Bugzilla – Bug 973340
VUL-0: CVE-2016-3186: tiff: buffer overflow in gif2tiff
Last modified: 2016-10-24 10:26:46 UTC
rh#1319666
A buffer overflow vulnerability was reported in libtiff library, in gif2tiff component. A maliciously crafted file could cause the application to crash. Reproducer and crash analysis linked in https://bugzilla.redhat.com/show_bug.cgi?id=1319503
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1319666
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3186.html
bugbot adjusting priority
all codestreams are affected. However there isn't an available patch. Fridrich Strba could you come up with a patch?
Created attachment 671875 [details]
Patch to fix the buffer overflow
When getc detects that it is at the end of file, it returns EOF, which is a negative number. The exact value depends on implementation, but it is always a negative number. On Linux it is normally -1. That while loop checks only if the count is <= 255. If the number count is negative, that condition is satisfied. Nonetheless, in the subsequent fread, the count is cast to size_t, where it becomes a huge number, hence the buffer overflow. This patch is adding a check for the return of getc being positive, which solves the buffer overflow. I am producing packages for affected systems and will submit ASAP.
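The failure mode described in the comment above, as an added example; it is not the attached patch and not libtiff's code. The helper names (`unchecked_cond`, `checked_cond`, `skip_subblocks`, `run_on_bytes`) and the input bytes are constructed for illustration, and the reader loop uses only the checked form.

```c
#include <stdio.h>
#include <stddef.h>

/* Loop condition as the comment describes it: only the upper bound is tested. */
static int unchecked_cond(int count) { return count && count <= 255; }

/* Condition with the added sign test: EOF (negative) ends the loop. */
static int checked_cond(int count) { return count > 0 && count <= 255; }

/* Hypothetical helper: walk length-prefixed sub-blocks (a count byte, then
 * that many data bytes, ended by a zero count byte).
 * Returns the data bytes consumed, or -1 if the stream is truncated. */
static long skip_subblocks(FILE *fp)
{
    unsigned char buf[255];
    long total = 0;
    int count;

    while (checked_cond(count = getc(fp))) {
        if (fread(buf, 1, (size_t)count, fp) != (size_t)count)
            return -1;              /* data shorter than its length byte */
        total += count;
    }
    return count == 0 ? total : -1; /* EOF before the zero terminator */
}

/* Run skip_subblocks() over a constructed byte string via a temp file. */
static long run_on_bytes(const unsigned char *data, size_t len)
{
    FILE *fp = tmpfile();
    long r;
    if (!fp) return -2;
    fwrite(data, 1, len, fp);
    rewind(fp);
    r = skip_subblocks(fp);
    fclose(fp);
    return r;
}

int main(void)
{
    /* Constructed inputs: a complete chain, and one cut off before the terminator. */
    const unsigned char ok[]  = { 3, 'a', 'b', 'c', 2, 'x', 'y', 0 };
    const unsigned char cut[] = { 3, 'a', 'b', 'c' };

    printf("EOF=%d passes unchecked test: %d, as size_t: %zu\n",
           EOF, unchecked_cond(EOF), (size_t)EOF);
    printf("complete: %ld  truncated: %ld\n",
           run_on_bytes(ok, sizeof ok), run_on_bytes(cut, sizeof cut));
    return 0;
}
```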
This is an autogenerated message for OBS integration:
This bug (973340) was mentioned in
https://build.opensuse.org/request/show/385377 Factory / tiff
https://build.opensuse.org/request/show/385380 13.2 / tiff
https://build.opensuse.org/request/show/385383 13.1 / tiff
openSUSE-SU-2016:1081-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 973340
CVE References: CVE-2016-3186
Sources used:
openSUSE 13.2 (src): tiff-4.0.6-10.23.1
openSUSE-SU-2016:1103-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 973340
CVE References: CVE-2016-3186
Sources used:
openSUSE 13.1 (src): tiff-4.0.6-8.22.1
SUSE-SU-2016:2271-1: An update that fixes 9 vulnerabilities is now available.
Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): tiff-4.0.6-26.3
SUSE Linux Enterprise Server 12-SP1 (src): tiff-4.0.6-26.3
SUSE Linux Enterprise Desktop 12-SP1 (src): tiff-4.0.6-26.3
openSUSE-SU-2016:2321-1: An update that fixes 9 vulnerabilities is now available.
Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE Leap 42.1 (src): tiff-4.0.6-6.1
Created attachment 696137 [details]
CVE-2016-3186.gif
QA REPRODUCER:
gif2tiff CVE-2016-3186.gif foo.tiff
SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.
Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.168.1