Bug 916925 (CVE-2015-1547) - VUL-1: CVE-2015-1547: tiff: Use of uninitialized memory in NeXTDecode
Summary: VUL-1: CVE-2015-1547: tiff: Use of uninitialized memory in NeXTDecode
Status: RESOLVED FIXED
Alias: CVE-2015-1547
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Deadline: 2016-01-11
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/113620/
Whiteboard: CVSSv2:SUSE:CVE-2016-5320:5.8:(AV:N/A...
Reported: 2015-02-09 13:46 UTC by Johannes Segitz
Modified: 2022-12-16 14:07 UTC
Found By: Security Response Team


Attachments
Reproducer (392 bytes, image/tiff)
2015-02-09 13:46 UTC, Johannes Segitz

Description Johannes Segitz 2015-02-09 13:46:48 UTC
Created attachment 622439
Reproducer

CVE-2015-1547

Discovered by Michal Zalewski <lcamtuf@coredump.cx>
Use of uninitialized memory in NeXTDecode after fixing the previous case.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1547
http://seclists.org/oss-sec/2015/q1/454
Comment 1 Swamp Workflow Management 2015-02-09 23:05:00 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2015-02-11 12:15:15 UTC
P4 for planned update.
Comment 3 Petr Gajdos 2015-02-12 09:13:14 UTC
In contrast to CVE-2014-9655 (bug 916927), CVE-2014-8127, CVE-2014-8128, CVE-2014-8129 and CVE-2014-8130 (bug 914890), this one is not covered by an upstream commit or by a bug number at least.

Michal said on oss-security that he 'reported to them', so there will certainly be a bug number assigned to this issue.
Comment 4 Johannes Segitz 2015-02-12 09:57:41 UTC
(In reply to Petr Gajdos from comment #3)
I can neither find a bug nor a matching commit. We will have to wait for a patch.
Comment 5 Petr Gajdos 2015-02-17 12:49:36 UTC
According to Michal, the following entry fixes the issue:

* libtiff/tif_next.c: add new tests to check that we don't read outside of
the compressed input stream buffer.
Comment 8 Petr Gajdos 2015-02-26 14:12:24 UTC
Packages submitted.
Comment 9 Swamp Workflow Management 2015-03-09 10:05:36 UTC
openSUSE-SU-2015:0450-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 914890,916925,916927
CVE References: CVE-2014-8127,CVE-2014-8128,CVE-2014-8129,CVE-2014-8130,CVE-2014-9655,CVE-2015-1547
Sources used:
openSUSE 13.2 (src):    tiff-4.0.3-10.4.1
openSUSE 13.1 (src):    tiff-4.0.3-8.4.1
Comment 11 Swamp Workflow Management 2015-07-01 08:36:44 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62163
Comment 12 Swamp Workflow Management 2015-07-09 09:09:34 UTC
openSUSE-SU-2015:1213-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 914890,916925,916927
CVE References: CVE-2014-8127,CVE-2014-8128,CVE-2014-8129,CVE-2014-8130,CVE-2014-9655,CVE-2015-1547
Sources used:
openSUSE 13.2 (src):    tiff-4.0.4-10.10.1
openSUSE 13.1 (src):    tiff-4.0.4-8.10.1
Comment 13 Marcus Meissner 2015-08-11 16:00:40 UTC
The bug does not seem to be fixed.

http://bugzilla.maptools.org/show_bug.cgi?id=2508

Can you please check, Petr?
Comment 14 Petr Gajdos 2015-08-12 06:08:59 UTC
Look at the date of comment 0 of this bug and the date of the Description of bug 2508.

And yes, we have 2508 tracked (in 914890 comment 45). IMHO dropping tiff tools would be the best thing if possible.
Comment 15 Marcus Meissner 2015-08-12 07:10:12 UTC
OK, thanks for the heads up.

This bug stands so far unfixed.
Comment 16 SMASH SMASH 2016-01-04 15:48:11 UTC
An update workflow for this issue was started.

This issue was rated as "low".
Please submit fixed packages until "Jan. 6, 2016".

When done, reassign the bug to "security-team@suse.de".
/update/121220/.
Comment 17 SMASH SMASH 2016-01-04 15:54:47 UTC
An update workflow for this issue was started.

This issue was rated as "low".
Please submit fixed packages until "Jan. 11, 2016".

When done, reassign the bug to "security-team@suse.de".
/update/62403/.
Comment 18 Swamp Workflow Management 2016-01-04 15:56:52 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-01-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62403
Comment 19 Victor Pereira 2017-09-19 08:22:05 UTC
All fixed and released.