Bug 791607 - (CVE-2012-5581) VUL-0: CVE-2012-5581: libtiff: Stack based buffer overflow when handling DOTRANGE tags
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: maint:released:sle11-sp1:50697 maint:...
Depends on:
Blocks:
Reported: 2012-11-28 08:13 UTC by Sebastian Krahmer
Modified: 2013-11-07 12:55 UTC (History)
CC List: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
more backport-friendly patch (2.21 KB, patch)
2012-11-30 12:16 UTC, Petr Gajdos

Description Sebastian Krahmer 2012-11-28 08:13:41 UTC
Via OSS-sec:

Date: Wed, 28 Nov 2012 11:16:14 +0530
From: Huzaifa Sidhpurwala
To: oss-security


Hi All,

I found a stack-based buffer overflow in the way libtiff handled
DOTRANGE tags. An attacker could use this flaw to create a specially-
crafted TIFF file that, when opened, would cause an application linked
against libtiff to crash or, possibly, execute arbitrary code.

This issue is fixed in libtiff-4.0.2

We have assigned CVE-2012-5581 to this issue.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=867235
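The description above names the bug class (a file-controlled tag count copied into a fixed-size stack buffer) but not the check that prevents it. The following is an added example, not libtiff code and not the attached patch: it shows the defensive pattern of validating a "pair" tag's count before copying its values into a two-element buffer. The tag number 336 (DotRange) and type code 3 (SHORT) are real TIFF constants; the `tag_entry` struct, the `fetch_short_pair` function and the sample byte strings are simplified, constructed assumptions for illustration.

```c
/* Added example (not libtiff's code): bound an attacker-controlled tag
 * count before its values are copied into a fixed-size stack buffer.
 * TIFF "pair" tags such as DotRange (336), PageNumber (297) and
 * HalftoneHints (321) carry exactly two values; the count field in a
 * directory entry comes straight from the file and must be checked. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TAG_DOTRANGE 336   /* real TIFF tag number for DotRange */
#define TIFF_SHORT   3     /* real TIFF type code for 16-bit unsigned */

/* Simplified directory entry (assumption; the on-disk layout differs). */
struct tag_entry {
    uint16_t tag;
    uint16_t type;
    uint32_t count;        /* file-controlled: never trust it */
    const uint8_t *data;   /* 'count' little-endian 16-bit values */
    size_t data_len;       /* bytes actually available after 'data' */
};

/* Returns 1 and fills out[0..1] when the entry is a well-formed pair;
 * returns 0 and leaves 'out' untouched otherwise. The count check is the
 * mitigation: without it, a count of 3 or more would write past the
 * two-element buffer the caller supplies, which is the stack overflow
 * class the advisory describes. */
int fetch_short_pair(const struct tag_entry *e, uint16_t out[2])
{
    if (e->type != TIFF_SHORT)
        return 0;
    if (e->count != 2) {
        fprintf(stderr, "tag %u: unexpected count %u, expected 2; ignored\n",
                (unsigned)e->tag, (unsigned)e->count);
        return 0;
    }
    if (e->data_len < 2 * sizeof(uint16_t))
        return 0;          /* truncated file: value bytes missing */
    for (int i = 0; i < 2; i++)
        out[i] = (uint16_t)(e->data[2 * i] | (e->data[2 * i + 1] << 8));
    return 1;
}

/* Constructed sample value bytes (not taken from any real file). */
static const uint8_t pair_bytes[]   = { 0x00, 0x00, 0xff, 0x00 };       /* {0, 255} */
static const uint8_t triple_bytes[] = { 0x01, 0x00, 0x02, 0x00, 0x03, 0x00 };

/* Well-formed DotRange with count 2: returns the second value (255),
 * or -1 if the entry was rejected. */
int demo_wellformed(void)
{
    struct tag_entry e = { TAG_DOTRANGE, TIFF_SHORT, 2, pair_bytes, sizeof pair_bytes };
    uint16_t v[2] = { 0, 0 };
    return fetch_short_pair(&e, v) ? v[1] : -1;
}

/* Oversized count 3: returns 1 if the entry was rejected and the
 * caller's buffer stayed untouched. */
int demo_oversized(void)
{
    struct tag_entry e = { TAG_DOTRANGE, TIFF_SHORT, 3, triple_bytes, sizeof triple_bytes };
    uint16_t v[2] = { 0xAAAA, 0xAAAA };
    int ok = fetch_short_pair(&e, v);
    return !ok && v[0] == 0xAAAA && v[1] == 0xAAAA;
}

/* Count 2 but only two value bytes present: returns 1 if rejected. */
int demo_truncated(void)
{
    struct tag_entry e = { TAG_DOTRANGE, TIFF_SHORT, 2, pair_bytes, 2 };
    uint16_t v[2] = { 0, 0 };
    return fetch_short_pair(&e, v) == 0;
}

int main(void)
{
    printf("well-formed: %d, oversized rejected: %d, truncated rejected: %d\n",
           demo_wellformed(), demo_oversized(), demo_truncated());
    return 0;
}
```

The point of the pattern is that the destination size is fixed by the tag's semantics (two values), so the only safe input is a count of exactly two; anything else is logged and dropped rather than copied, and the available byte length is checked separately so a truncated file cannot cause an over-read.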
Comment 1 Petr Gajdos 2012-11-30 12:16:50 UTC
Created attachment 515249
more backport-friendly patch

Hope there is no change in regard to what the patch does.
Comment 2 Petr Gajdos 2012-11-30 12:17:29 UTC
(In reply to comment #1)
> Created an attachment (id=515249)
> more backport-friendly patch

Based on 

https://bugzilla.redhat.com/attachment.cgi?id=640578&action=diff
Comment 3 Petr Gajdos 2012-12-03 13:28:07 UTC
Affected versions: 12.2 has 4.0.2, so no update needed. Affected are at least 12.1, 11sp1 and 10sp3. 9sp3 has tiff 3.6.2 and different code there, so I cannot confirm so far that it needs to be patched.
Comment 4 Petr Gajdos 2012-12-03 13:52:52 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=867235#c11

It seems that the offending code in 9sp3's tiff 3.6.2 doesn't handle PAGENUMBER, HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE specially, so 9sp3 seems not to be affected, am I right?
Comment 5 Petr Gajdos 2012-12-03 13:58:20 UTC
(It would be nice to have that crasher Huzaifa in the rh bug refers to.)
Comment 6 Petr Gajdos 2012-12-03 14:30:27 UTC
(In reply to comment #4)
> https://bugzilla.redhat.com/show_bug.cgi?id=867235#c11
> 
> It seems that the offending code in 9sp3's tiff 3.6.2 doesn't handle PAGENUMBER,
> HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE specially, so 9sp3 seems not to be
> affected, am I right?

I assume that's correct. If you don't think so, please provide more details about the change, at least how the stack overflow happens and how it is fixed by the provided patch; a test case, which exists, would also be welcome. I didn't find this information in the rh bug.
Comment 8 Petr Gajdos 2012-12-13 07:24:45 UTC
Needinfo provided by personal mail.
Comment 9 Petr Gajdos 2012-12-13 08:02:07 UTC
Unfortunately tiff2ps on the reproducer does lead to %%EOF without any crash for 12.1's 3.9.5.
Comment 10 Huzaifa Sidhpurwala 2012-12-13 09:58:58 UTC
Try tiffinfo -D
Comment 11 Petr Gajdos 2012-12-13 10:29:47 UTC
Much better, thanks!
Comment 12 Petr Gajdos 2012-12-13 10:30:03 UTC
9sp3 is not affected.
Comment 13 Petr Gajdos 2013-01-08 14:05:31 UTC
9sp3:  sr#23375
10sp3: sr#23376
11:    sr#23377

openSUSE: mr#147545
Comment 19 Petr Gajdos 2013-01-08 14:48:50 UTC
New mr#147552.
Comment 20 Bernhard Wiedemann 2013-01-10 14:00:52 UTC
This is an autogenerated message for OBS integration:
This bug (791607) was mentioned in
https://build.opensuse.org/request/show/147919 Evergreen:11.2 / tiff
Comment 21 Swamp Workflow Management 2013-01-24 19:05:02 UTC
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, tiff, tiff-debuginfo, tiff-debugsource
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 22 Swamp Workflow Management 2013-01-24 21:18:06 UTC
Update released for: libtiff, libtiff-32bit, libtiff-64bit, libtiff-devel, libtiff-devel-32bit, libtiff-devel-64bit, libtiff-x86, tiff, tiff-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 23 Swamp Workflow Management 2013-01-24 22:05:13 UTC
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 24 Swamp Workflow Management 2013-01-24 22:14:02 UTC
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, libtiff3-x86, tiff, tiff-debuginfo, tiff-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 25 Marcus Meissner 2013-01-25 08:12:26 UTC
all released
Comment 26 Bernhard Wiedemann 2013-05-23 06:00:51 UTC
This is an autogenerated message for OBS integration:
This bug (791607) was mentioned in
https://build.opensuse.org/request/show/176384 Evergreen:11.2 / tiff
Comment 27 Swamp Workflow Management 2013-11-07 12:55:58 UTC
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)