Bugzilla – Bug 990460
VUL-1: CVE-2016-6223: tiff: Out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
Last modified: 2020-07-27 02:06:51 UTC
Created attachment 685425 [details]
reproducer from original reporter

Information leak in LibTIFF, specifically in the file libtiff/tif_read.c. The vulnerability allows an attacker to specify a negative index into the file-content buffer and copy data from that position until the end of the buffer. This will allow an attacker to crash the process by accessing unmapped memory and (depending on how LibTIFF is used) might also allow an attacker to leak sensitive information.

The issue is fixed in CVS HEAD with the commit:

revision 1.49
date: 2016-07-10 20:00:21 +0200; author: erouault; state: Exp; lines: +6 -3; commitid: YhOZoKv5OA9gNNdz;
* libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond tmsize_t max value (reported by Mathias Svensson)

https://github.com/vadz/libtiff/commit/0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496

The attached reproducer file is from the original reporter.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1356867
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6223
http://seclists.org/oss-sec/2016/q3/67
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6223.html
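The comment above describes the mechanism (a strip offset that turns into a negative index after the cast to the signed tmsize_t, followed by a copy from that position to the end of the mapping) and the commit message names the fix (reject offsets beyond tmsize_t max). The block below is an added example, not libtiff's code and not from the bug reporter: a self-contained C model of the bounds computation in TIFFReadRawStrip1() for memory-mapped files, in a pre-fix and a post-fix form, fed with constructed offset/size/file-size numbers so the failure mode can be stepped through without a crafted TIFF. The function and struct names, the 4096-byte "file" and the 64-byte underrun are this example's own; the same pattern is what the commit applies to TIFFReadRawTile1() as well.

```c
/*
 * Added example (not libtiff's code): model of the strip-offset bounds check
 * in TIFFReadRawStrip1() for memory-mapped files, before and after the
 * CVE-2016-6223 fix. libtiff keeps strip offsets and byte counts as uint64
 * read straight from the file, while the mapped size and the copy index are
 * the signed tmsize_t; an offset >= 2^63 cast to tmsize_t becomes negative.
 * Names and sample values below are this example's own assumptions.
 *
 * Build: cc -std=c99 -Wall -Wextra cve_2016_6223_model.c -o model
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t tmsize_t;              /* libtiff's signed size type */
#define TMSIZE_T_MAX INT64_MAX

/* accepted means memcpy(buf, tif_base + start, len) would be performed;
 * start can be negative in the vulnerable variant. */
struct range_check {
    bool     accepted;
    tmsize_t start;
    tmsize_t len;
};

/* Tail shared by both variants: the mb/n computation as the pre-fix code
 * had it. mb is added in unsigned arithmetic so this model has no signed
 * overflow UB; the (mb < ma) test is what catches a wrap. */
static struct range_check finish_check(tmsize_t ma, tmsize_t size,
                                       tmsize_t tif_size, bool offset_rejected)
{
    struct range_check r = { false, 0, 0 };
    tmsize_t mb = (tmsize_t)((uint64_t)ma + (uint64_t)size);
    tmsize_t n;

    if (offset_rejected || ma > tif_size)
        n = 0;
    else if ((mb < ma) || (mb < size) || (mb > tif_size))
        n = tif_size - ma;             /* for ma < 0 this exceeds tif_size */
    else
        n = size;

    if (n != size)                     /* libtiff reports a read error here */
        return r;
    r.accepted = true;
    r.start = ma;
    r.len = size;
    return r;
}

/* Pre-fix: the uint64 offset is cast before any comparison, so an offset
 * >= 2^63 is negative by the time "ma > tif_size" runs and is never
 * rejected. (The out-of-range cast wraps on gcc/clang.) */
static struct range_check check_vulnerable(uint64_t stripoffset, tmsize_t size,
                                           tmsize_t tif_size)
{
    tmsize_t ma = (tmsize_t)stripoffset;
    return finish_check(ma, size, tif_size, false);
}

/* Post-fix: compare the offset against TMSIZE_T_MAX while it is still
 * unsigned, as the 4.0.7 commit message describes, before any cast. */
static struct range_check check_fixed(uint64_t stripoffset, tmsize_t size,
                                      tmsize_t tif_size)
{
    bool too_large = stripoffset > (uint64_t)TMSIZE_T_MAX;
    tmsize_t ma = too_large ? 0 : (tmsize_t)stripoffset;
    return finish_check(ma, size, tif_size, too_large);
}

/* Constructed scenario following the description in this bug: offset
 * 2^64 - UNDERRUN (negative after the cast) with byte count
 * FILE_SIZE + UNDERRUN, so n == size and the pre-fix code accepts a copy
 * that starts UNDERRUN bytes before the mapping and runs to its end. */
#define FILE_SIZE 4096
#define UNDERRUN  64

static bool vulnerable_accepts_underrun(void)
{
    uint64_t offset = UINT64_MAX - (UNDERRUN - 1);   /* 2^64 - UNDERRUN */
    struct range_check r = check_vulnerable(offset, FILE_SIZE + UNDERRUN, FILE_SIZE);
    return r.accepted && r.start == -UNDERRUN && r.start + r.len == FILE_SIZE;
}

static bool fixed_rejects_underrun(void)
{
    uint64_t offset = UINT64_MAX - (UNDERRUN - 1);
    return !check_fixed(offset, FILE_SIZE + UNDERRUN, FILE_SIZE).accepted;
}

/* A well-formed strip must still be readable after the fix. */
static bool fixed_accepts_valid_strip(void)
{
    struct range_check r = check_fixed(1024, 512, FILE_SIZE);
    return r.accepted && r.start == 1024 && r.len == 512;
}

int main(void)
{
    printf("pre-fix accepts negative offset:  %s\n", vulnerable_accepts_underrun() ? "yes" : "no");
    printf("post-fix rejects negative offset: %s\n", fixed_rejects_underrun() ? "yes" : "no");
    printf("post-fix accepts valid strip:     %s\n", fixed_accepts_valid_strip() ? "yes" : "no");
    return 0;
}
```

The interesting detail the model makes visible is why the pre-fix code accepts the read at all: with a negative ma, n becomes tif_size - ma, which is larger than the file, and the attacker only has to set the strip byte count to exactly that value for the n != size error path to be skipped. The post-fix check is the one that belongs at a signedness boundary: test the untrusted uint64 against the signed type's maximum before converting, rather than relying on comparisons made after the conversion.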
bugbot adjusting priority
This was fixed in 4.0.7.

TW,15,12: already fixed by the version update

Not sure what the command should be, but tried tiffcp, tiffinfo -D and tiff2rgba. No valgrind error observed.

$ valgrind -q tiffcp -i CVE-2016-6223.tiff out.tiff
CVE-2016-6223.tiff: Warning, Nonstandard tile length 559038849, convert file.
TIFFFetchDirectory: Can not read TIFF directory count.
TIFFReadDirectory: Failed to read directory at offset 3203334144.
$

It allocates a lot of memory (0.5G), however this is bug 1003874.

For 3.8.2, I do not see any issue at all running the testcase. The calculation is different there and, provided we have no testcase that would exhibit the issue, I would consider it not affected.
Will submit the rpm changelog adjustment for: 15/tiff and 12/tiff.
I believe all fixed.
SUSE-SU-2018:4008-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017693,1054594,1115717,990460
CVE References: CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src): tiff-4.0.9-5.20.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): tiff-4.0.9-5.20.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): tiff-4.0.9-5.20.1
SUSE Linux Enterprise Module for Basesystem 15 (src): tiff-4.0.9-5.20.1
openSUSE-SU-2018:4053-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017693,1054594,1115717,990460
CVE References: CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Sources used:
openSUSE Leap 15.0 (src): tiff-4.0.9-lp150.4.12.1
SUSE-SU-2018:4191-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017693,1054594,1115717,990460
CVE References: CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): tiff-4.0.9-44.30.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): tiff-4.0.9-44.30.1
SUSE Linux Enterprise Server 12-SP4 (src): tiff-4.0.9-44.30.1
SUSE Linux Enterprise Server 12-SP3 (src): tiff-4.0.9-44.30.1
SUSE Linux Enterprise Desktop 12-SP4 (src): tiff-4.0.9-44.30.1
SUSE Linux Enterprise Desktop 12-SP3 (src): tiff-4.0.9-44.30.1
openSUSE-SU-2018:4256-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017693,1054594,1115717,990460
CVE References: CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Sources used:
openSUSE Leap 42.3 (src): tiff-4.0.9-43.1
released