oss-sec mailing list archives

Multiple vulnerabilities in LibTIFF and associated tools


From: William Robinet <william.robinet () conostix com>
Date: Sat, 24 Jan 2015 23:06:38 +0100

Dear oss-security list,

Multiple vulnerabilities have been discovered in several tools distributed
along with LibTIFF.

Upstream references:
- CVE-2014-8130 libtiff: Divide By Zero in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2483
- CVE-2014-8127 libtiff: Out-of-bounds Read in the thumbnail tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2484
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2bw tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2485
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2rgba tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2486
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2487
- CVE-2014-8129 libtiff: Out-of-bounds Read & Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2488
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2489
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2490
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2491
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2492
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2493
- CVE-2014-8128 libtiff: Out-of-bounds Write in the tiff2pdf tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2495
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiff2ps and tiffdither tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2496
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffmedian tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2497
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2499
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffset tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2500
- CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2501

All the crashes were discovered with the help of afl
(http://lcamtuf.coredump.cx/afl/).

Advisories:
- CVE-2014-8127
  http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
- CVE-2014-8128
  http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes.txt
- CVE-2014-8129
  http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_Writes.txt
- CVE-2014-8130
  http://www.conostix.com/pub/adv/CVE-2014-8130-LibTIFF-Division_By_Zero.txt

This was tested on Ubuntu 14.04.1 LTS (amd64) with LibTIFF 4.0.3-7ubuntu0.1.

Last stable LibTIFF source release v4.0.3 is also affected.

Upstream CVS HEAD contains fixes for all bugs except the following:
- CVE-2014-8128 libtiff: Out-of-bounds Write in the thumbnail and tiffcmp tools
  http://bugzilla.maptools.org/show_bug.cgi?id=2499
- CVE-2014-8127 libtiff: Out-of-bounds Read in the tiffset tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2500
- CVE-2014-8128 libtiff: Out-of-bounds Writes in the tiffdither tool
  http://bugzilla.maptools.org/show_bug.cgi?id=2501

Please accept my apologies for the mishandling of this report. I did not
conform to the distros list policy regarding embargo time enforcement
and I failed to notify oss-security before creating bug reports on
upstream's public Bugzilla.
Clearly, notifying the distros list before upstream was not the way to go.
I take full responsibility for this.

William
(Please note I'm not a member of the list)

-- 
GPG Key ID/Fingerprint:
    74C7A949/B509 4137 1353 A3FC 6A87  AA06 003F A3DF 74C7 A949

Conostix S.A.
4, Rue d'Arlon
L-8399 Windhof (Koerich)
T. +352 26 10 30 61
F. +352 26 10 30 62

