Bugzilla – Bug 791607
VUL-0: CVE-2012-5581: libtiff: Stack based buffer overflow when handling DOTRANGE tags
Last modified: 2013-11-07 12:55:58 UTC
Via OSS-sec:
Date: Wed, 28 Nov 2012 11:16:14 +0530
From: Huzaifa Sidhpurwala
To: oss-security

Hi All,

I found a stack-based buffer overflow in the way libtiff handled DOTRANGE tags. An attacker could use this flaw to create a specially crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.

This issue is fixed in libtiff-4.0.2.

We have assigned CVE-2012-5581 to this issue.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=867235
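The report above describes the bug class but not its shape. The following is an added example, written for this page and not taken from libtiff or from any of the patches attached to this bug: a self-contained C model of what "a tag that should carry a pair of values is filled from a file-controlled count into a two-slot stack buffer" looks like, beside a variant that refuses any count other than two before copying. The tag number 336 (DotRange) and field type 3 (SHORT) are the real TIFF constants; everything else (the toy directory parser, the `frame_t` struct standing in for the stack frame, the `demo()` driver, the constructed minimal TIFF) is an assumption of this example. The hardened variant shows the kind of check that closes the hole; it does not reproduce the specific lines of the libtiff fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIFFTAG_DOTRANGE 336u   /* real TIFF tag number for DotRange */
#define TIFF_SHORT       3u     /* real TIFF field type: 16-bit unsigned */
#define CANARY_INIT      0xA5A5A5A5u

enum { RESULT_OK, RESULT_REJECTED, RESULT_OVERFLOW, RESULT_BADFILE };

/* One 12-byte classic-TIFF directory entry, decoded from disk (hypothetical model). */
typedef struct {
    uint16_t tag, type;
    uint32_t count;   /* number of values: comes straight from the file */
    uint32_t value;   /* the values themselves if they fit in 4 bytes, else a file offset */
} dir_entry;

/* Model of the callee's stack frame: the two-slot buffer a "pair" tag is expected
   to fill, followed by a canary standing in for whatever really lives beyond it. */
typedef struct {
    uint16_t v[2];
    uint32_t canary;
} frame_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t x) { p[0] = x & 0xff; p[1] = x >> 8; }
static void wr32(uint8_t *p, uint32_t x) { wr16(p, x & 0xffff); wr16(p + 2, x >> 16); }

/* Constructed input (not a real-world sample): a minimal little-endian TIFF whose
   single IFD holds one DOTRANGE entry of `count` SHORT values. Returns file length. */
static size_t build_tiff(uint8_t *buf, size_t cap, uint32_t count)
{
    size_t data_off = 8 + 2 + 12 + 4;          /* header, entry count, one entry, next-IFD link */
    size_t nbytes = (size_t)count * 2;
    size_t len = nbytes <= 4 ? data_off : data_off + nbytes;
    if (count == 0 || len > cap) return 0;
    memcpy(buf, "II", 2);  wr16(buf + 2, 42);  wr32(buf + 4, 8);
    wr16(buf + 8, 1);                          /* one directory entry */
    wr16(buf + 10, TIFFTAG_DOTRANGE);  wr16(buf + 12, TIFF_SHORT);  wr32(buf + 14, count);
    wr32(buf + 18, nbytes <= 4 ? 0 : (uint32_t)data_off);
    wr32(buf + 22, 0);                         /* no next IFD */
    uint8_t *dst = nbytes <= 4 ? buf + 18 : buf + data_off;
    for (uint32_t i = 0; i < count; i++)       /* 0x4444, 0x5555, ...: byte-order neutral */
        wr16(dst + 2 * i, (uint16_t)(0x1111 * (4 + i)));
    return len;
}

static const uint8_t *parse_first_entry(const uint8_t *f, size_t len, dir_entry *e)
{
    if (len < 8 || memcmp(f, "II", 2) != 0 || rd16(f + 2) != 42) return NULL;
    uint32_t ifd = rd32(f + 4);
    if (ifd > len || len - ifd < 2 + 12 || rd16(f + ifd) < 1) return NULL;
    const uint8_t *entry = f + ifd + 2;
    e->tag = rd16(entry);       e->type  = rd16(entry + 2);
    e->count = rd32(entry + 4); e->value = rd32(entry + 8);
    return entry;
}

/* Where the entry's SHORT values live; NULL if they would fall outside the file. */
static const uint8_t *short_data(const uint8_t *f, size_t len, const dir_entry *e,
                                 const uint8_t *entry)
{
    if (e->count > SIZE_MAX / 2) return NULL;
    size_t nbytes = (size_t)e->count * 2;
    if (nbytes <= 4) return entry + 8;                 /* inline in the value field */
    if (e->value > len || nbytes > len - e->value) return NULL;
    return f + e->value;
}

/* Vulnerable shape: trusts the file's count and copies that many SHORTs into a buffer
   sized for two. The clamp to sizeof(frame_t) exists only so this model stays
   well-defined and observable; the real pattern has no such bound. */
static int fetch_pair_unchecked(const uint8_t *f, size_t len, const dir_entry *e,
                                const uint8_t *entry, frame_t *fr)
{
    const uint8_t *src = short_data(f, len, e, entry);
    if (!src || e->type != TIFF_SHORT) return 0;
    size_t nbytes = (size_t)e->count * 2;
    memcpy(fr, src, nbytes > sizeof *fr ? sizeof *fr : nbytes);
    return 1;
}

/* Hardened shape: a pair tag must carry exactly two values; reject anything else
   before a single byte is copied. */
static int fetch_pair_checked(const uint8_t *f, size_t len, const dir_entry *e,
                              const uint8_t *entry, frame_t *fr)
{
    if (e->type != TIFF_SHORT || e->count != 2) return 0;
    return fetch_pair_unchecked(f, len, e, entry, fr);
}

/* Build a file with `count` DOTRANGE values, run one fetcher, report what happened. */
int demo(uint32_t count, int hardened)
{
    uint8_t file[128];
    frame_t fr = { {0, 0}, CANARY_INIT };
    dir_entry e;
    size_t len = build_tiff(file, sizeof file, count);
    const uint8_t *entry = len ? parse_first_entry(file, len, &e) : NULL;
    if (!entry || e.tag != TIFFTAG_DOTRANGE) return RESULT_BADFILE;
    int ok = hardened ? fetch_pair_checked(file, len, &e, entry, &fr)
                      : fetch_pair_unchecked(file, len, &e, entry, &fr);
    if (!ok) return RESULT_REJECTED;
    return fr.canary == CANARY_INIT ? RESULT_OK : RESULT_OVERFLOW;
}

int main(void)
{
    static const char *const names[] = { "ok", "rejected", "overflow", "bad file" };
    for (uint32_t count = 1; count <= 4; count++)
        printf("DOTRANGE count=%u  unchecked: %-9s checked: %s\n",
               count, names[demo(count, 0)], names[demo(count, 1)]);
    return 0;
}
```

With counts of 1 and 2 both fetchers behave; with 3 or 4 the unchecked copy runs past `v[]` and clobbers the canary, while the checked one refuses the entry. Note that the checked variant also rejects a count of 1: a pair tag with one value is malformed too, and "reject on any mismatch" is simpler to reason about than "accept if it fits".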
Created attachment 515249 [details]
more backport-friendly patch

Hope there is no change in regard to what the patch does.
(In reply to comment #1)
> Created an attachment (id=515249) [details]
> more backport-friendly patch

Based on https://bugzilla.redhat.com/attachment.cgi?id=640578&action=diff
Affected versions: 12.2 has 4.0.2, so no update is needed. Affected are at least 12.1, 11sp1 and 10sp3. 9sp3 has tiff 3.6.2 and the code there is different, so I cannot confirm yet whether it needs to be patched.
https://bugzilla.redhat.com/show_bug.cgi?id=867235#c11

It seems that the offending code in 9sp3's tiff 3.6.2 doesn't handle PAGENUMBER, HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE specially, so 9sp3 seems not to be affected. Am I right?
(It would be nice to have the crasher Huzaifa refers to in the rh bug.)
(In reply to comment #4)
> https://bugzilla.redhat.com/show_bug.cgi?id=867235#c11
>
> It seems that offended code in 9sp3's tiff 3.6.2 doesn't handle PAGENUMBER,
> HALFTONEHINTS, YCBCRSUBSAMPLING and DOTRANGE specially 9sp3 seems not to be
> affected, am I right?

I assume that's correct. If you don't think so, please provide more details about the change, at least how the stack overflow happens and how it is fixed by the provided patch; a test case, which exists, would also be welcome. I didn't find this information in the rh bug.
Needinfo provided by personal mail.
Unfortunately, tiff2ps on the reproducer leads to %%EOF without any crash on 12.1's 3.9.5.
Try tiffinfo -D
Much better, thanks!
9sp3 is not affected.
9sp3: sr#23375
10sp3: sr#23376
11: sr#23377
openSUSE: mr#147545
New mr#147552.
This is an autogenerated message for OBS integration: This bug (791607) was mentioned in https://build.opensuse.org/request/show/147919 Evergreen:11.2 / tiff
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, tiff, tiff-debuginfo, tiff-debugsource Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: libtiff, libtiff-32bit, libtiff-64bit, libtiff-devel, libtiff-devel-32bit, libtiff-devel-64bit, libtiff-x86, tiff, tiff-debuginfo Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, libtiff3-x86, tiff, tiff-debuginfo, tiff-debugsource Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
all released
This is an autogenerated message for OBS integration: This bug (791607) was mentioned in https://build.opensuse.org/request/show/176384 Evergreen:11.2 / tiff
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo Products: SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)