CVE-2016-5314: tiff: PixarLogDecode() heap-based buffer overflow

Debian Bug report logs - #830700

Package: tiff; Maintainer for tiff is Laszlo Boszormenyi (GCS) <gcs@debian.org>;

Reported by: Henri Salo <henri@nerv.fi>

Date: Sun, 10 Jul 2016 14:57:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version 4.0.6-1

Fixed in version tiff/4.0.6-2

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#830700; Package tiff. (Sun, 10 Jul 2016 14:57:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Ondřej Surý <ondrej@debian.org>. (Sun, 10 Jul 2016 14:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: CVE-2016-5314: tiff: PixarLogDecode() heap-based buffer overflow
Date: Sun, 10 Jul 2016 17:53:06 +0300

Package: tiff
Version: 4.0.6-1 
Severity: critical
Tags: security, fixed-upstream

Hi LibTIFF maintainer(s),

Kaixiang Zhang from Qihoo 360 and Mathias Svensson from Google discovered a
heap-based buffer overflow vulnerability in the PixarLogDecode() function in
libtiff/tif_pixarlog.c in the TIFF library, which may result in denial of
service or the execution of arbitrary code if a malformed TIFF file is
processed.

Upstream has fixed this vulnerability in the following commit (the repository is a
mirror of the upstream CVS repository):

https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2

This was reported by several researchers simultaneously.

CVE-2016-5314 upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2554

CVE-2016-5316 has been marked as duplicate of upstream bug #2554 as it is fixed
by the same commit:
http://bugzilla.maptools.org/show_bug.cgi?id=2556

http://www.openwall.com/lists/oss-security/2016/06/30/3 says:

"""I think this is a duplicate with CVE-2016-5320 and CVE-2016-5314.

CVE-2016-5875 (buffer overrun in PixarLogDecode()) is CVE-2016-5314
(PixarLogDecode() out-of-bound writes) which causes CVE-2016-5320
(rgb2ycbcr command execution)."""

Reproducers:

http://bugzilla.maptools.org/attachment.cgi?id=654
http://bugs.fi/media/afl/libtiff/CVE-2016-5875.tif
http://bugzilla.maptools.org/attachment.cgi?id=656

Please double-check the situation before making changes to the Debian source
package. Feel free to contact me or the Debian security team in case you have any
questions.

-- 
Henri Salo



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 10 Jul 2016 16:00:05 GMT)


Severity set to 'grave' from 'critical'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Jul 2016 04:48:13 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sat, 16 Jul 2016 16:24:05 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 16 Jul 2016 16:24:05 GMT)


Message #14 received at 830700-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 830700-close@bugs.debian.org
Subject: Bug#830700: fixed in tiff 4.0.6-2
Date: Sat, 16 Jul 2016 16:21:53 +0000
Source: tiff
Source-Version: 4.0.6-2

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 830700@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 16 Jul 2016 11:45:21 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.6-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 830700
Changes:
 tiff (4.0.6-2) unstable; urgency=high
 .
   * Backport fix for the following vulnerabilities:
     - CVE-2016-5314, PixarLogDecode() heap-based buffer overflow
       (closes: #830700),
     - CVE-2016-5316, PixarLogCleanup() Segmentation fault,
     - CVE-2016-5320, rgb2ycbcr: command execution,
     - CVE-2016-5875, heap-based buffer overflow when using the PixarLog
       compression format,
     - CVE-2016-6223, information leak in libtiff/tif_read.c,
     - CVE-2016-5321, DumpModeDecode(): Ddos,
     - CVE-2016-5323, tiffcrop _TIFFFax3fillruns(): NULL pointer dereference.
   * Be primary maintainer and keep Ondřej as uploader.
   * Update Standards-Version to 3.9.8.
Checksums-Sha1:
 209778ab24efc575faf168798613a343cc4d18e9 2270 tiff_4.0.6-2.dsc
 0228fe85bb6cb4c146f3bf06f3059fb72108f21a 19960 tiff_4.0.6-2.debian.tar.xz
 79da88aa90ec4e0cdfe1866f8d31ad68ff42e515 380302 libtiff-doc_4.0.6-2_all.deb
 e185661a6cecce18c7e367ae9940071e47e5999f 13626 libtiff-opengl-dbgsym_4.0.6-2_amd64.deb
 ec83d7336fd180ba52085cdcefa4cc9036dfb9ac 89054 libtiff-opengl_4.0.6-2_amd64.deb
 86df217b49ea52c7401fde3b28b9fc7713af0dbc 390170 libtiff-tools-dbgsym_4.0.6-2_amd64.deb
 47d40cbc907f18d2546668ab7ea038163cce8a95 295946 libtiff-tools_4.0.6-2_amd64.deb
 2839104678ac29cbb36c581d46c02caf008429e4 352796 libtiff5-dbgsym_4.0.6-2_amd64.deb
 766c4777c2a28261b3e3bcf807fd98949bb5e259 344390 libtiff5-dev_4.0.6-2_amd64.deb
 edcad6085c0648b3cc80cb3f037edc0bfa7c2a4d 221824 libtiff5_4.0.6-2_amd64.deb
 490d5cff0c3855068068fdf4783d1952edfa937d 17158 libtiffxx5-dbgsym_4.0.6-2_amd64.deb
 51df5634a651e273566e67f10f4b0eda0ee37a55 84350 libtiffxx5_4.0.6-2_amd64.deb
Checksums-Sha256:
 e0537b2e1ae7992f53d8bae9a0a81198cd97f2aea22862a7ffc1112b0dbde15c 2270 tiff_4.0.6-2.dsc
 82a0ef3f713d2a22d40b9be71fd121b9136657d313ae6b76b51430302a7b9f8b 19960 tiff_4.0.6-2.debian.tar.xz
 ef439b88f92d21e94afab6f54ee83803b14ddf2e52b7ca457529a9ac40eded94 380302 libtiff-doc_4.0.6-2_all.deb
 4624955f9d32e047ba679f5531e0008b99e2c94a15db70131b6afa75313b3974 13626 libtiff-opengl-dbgsym_4.0.6-2_amd64.deb
 2ccb9d53be6793c52777eb64db8197e48f5cccf859596ac003d80e0d7d950350 89054 libtiff-opengl_4.0.6-2_amd64.deb
 7f6446ba44e46cb5a12abf06170979b6c74f8e4c3f4a04194131344c1b246f88 390170 libtiff-tools-dbgsym_4.0.6-2_amd64.deb
 ba107964a048bf7eb6c7786751383f3a28d7e5929dd6559e7127079894a64aa8 295946 libtiff-tools_4.0.6-2_amd64.deb
 d5a9ca6406ef495f5a3984c8325aca2b54c13d767c118324bc07249ddb02b628 352796 libtiff5-dbgsym_4.0.6-2_amd64.deb
 c9fa2d2caabd0e9009b7e349114f0ce5ffc4e975ac609c623d6558264314a4a4 344390 libtiff5-dev_4.0.6-2_amd64.deb
 444d351644500edc250d821f200c3b0f67c459dc3199aad94abdbb494f1a73aa 221824 libtiff5_4.0.6-2_amd64.deb
 7702d22a43586673f4d97d8061edb07363f63d05a09bd05c5d20234ceeaac940 17158 libtiffxx5-dbgsym_4.0.6-2_amd64.deb
 d7a4be5acdb4da5cf0d9cedc85b0fdb88d660ab1accef444680b43d0aae239ea 84350 libtiffxx5_4.0.6-2_amd64.deb
Files:
 f30ce432e055acecd02a6bf33f93eff6 2270 libs optional tiff_4.0.6-2.dsc
 dc20f77c1797deafd0d4a6c752227777 19960 libs optional tiff_4.0.6-2.debian.tar.xz
 7721d14a1a443584d13fb15186a4f25a 380302 doc optional libtiff-doc_4.0.6-2_all.deb
 ed46d0639cb72b1e261aa1827a7a563e 13626 debug extra libtiff-opengl-dbgsym_4.0.6-2_amd64.deb
 4824ca0ed729fe6cbf10e1d29df4b111 89054 graphics optional libtiff-opengl_4.0.6-2_amd64.deb
 2cab763a1f208929f55f450641d45c4f 390170 debug extra libtiff-tools-dbgsym_4.0.6-2_amd64.deb
 0663e09ad268311bc75c0bb40e9de0df 295946 graphics optional libtiff-tools_4.0.6-2_amd64.deb
 63ab5845e13e007345828376d497e044 352796 debug extra libtiff5-dbgsym_4.0.6-2_amd64.deb
 7ef5feba77e5d14980d3c8b1df464a90 344390 libdevel optional libtiff5-dev_4.0.6-2_amd64.deb
 4ea69088a5ed4eba10158f1757193812 221824 libs optional libtiff5_4.0.6-2_amd64.deb
 c34e66b4d98c04f2e7a596c9f9bf057e 17158 debug extra libtiffxx5-dbgsym_4.0.6-2_amd64.deb
 d12accf65d37eb42da3f7b5988cb8875 84350 libs optional libtiffxx5_4.0.6-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXilRtAAoJENzjEOeGTMi/eREQAIJ+dJG5FxOIzKY6Anw0mWN/
h62u345MFWQHhmftjqvZcdVfer050D5FVA2D4eLwyBrw3NasZuvk4IHv1HkixB5w
chxOoLNKPAjEPvJIVW+OrdyX3koXDDwwYkYuFfurVFsFc/R93DRvp2rTA8zvYgaI
EDvrouojQEcoz0Rw+Pw1mCHIk3svXprBENoKyI6HkkdsTmyD9rDX2eCCbST5KbCK
f4XjpE5OrRjK3Iaw0p9VjqaIHXh9ZgUA6XzklY0DJ537Juk0MlloqQ3eFlw722Wr
78SHVfOleG7GwNGCDyYUmUkZoXTdnyHp8z4THnZI7N4lyScjNETpn0PzVwlXCVd3
2O0+dICXtA6otMPMd0kipKRKkHqgwG+JSJnEGlfYnafuHlRTo2x5Go/ySoW7ykjn
Zaa0K2euFMgVshd7jos/XuDiOAlf247w8+eBaOMKxXprYd2E9rXSW21dgLJuaLK8
T6jA9i7E+Zj+f3PUoDZnZ+w5aJIYqTNBd5K/ORbqBqXTYtMOT8DDbadiNdLIMjGZ
JJarDomNSzVYK/h5RTC9En+XmwSqdIlHgDesaN/taKRN8kHo8JJO4Lt2dRblyVzC
JLmSkgDQVi0p7DEUujyAWLODp1BKjJy2ZzB03Q79YvW1u3/WnTgG3U9+AFBPAD4C
EiBLPYdHXyK16aHo/EYj
=MXGf
-----END PGP SIGNATURE-----
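The upload notification above carries Checksums-Sha1, Checksums-Sha256 and Files fields inside a PGP-signed .changes document. The following is an added example, not part of the bug log and not code from Debbugs or dpkg: it parses one Checksums-* field and verifies the files in a directory against it, reporting missing files, size mismatches and digest mismatches separately, and refusing path-like filenames so a hostile .changes file cannot make the verifier read files outside the upload directory. It assumes the .changes signature has already been verified (for example with gpg --verify); the digests prove integrity only, not who produced the upload. The demo directory, its file contents and the digests in build_demo() are constructed here and are not the real tiff 4.0.6-2 artifacts; only the filenames mirror the upload.

```python
"""Verify the artifacts listed in a Debian .changes file against one of its
Checksums-* fields.  Added example; not Debbugs or dpkg code."""
import hashlib
import re
import tempfile
from pathlib import Path

_HEX = re.compile(r"[0-9a-f]+")
# Maps a .changes field name to the hashlib algorithm its digests use.
_ALGO = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one Checksums-* field.

    The field is RFC 822 style: the line `Checksums-Sha256:` followed by
    indented lines ` <digest> <size> <filename>`; the first non-indented line
    (next field, blank line, or PGP signature armour) ends it.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            in_field = line.rstrip() == field + ":"
            continue
        if not line.startswith(" "):
            break
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, name = parts
        if not _HEX.fullmatch(digest.lower()) or not size.isdigit():
            raise ValueError(f"malformed checksum line: {line!r}")
        # A .changes file names bare files in its own directory; refuse anything
        # that could escape it, so a hostile file cannot make us hash /etc/shadow.
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"refusing path-like filename: {name!r}")
        entries[name] = (digest.lower(), int(size))
    if not in_field:
        raise ValueError(f"field {field} not found")
    return entries


def verify_file(path, digest, size, algo="sha256"):
    """Check one file: existence, then declared size, then digest."""
    path = Path(path)
    if not path.is_file():
        return "missing"
    if path.stat().st_size != size:
        return "size mismatch"
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == digest else "digest mismatch"


def verify_changes(changes_text, directory, field="Checksums-Sha256"):
    """Verify every file named in `field` against `directory`; returns {name: status}."""
    algo = _ALGO[field]
    entries = parse_checksums(changes_text, field)
    return {name: verify_file(Path(directory) / name, d, s, algo)
            for name, (d, s) in entries.items()}


def build_demo():
    """Create a temporary directory of constructed files plus a matching
    .changes excerpt (constructed; not the real tiff 4.0.6-2 artifacts).
    Returns (directory, changes_text)."""
    directory = Path(tempfile.mkdtemp(prefix="changes-demo-"))
    good = b"constructed stand-in for libtiff5_4.0.6-2_amd64.deb\n"
    dsc = b"constructed stand-in for tiff_4.0.6-2.dsc\n"
    (directory / "libtiff5_4.0.6-2_amd64.deb").write_bytes(good)
    # Same length as `dsc` with one byte altered: size check passes, digest fails.
    (directory / "tiff_4.0.6-2.dsc").write_bytes(dsc[:-2] + b"!\n")
    lines = ["Format: 1.8", "Source: tiff", "Version: 4.0.6-2", "Checksums-Sha256:",
             f" {hashlib.sha256(good).hexdigest()} {len(good)} libtiff5_4.0.6-2_amd64.deb",
             f" {hashlib.sha256(dsc).hexdigest()} {len(dsc)} tiff_4.0.6-2.dsc",
             # Listed but never written: the verifier must report it, not skip it.
             f" {'0' * 64} 380302 libtiff-doc_4.0.6-2_all.deb",
             "Files:",
             " d41d8cd98f00b204e9800998ecf8427e 0 libs optional placeholder"]
    return directory, "\n".join(lines) + "\n"


if __name__ == "__main__":
    demo_dir, text = build_demo()
    for name, status in verify_changes(text, demo_dir).items():
        print(f"{status:16} {name}")
```

Running the block prints one status per listed file: ok for the intact package, digest mismatch for the altered .dsc and missing for the file that was listed but never downloaded. A verifier that only reports successes, or that silently skips absent files, would miss exactly the cases a tampered or incomplete mirror produces.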




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Aug 2016 07:25:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:22:09 2019; Machine Name: buxtehude
