Bugzilla – Bug 770816
VUL-0: tiff: CVE-2012-3401: tiff2pdf heap overflow
Last modified: 2015-02-19 00:50:41 UTC
Via distros ml:

From: Huzaifa Sidhpurwala
To: distros
Subject: [vs] libtiff issue
Date: Wed, 11 Jul 2012

Hello Vendors,

I have discovered a heap-buffer overflow flaw in the tiff2pdf tool shipped with libtiff. Details of the flaw are provided below. We propose an un-embargo date of 18-July-2012.

Summary: libtiff (tiff2pdf): Heap-based buffer overflow due to improper initialization of T2P context struct pointer
CVE: CVE-2012-3401
CVSS2: 6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
Affected versions: 3.9.x and 4.x (latest upstream) are affected. Other versions may be affected too.

Description: A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF image to PDF document conversion tool of libtiff (a library of functions for manipulating TIFF (Tagged Image File Format) image format files), performed the write of TIFF image content into a particular PDF document file when a not properly initialized T2P context struct pointer had been provided by tiff2pdf (the application requesting the conversion) as one of the parameters for the routine performing the write. A remote attacker could provide a specially-crafted TIFF image format file that, when processed by tiff2pdf, would lead to a tiff2pdf executable crash or, potentially, arbitrary code execution with the privileges of the user running the tiff2pdf binary.

Patch (against the latest 4.x upstream version):
diff -Naur tiff-4.0.2.orig/tools/tiff2pdf.c tiff-4.0.2/tools/tiff2pdf.c --- tiff-4.0.2.orig/tools/tiff2pdf.c 2012-06-15 17:51:54.000000000 -0400 +++ tiff-4.0.2/tools/tiff2pdf.c 2012-07-05 13:34:36.569691068 -0400 @@ -1066,6 +1066,7 @@ "Can't set directory %u of input file %s", i, TIFFFileName(input)); + t2p->t2p_error = T2P_ERR_ERROR; return; } if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){
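Review bot: setting `t2p->t2p_error = T2P_ERR_ERROR;` before the `return;` on the "Can't set directory" path only closes the hole if the caller actually checks `t2p->t2p_error` after this init routine returns and before the PDF write begins; the description says the write ran with an improperly initialized context, so please confirm the call site in tiff2pdf.c aborts on T2P_ERR_ERROR rather than trusting whatever counts and tables were filled in before the failing directory. If the same function has further early returns that the hunk does not show, each of them needs the same flag, since any unflagged return leaves the context in the same partially initialized state this hunk is fixing.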
NOTE that this is embargoed until 18-July-2012.
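The mechanism the advisory describes, an init routine that bails out without telling the caller and a writer that then runs on a half-built context, is easy to reproduce in miniature. The following is an added illustration written for this page, not tiff2pdf's code: only the `t2p_error` field and the `T2P_ERR_ERROR` value are taken from the patch, while the `T2P` layout, `read_init`, `write_pdf`, `convert` and the simulated `set_directory` failure are constructed stand-ins. Instead of overflowing, the toy writer reports when it was run on a context the init step never finished, so the unpatched and patched control flows can be compared directly.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for tiff2pdf's T2P context (not the real struct);
   only the t2p_error field and the T2P_ERR_ERROR value come from the patch. */
#define T2P_ERR_OK    0
#define T2P_ERR_ERROR 1

typedef struct {
    int     t2p_error;    /* set by any failing init step, checked before writing */
    int     page_count;   /* pages the writer expects to emit */
    int     pages_read;   /* pages whose metadata was actually initialised */
    size_t *page_lengths; /* page_count entries, filled in by read_init */
} T2P;

/* Simulated TIFFSetDirectory(): directory `fail_at` cannot be selected
   (constructed failure, stands in for a malformed directory in the input). */
static int set_directory(int i, int fail_at) { return i != fail_at; }

/* Init step. With flag_errors == 0 it follows the pre-patch control flow: the
   failing directory causes an early return that leaves t2p_error untouched, so
   the context looks healthy while page_lengths is only partly filled. With
   flag_errors != 0 it behaves like the patched code and records the failure. */
static void read_init(T2P *t2p, int dirs, int fail_at, int flag_errors) {
    t2p->page_count   = dirs;
    t2p->page_lengths = calloc((size_t)dirs, sizeof *t2p->page_lengths);
    for (int i = 0; i < dirs; i++) {
        if (!set_directory(i, fail_at)) {
            if (flag_errors)
                t2p->t2p_error = T2P_ERR_ERROR;   /* the one-line fix from the patch */
            return;
        }
        t2p->page_lengths[i] = 64;                 /* constructed page size */
        t2p->pages_read++;
    }
}

/* Writer step. In the real tool this is where the partially initialised
   context was consumed; here it detects that state instead of acting on it. */
typedef enum { WRITE_OK, WRITE_INCOMPLETE_CONTEXT } write_result;

static write_result write_pdf(const T2P *t2p) {
    size_t total = 0;
    for (int i = 0; i < t2p->page_count; i++)
        total += t2p->page_lengths[i];
    /* Everything the writer relies on must have been produced by init. */
    return (t2p->pages_read == t2p->page_count && total > 0)
               ? WRITE_OK : WRITE_INCOMPLETE_CONTEXT;
}

/* Driver mirroring the init / check flag / write sequence of the tool. */
typedef enum { CONVERT_OK, CONVERT_ABORTED, CONVERT_RAN_ON_BAD_CONTEXT } convert_result;

convert_result convert(int dirs, int fail_at, int patched) {
    T2P t2p;
    memset(&t2p, 0, sizeof t2p);
    t2p.t2p_error = T2P_ERR_OK;
    read_init(&t2p, dirs, fail_at, patched);
    convert_result r;
    if (t2p.t2p_error != T2P_ERR_OK)
        r = CONVERT_ABORTED;            /* failure surfaced, nothing is written */
    else
        r = (write_pdf(&t2p) == WRITE_OK) ? CONVERT_OK : CONVERT_RAN_ON_BAD_CONTEXT;
    free(t2p.page_lengths);
    return r;
}
```

`convert(3, 1, 0)` models the unpatched binary on an input whose second directory cannot be selected: the writer runs anyway and reports `CONVERT_RAN_ON_BAD_CONTEXT`, which is the state the advisory's heap overflow grows out of. `convert(3, 1, 1)` models the patched binary on the same input and returns `CONVERT_ABORTED` because the flag is now checked before any write. The general lesson is that a context object shared between an init routine and a consumer needs one error channel that every early return in the init routine feeds, and that the consumer's caller must test it before doing anything with the context.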
(In reply to comment #1)
> NOTE that this is embargoed until 18-July-2012.

Could you please create a private openSUSE:Maintenance project and make me co-maintainer then? I could prepare a maintenance update for openSUSE too.
We just wait until CRD and handle it as normal then. It's not the world's most severe issue anyway. Anything in SLE that needs fixing, e.g. do we need SWAMP?
bugbot adjusting priority
(In reply to comment #3)
> We just wait until CRD and handle it as normal then.

Ok.

> Anything in SLE that needs fixing, e.g. do we need SWAMP?

Let me check...
(In reply to comment #5)
> > Anything in SLE that needs fixing, e.g. do we need SWAMP?
> Let me check...

I can confirm that error handling in t2p_read_tiff_init and t2p_write_pdf in tiff2pdf.c is the same for all distributions we maintain.
11: sr#20515
10sp3: sr#20514
9sp3: sr#20513
There is already a running SWAMP for tiff: MaintenanceTracker-48014. Should we include it there, rejecting the old submits and using these new ones?
Public now via: http://seclists.org/oss-sec/2012/q3/101
Sebastian, I have discussed this with Marcus this morning and he says we should do an additional swamp for this as QA has almost finished already.
The SWAMPID for this issue is 48375. This issue was rated as moderate. Please submit fixed packages until 2012-08-02. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
openSUSE: mr#128736
This is an autogenerated message for OBS integration: This bug (770816) was mentioned in https://build.opensuse.org/request/show/128740 Factory / tiff
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: libtiff, tiff Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: libtiff-devel, libtiff-devel-32bit, libtiff3, libtiff3-32bit, libtiff3-x86, tiff, tiff-debuginfo, tiff-debugsource Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: libtiff, libtiff-32bit, libtiff-64bit, libtiff-devel, libtiff-devel-32bit, libtiff-devel-64bit, libtiff-x86, tiff, tiff-debuginfo Products: SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
I think all done or ready.
openSUSE-SU-2012:0955-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 770816 CVE References: CVE-2012-3401 Sources used: openSUSE 12.1 (src): tiff-3.9.5-8.10.1 openSUSE 11.4 (src): tiff-3.9.4-31.1
This is an autogenerated message for OBS integration: This bug (770816) was mentioned in https://build.opensuse.org/request/show/130434 Evergreen:11.2 / tiff
This is an autogenerated message for OBS integration: This bug (770816) was mentioned in https://build.opensuse.org/request/show/130578 Evergreen:11.2 / tiff
Update released for: libtiff, libtiff-32bit, libtiff-devel, libtiff-devel-32bit, tiff, tiff-debuginfo Products: SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)