oss-sec mailing list archives
Multiple vulnerabilities in LibTIFF and associated tools
From: William Robinet <william.robinet () conostix com>
Date: Sat, 24 Jan 2015 23:06:38 +0100
Dear oss-security list,

Multiple vulnerabilities have been discovered in several tools distributed along with LibTIFF.

Upstream references:
- CVE-2014-8130 libtiff: Divide By Zero in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2483
- CVE-2014-8127 libtiff: Out-of-bounds Read in the thumbnail tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2484
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2bw tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2485
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2rgba tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2486
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2487
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2488
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2489
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2490
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2491
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2492
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2493
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2495
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2ps and tiffdither tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2496
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffmedian tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2497
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2499
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffset tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2500
- CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2501

All the crashes were discovered with the help of afl (http://lcamtuf.coredump.cx/afl/).

Advisories:
- CVE-2014-8127
  http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
- CVE-2014-8128
  http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes.txt
- CVE-2014-8129
  http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_Writes.txt
- CVE-2014-8130
  http://www.conostix.com/pub/adv/CVE-2014-8130-LibTIFF-Division_By_Zero.txt

This was tested on Ubuntu 14.04.1 LTS (amd64) LibTIFF 4.0.3-7ubuntu0.1.
Last stable LibTIFF source release v4.0.3 is also affected.

Upstream CVS HEAD contains fixes for all bugs except the following:
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2499
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffset tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2500
- CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2501

Please accept my apologies for the mishandling of this report. I did not conform to the distros list policy regarding embargo time enforcement and I failed to notify oss-security before creating bug reports on public upstream's Bugzilla. Clearly, notifying the distros list before upstream was not the way to go. I take full responsibility for this.

William

(Please note I'm not a member of the list)

--
GPG Key ID/Fingerprint: 74C7A949/B509 4137 1353 A3FC 6A87 AA06 003F A3DF 74C7 A949
Conostix S.A.
4, Rue d'Arlon
L-8399 Windhof (Koerich)
T. +352 26 10 30 61
F. +352 26 10 30 62