Bug 817573 - VUL-0: libtiff: CVE-2013-1960: Heap-based buffer overflow in t2_process_jpeg_strip()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority / Severity: P3 - Medium / Normal
Assigned To: Security Team bot
maint:released:sle11-sp1:52356 maint:...
Reported: 2013-04-29 06:22 UTC by Sebastian Krahmer
Modified: 2013-11-07 12:55 UTC (History)

Attachments
CVE-2013-1961: patch against 3.9 branch head (will work for 3.9.7) (51.93 KB, patch), 2013-05-02 08:55 UTC, Alexander Bergmann
CVE-2013-1961: patch against 4.0 CVS head (51.82 KB, patch), 2013-05-02 08:56 UTC, Alexander Bergmann
CVE-2013-1960: patch against 3.8.2 (5.05 KB, patch), 2013-05-02 08:57 UTC, Alexander Bergmann
CVE-2013-1960: patch against CVS head (works for 3.9 too) (5.26 KB, patch), 2013-05-02 08:59 UTC, Alexander Bergmann

Description Sebastian Krahmer 2013-04-29 06:22:40 UTC
EMBARGOED:

Hello vendors,

Two issues related to tiff2pdf (part of libtiff) were reported
to us. We have assigned CVE-2013-1960 and CVE-2013-1961 to
these issues. Proposed un-embargo date is 01-May-2013.

Please mail me if you need more details.

Thanks!

Regards,

Huzaifa Sidhpurwala / Red Hat Security Response Team.


----------8<--------

Asked for patches.
Comment 2 Swamp Workflow Management 2013-04-29 08:41:47 UTC
The SWAMPID for this issue is 52304.
This issue was rated as moderate.
Please submit fixed packages until 2013-05-13.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Swamp Workflow Management 2013-04-29 22:00:14 UTC
bugbot adjusting priority
Comment 4 Petr Gajdos 2013-05-02 07:33:12 UTC
I wonder what, for example, the following hunk is for:

    case 0x23:
-    sprintf(buffer, "#%.2X", name[i]);
+    snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
     buffer[sizeof(buffer) - 1] = '\0';
     written += t2pWriteFile(output, (tdata_t) buffer, 3);
     break;
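Review bot: the `%.2X` conversion specifies a minimum of two hex digits, not a maximum, so this line still depends on `name[i]` promoting to a non-negative `int`; if `name` is a plain `char` array and the byte has its high bit set, sign extension yields up to eight digits, which is how the old `sprintf` could overrun `buffer` and what the `snprintf` bound now stops. The bound only truncates, though, and the following `t2pWriteFile(output, (tdata_t) buffer, 3)` then emits a wrong escape; casting the argument to `(unsigned char)` makes the output exactly three characters for every byte, and with that in place the `buffer[sizeof(buffer) - 1] = '\0';` line is redundant, since `snprintf` always terminates for a non-zero size.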
Comment 5 Alexander Bergmann 2013-05-02 07:40:41 UTC
Now public via oss-security:

Date: Thu, 02 May 2013 09:30:26 +0530
From: Huzaifa Sidhpurwala
Subject: [oss-security] Two libtiff (tiff2pdf flaws)

Hi all,

Two flaws were reported to us in tiff2pdf utility shipped with the
libtiff library. Details as follows:

1. CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with
malformed image-length and resolution

A stack-based buffer overflow was found in the way tiff2pdf, a TIFF
image to PDF document conversion tool of libtiff, a library of
functions for manipulating TIFF (Tagged Image File Format) image format
files, performed writes of TIFF image content into a particular PDF
document file when malformed image-length and resolution values are
used in the TIFF file. A remote attacker could provide a specially
crafted TIFF image format file that, when processed by tiff2pdf, would
lead to a tiff2pdf executable crash.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=952131

2. CVE-2013-1960 libtiff (tiff2pdf): Heap-based buffer overflow in
t2_process_jpeg_strip()

A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF
image to PDF document conversion tool of libtiff, a library of
functions for manipulating TIFF (Tagged Image File Format) image format
files, performed writes of TIFF image content into a particular PDF
document file, in the t2_process_jpeg_strip() function. A remote
attacker could provide a specially crafted TIFF image format file that,
when processed by tiff2pdf, would lead to a tiff2pdf executable crash or,
potentially, arbitrary code execution with the privileges of the user
running the tiff2pdf binary.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=952158

The enclosed bugs contain the relevant patches.
Comment 6 Alexander Bergmann 2013-05-02 08:55:57 UTC
Created attachment 537636 [details]
CVE-2013-1961: patch against 3.9 branch head (will work for 3.9.7)
Comment 7 Alexander Bergmann 2013-05-02 08:56:53 UTC
Created attachment 537637 [details]
CVE-2013-1961: patch against 4.0 CVS head
Comment 8 Alexander Bergmann 2013-05-02 08:57:49 UTC
Created attachment 537638 [details]
CVE-2013-1960: patch against 3.8.2
Comment 9 Alexander Bergmann 2013-05-02 08:59:17 UTC
Created attachment 537639 [details]
CVE-2013-1960: patch against CVS head (works for 3.9 too)
Comment 10 Alexander Bergmann 2013-05-02 09:32:20 UTC
CVE-2013-1961 will be tracked in bug#818117.
Comment 11 Petr Gajdos 2013-05-02 11:34:00 UTC
(In reply to comment #7)
> Created an attachment (id=537637) [details]
> CVE-2013-1961: patch against 4.0 CVS head

(In reply to comment #9)
> Created an attachment (id=537639) [details]
> CVE-2013-1960: patch against CVS head (works for 3.9 too)

Uff. These two fortunately haven't changed; they are part of the patch from comment 1. Please note I am still working on the port to older releases.
Comment 13 Petr Gajdos 2013-05-03 08:02:49 UTC
openSUSE: mr#174391
Comment 14 Petr Gajdos 2013-05-03 08:08:39 UTC
(In reply to comment #4)
> I wonder what, for example, the following hunk is for:
> 
>     case 0x23:
> -    sprintf(buffer, "#%.2X", name[i]);
> +    snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
>      buffer[sizeof(buffer) - 1] = '\0';
>      written += t2pWriteFile(output, (tdata_t) buffer, 3);
>      break;

https://bugzilla.redhat.com/show_bug.cgi?id=952131#c7

explains it. So I used the same method while porting, even if it doesn't make sense imho :-].
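The behaviour behind the hunk Petr asks about, as an added example that is not libtiff's code: `%.2X` sets a minimum of two hex digits, so a byte with its high bit set, promoted to a negative `int`, formats as nine characters and overruns a small buffer under `sprintf`; the bounded `snprintf` of the patch stops the overrun but silently truncates the escape, and a cast to `unsigned char` gives the intended three-character output. The buffer size (4 bytes), the function names and the input byte are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libtiff code: why the sprintf -> snprintf change in the
 * tiff2pdf hunk matters. "%.2X" is a MINIMUM of two hex digits, not a maximum.
 * A signed char with its high bit set is promoted to a negative int before the
 * conversion, so the unbounded sprintf emits "#FFFFFFAB" (9 chars plus NUL)
 * instead of "#AB". Buffer size and function names are assumptions. */

enum { ESC_BUF = 4 };   /* constructed size: room for "#AB" plus NUL */

/* Characters the conversion produces, i.e. what sprintf would have written. */
int hex_escape_len(signed char c) {
    return snprintf(NULL, 0, "#%.2X", c);
}

/* Mirrors the patched hunk: bounded write, then the (redundant) terminator.
 * No overflow, but a high-bit byte is truncated to "#FF": wrong but safe. */
size_t hex_escape_bounded(char *buf, size_t bufsz, signed char c) {
    snprintf(buf, bufsz, "#%.2X", c);
    buf[bufsz - 1] = '\0';
    return strlen(buf);
}

/* Corrected variant: convert through unsigned char so the promoted value is
 * 0..255 and the output is always exactly three characters. */
size_t hex_escape_fixed(char *buf, size_t bufsz, signed char c) {
    snprintf(buf, bufsz, "#%.2X", (unsigned char)c);
    return strlen(buf);
}

int main(void) {
    char buf[ESC_BUF];
    signed char high = (signed char)0xAB;   /* constructed input byte */

    printf("sprintf length for 'A'  : %d\n", hex_escape_len('A'));
    printf("sprintf length for 0xAB : %d (overflows a %d-byte buffer)\n",
           hex_escape_len(high), ESC_BUF);
    hex_escape_bounded(buf, sizeof buf, high);
    printf("bounded (hunk)          : %s\n", buf);
    hex_escape_fixed(buf, sizeof buf, high);
    printf("unsigned cast           : %s\n", buf);
    return 0;
}
```

The length probe uses `snprintf(NULL, 0, ...)`, which returns the number of characters the conversion would produce without writing anything; that is the same count the original `sprintf` would have pushed into the buffer.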
Comment 15 Petr Gajdos 2013-05-03 08:11:43 UTC
I used:
patch from comment 1 for factory, 12.3, 12.2 and 12.1
part of patch from comment 1 relevant to CVE-2013-1961 for 11, 10sp3, 9sp3
patch from comment 8 (CVE-2013-1960 part) for 11, 10sp3, 9sp3
Comment 16 Petr Gajdos 2013-05-03 08:13:09 UTC
Reassigning to security team for future processing.
Comment 17 Bernhard Wiedemann 2013-05-03 09:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (817573) was mentioned in
https://build.opensuse.org/request/show/174392 Factory / tiff
Comment 19 Bernhard Wiedemann 2013-05-14 10:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (817573) was mentioned in
https://build.opensuse.org/request/show/175544 Maintenance /
Comment 20 Swamp Workflow Management 2013-05-15 14:04:28 UTC
Update released for: libtiff, tiff
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 21 Swamp Workflow Management 2013-05-15 14:04:52 UTC
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, tiff, tiff-debuginfo, tiff-debugsource
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 22 Swamp Workflow Management 2013-05-15 16:10:27 UTC
Update released for: libtiff, libtiff-32bit, libtiff-64bit, libtiff-devel, libtiff-devel-32bit, libtiff-devel-64bit, libtiff-x86, tiff, tiff-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 23 Swamp Workflow Management 2013-05-15 16:34:38 UTC
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, libtiff3-x86, tiff, tiff-debuginfo, tiff-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 24 Swamp Workflow Management 2013-05-15 17:04:39 UTC
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 25 Bernhard Wiedemann 2013-05-20 04:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (817573) was mentioned in
https://build.opensuse.org/request/show/176109 Evergreen:11.2 / tiff
Comment 26 Swamp Workflow Management 2013-05-21 14:04:29 UTC
openSUSE-SU-2013:0812-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 817573,818117
CVE References: CVE-2013-1960,CVE-2013-1961
Sources used:
openSUSE 12.1 (src):    tiff-3.9.5-8.17.1
Comment 27 Swamp Workflow Management 2013-05-21 15:04:34 UTC
openSUSE-SU-2013:0812-2: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 817573,818117
CVE References: CVE-2013-1960,CVE-2013-1961
Sources used:
openSUSE 12.2 (src):    tiff-4.0.2-1.16.1
Comment 28 Bernhard Wiedemann 2013-05-23 06:00:58 UTC
This is an autogenerated message for OBS integration:
This bug (817573) was mentioned in
https://build.opensuse.org/request/show/176384 Evergreen:11.2 / tiff
Comment 29 Alexander Bergmann 2013-05-23 11:07:47 UTC
released
Comment 30 Swamp Workflow Management 2013-06-10 09:20:10 UTC
openSUSE-SU-2013:0922-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 817573,818117
CVE References: CVE-2013-1960,CVE-2013-1961
Sources used:
openSUSE 11.4 (src):    tiff-3.9.4-38.1
Comment 31 Swamp Workflow Management 2013-06-10 10:13:11 UTC
openSUSE-SU-2013:0944-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 817573,818117
CVE References: CVE-2013-1960,CVE-2013-1961
Sources used:
openSUSE 12.3 (src):    tiff-4.0.3-2.4.1
Comment 32 Swamp Workflow Management 2013-11-07 12:55:29 UTC
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)