openSUSE-SU-2013:0944-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 817573,818117 CVE References: CVE-2013-1960,CVE-2013-1961 Sources used: openSUSE 12.3 (src): tiff-4.0.3-2.4.1
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo Products: SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)