Bug 781995 - (CVE-2012-4447) VUL-0: CVE-2012-4447: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp1:50697 maint:...
Depends on:
Blocks:
Reported: 2012-09-25 09:44 UTC by Sebastian Krahmer
Modified: 2013-11-07 12:55 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
new patch (proposal) (979 bytes, patch)
2012-11-07 08:28 UTC, Matthias Weckbecker
new patch (proposal) (1015 bytes, patch)
2012-11-07 11:51 UTC, Matthias Weckbecker
new patch 2 (proposal) (895 bytes, patch)
2012-11-22 15:05 UTC, Matthias Weckbecker
extended patch -- added hunk for PixarLogSetupEncode() (1.47 KB, text/plain)
2012-11-29 14:42 UTC, Petr Gajdos

Description Sebastian Krahmer 2012-09-25 09:44:43 UTC
public, via oss-sec:


I had a look at the libtiff-4.0.3 commit logs and found one issue which
seems to bring a possibility of heap-based buffer overflow when using a
tiff file with PixarLog compression format.

More details at:
https://bugzilla.redhat.com/show_bug.cgi?id=860198

Though memory overwrite outside the heap-buffer is only a few bytes, one
cannot really overwrite possible arbitrary code execution.

Can a CVE id be please assigned to the above flaw?

Found two other commits which seemed interesting, but I don't think
they could cause arbitrary code execution and I don't want to call
them security flaws.

1. OOB read crash tif_packbits.c
2. Memory not properly initialised in tif_fax3.c. Again this one was
partly fixed in 4.0.2 and completely fixed in 4.0.3

If anyone else wants to investigate these in more details, please be my
guest :)

Thanks!

--
Huzaifa Sidhpurwala / Red Hat Security Response Team
Comment 2 Petr Gajdos 2012-09-25 10:32:27 UTC
Should I start with update or should I wait for 

> 1. OOB read crash tif_packbits.c
> 2. Memory not properly initialised in tif_fax3.c. Again this one was

?
Comment 3 Sebastian Krahmer 2012-09-25 14:33:34 UTC
I think we can wait here. If anything comes round on the list,
we keep you updated. (needs CVE anyway)
Comment 4 Petr Gajdos 2012-09-25 14:39:55 UTC
okay, P4 for now
Comment 5 Swamp Workflow Management 2012-09-25 22:00:12 UTC
bugbot adjusting priority
Comment 6 Sebastian Krahmer 2012-09-26 06:37:46 UTC
The memory overwrite got CVE-2012-4447
Comment 7 Sebastian Krahmer 2012-09-26 06:58:00 UTC
BTW, I think their patch is broken and adds another hole since
the '+' can overflow inside malloc.
Posted to oss-sec.
Comment 8 Petr Gajdos 2012-10-09 05:26:42 UTC
Sebastian, do you know what's the progress here?
Comment 9 Sebastian Krahmer 2012-10-09 06:31:07 UTC
I mailed my concerns to oss-sec and upstream confirmed,
but no further info so far. I could either re-ping them
or we can fix the '+' ourselves.
Comment 10 Marcus Meissner 2012-11-02 15:55:55 UTC
I tried finding the source code repository, but failed :/
The CVS only results in "connection refused".

Do you have the url/link/repo?
Comment 11 Matthias Weckbecker 2012-11-06 14:12:47 UTC
Note: A different flaw than 787892 / CVE-2012-4564.
Comment 12 Matthias Weckbecker 2012-11-06 14:32:36 UTC
Original report and discussion:

  http://seclists.org/oss-sec/2012/q3/101
Comment 13 Matthias Weckbecker 2012-11-06 14:41:12 UTC
Affects: SLE11-SP{1,2} + SLE10-SP{3,4} + all SLE9.
Comment 14 Matthias Weckbecker 2012-11-07 08:28:58 UTC
Created attachment 512200
new patch (proposal)

Return 0 on overflow in addition. Should be OK as long as the multiplication
is guaranteed to not overflow.
Comment 15 Matthias Weckbecker 2012-11-07 11:51:14 UTC
Created attachment 512243
new patch (proposal)

Previous patch slightly revised
Comment 16 Sebastian Krahmer 2012-11-20 13:15:54 UTC
Patch should work, even if

tbuf_size > (INT_MAX - i_stride)

is the only check that makes sense in the if(). Since sp->stride
is uint16_t, i_stride could never be < 0, and tbuf_size + i_stride
is undefined anyway if the result doesn't fit in an int.

So, the if() check could be relaxed to "tbuf_size > (INT_MAX - i_stride)"
IMHO.
We should also fix it for the Encode case, there is a similar
alloc.
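The following is an added illustration of the allocation-size check discussed in comment 16; it is not the attached patch and not libtiff's own code. The helpers `checked_mul()` and `tbuf_alloc_size()` are hypothetical names chosen here, and the shape of the computation (stride × image width × rows per strip × sizeof(uint16_t), plus one stride of slack) is assumed from the discussion above. It shows why, with `stride` being a `uint16_t`, the only addition check that matters is `tbuf_size > INT_MAX - i_stride`, evaluated before the addition so the sum itself never overflows, and why "return 0 on overflow" is a workable error signal when the multiplication is already overflow-checked.

```c
/* Added example, not the attached patch or libtiff's code.
 * Overflow-checked computation of a PixarLog tile-buffer size,
 * following the check discussed in comment 16.  Names and the
 * exact size formula are assumptions for illustration. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Multiply two positive ints; return 0 if the product would not fit
 * in an int.  0 is never a valid buffer size here, so it doubles as
 * the error value ("return 0 on overflow"). */
static int checked_mul(int a, int b)
{
    if (a <= 0 || b <= 0)
        return 0;
    if (a > INT_MAX / b)          /* test before multiplying: a*b is UB if it overflows */
        return 0;
    return a * b;
}

/* Byte count for the tile buffer plus one stride of uint16_t slack.
 * stride is uint16_t, so i_stride = sizeof(uint16_t) * stride is never
 * negative and is at most 131070; a "< 0" test on it is dead code.
 * Because tbuf_size + i_stride is undefined if it overflows an int,
 * the comparison is done against INT_MAX - i_stride instead.
 * Returns 0 on any overflow, otherwise the size to allocate. */
int tbuf_alloc_size(uint16_t stride, uint32_t imagewidth, uint32_t rowsperstrip)
{
    int tbuf_size;
    int i_stride = (int)(sizeof(uint16_t) * stride);

    if (imagewidth > (uint32_t)INT_MAX || rowsperstrip > (uint32_t)INT_MAX)
        return 0;
    tbuf_size = checked_mul((int)stride, (int)imagewidth);
    tbuf_size = checked_mul(tbuf_size, (int)rowsperstrip);
    tbuf_size = checked_mul(tbuf_size, (int)sizeof(uint16_t));
    if (tbuf_size == 0)           /* multiplication overflowed (or a zero dimension) */
        return 0;
    if (tbuf_size > INT_MAX - i_stride)   /* the relaxed check from comment 16 */
        return 0;
    return tbuf_size + i_stride;  /* cannot overflow: checked above */
}

int main(void)
{
    /* Constructed inputs: a small image, and a product that fits in an int
     * but whose "+ stride" slack would not. */
    printf("small image: %d\n", tbuf_alloc_size(3, 100, 8));
    printf("addition would overflow: %d\n", tbuf_alloc_size(3, 357913941, 1));
    return 0;
}
```

The second sample input is the case the "+" concern in comment 7 is about: every multiplication stays within `INT_MAX`, so a multiply-only check passes, and only the pre-addition comparison catches it.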
Comment 17 Matthias Weckbecker 2012-11-22 15:03:38 UTC
(In reply to comment #16)
> Patch should work, even if
> 
> tbuf_size > (INT_MAX - i_stride)
> 
> is the only check that makes sense in the if(). Since sp->stride
> is uint16_t, i_stride could never be < 0, and tbuf_size + i_stride
> is undefined anyway if the result doesnt fit in an int.
> 

Oops. Taking a break and re-considering it I see it too now. I will relax
the condition.

[...]
> We should also fix it for the Encode case, there is a similar
> alloc.

Which function do you have in mind?
Comment 18 Matthias Weckbecker 2012-11-22 15:05:07 UTC
Created attachment 514212
new patch 2 (proposal)
Comment 19 Matthias Weckbecker 2012-11-22 15:11:48 UTC
Gna. That makes me mad now. I could have seen it myself in the first place. Of
course a multiplication of two unsigned operands can obviously not be < 0...
Comment 20 Sebastian Krahmer 2012-11-27 12:46:39 UTC
This patch is for PixarLogSetupDecode(), but the same alloc
could be fixed in PixarLogSetupEncode().
Comment 21 Petr Gajdos 2012-11-29 14:42:14 UTC
Created attachment 515082
extended patch -- added hunk for PixarLogSetupEncode()

Identical hunk for PixarLogSetupEncode() will work?
Comment 22 Petr Gajdos 2012-12-13 08:22:02 UTC
needinfo
Comment 23 Petr Gajdos 2012-12-13 10:31:49 UTC
This one remains to make tiff update prepared.
Comment 24 Petr Gajdos 2013-01-08 12:14:59 UTC
Ping :-).
Comment 25 Sebastian Krahmer 2013-01-08 12:41:42 UTC
yes, I think the patch is correct.

Should be CVE-2012-4447
Comment 26 Swamp Workflow Management 2013-01-08 12:42:43 UTC
The SWAMPID for this issue is 50693.
This issue was rated as moderate.
Please submit fixed packages until 2013-01-22.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 27 Petr Gajdos 2013-01-08 14:06:31 UTC
9sp3:  sr#23375
10sp3: sr#23376
11:    sr#23377

openSUSE: mr#147545
Comment 28 Bernhard Wiedemann 2013-01-10 14:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (781995) was mentioned in
https://build.opensuse.org/request/show/147919 Evergreen:11.2 / tiff
Comment 29 Swamp Workflow Management 2013-01-24 19:04:32 UTC
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, tiff, tiff-debuginfo, tiff-debugsource
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 30 Swamp Workflow Management 2013-01-24 20:34:06 UTC
Update released for: libtiff, tiff
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 31 Swamp Workflow Management 2013-01-24 21:17:31 UTC
Update released for: libtiff, libtiff-32bit, libtiff-64bit, libtiff-devel, libtiff-devel-32bit, libtiff-devel-64bit, libtiff-x86, tiff, tiff-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 32 Swamp Workflow Management 2013-01-24 22:04:50 UTC
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 33 Swamp Workflow Management 2013-01-24 22:13:31 UTC
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, libtiff3-x86, tiff, tiff-debuginfo, tiff-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 34 Marcus Meissner 2013-01-25 08:15:32 UTC
all released
Comment 35 Bernhard Wiedemann 2013-05-23 06:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (781995) was mentioned in
https://build.opensuse.org/request/show/176384 Evergreen:11.2 / tiff
Comment 36 Swamp Workflow Management 2013-11-07 12:55:47 UTC
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)