Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 24 Jan 2015 23:06:38 +0100
From: William Robinet <william.robinet@...ostix.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in LibTIFF and associated tools

Dear oss-security list,

Multiple vulnerabilities have been discovered in several tools distributed
along with LibTIFF.

Upstream references:
- CVE-2014-8130 libtiff: Divide By Zero in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2483
- CVE-2014-8127 libtiff: Out-of-bounds Read in the thumbnail tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2484
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2bw tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2485
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2rgba tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2486
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2487
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2488
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2489
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2490
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2491
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2492
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2493
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2495
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2ps and tiffdither tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2496
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffmedian tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2497
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2499
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffset tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2500
- CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2501

All the crashes were discovered with the help of afl
(http://lcamtuf.coredump.cx/afl/).

Advisories:
- CVE-2014-8127
  http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
- CVE-2014-8128
  http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes.txt
- CVE-2014-8129
  http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_Writes.txt
- CVE-2014-8130
  http://www.conostix.com/pub/adv/CVE-2014-8130-LibTIFF-Division_By_Zero.txt

This was tested on Ubuntu 14.04.1 LTS (amd64) LibTIFF 4.0.3-7ubuntu0.1 .

Last stable LibTIFF source release v4.0.3 is also affected.

Upstream CVS HEAD contains fixes for all bugs except the following:
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2499
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffset tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2500
- CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2501

Please accept my apologies for the mishandling of this report. I did not
conform to the distros list policy regarding embargo time enforcement
and I failed to notify oss-security before creating bug reports on
public upstream's Bugzilla.
Clearly, notifying the distros list before upstream was not the way to go.
I take full responsibility for this.

William
(Please note I'm not a member of the list)

-- 
GPG Key ID/Fingerprint:
    74C7A949/B509 4137 1353 A3FC 6A87  AA06 003F A3DF 74C7 A949

Conostix S.A.
4, Rue d'Arlon
L-8399 Windhof (Koerich)
T. +352 26 10 30 61
F. +352 26 10 30 62

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.