-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: tiff
Version: 4.0.6-1 
Severity: critical
Tags: security, fixed-upstream

Hi LibTIFF maintainer(s),

Kaixiang Zhang from Qihoo 360 and Mathias Svensson from Google discovered a
heap-based buffer overflow vulnerability in the PixarLogDecode() function in
libtiff/tif_pixarlog.c in the TIFF library, which may result in denial of
service or the execution of arbitrary code if a malformed TIFF file is
processed.

Upstream has fixed this vulnerability in the following commit (the repository is
a mirror of the upstream CVS repository):

https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2

This was reported by several researchers simultaneously.

CVE-2016-5314 upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2554

CVE-2016-5316 has been marked as a duplicate of upstream bug #2554, as it is fixed
by the same commit:
http://bugzilla.maptools.org/show_bug.cgi?id=2556

http://www.openwall.com/lists/oss-security/2016/06/30/3 says:

"""I think this is a duplicate with CVE-2016-5320 and CVE-2016-5314.

CVE-2016-5875 (buffer overrun in PixarLogDecode()) is CVE-2016-5314
(PixarLogDecode() out-of-bound writes) which causes CVE-2016-5320
(rgb2ycbcr command execution)."""

Reproducers:

http://bugzilla.maptools.org/attachment.cgi?id=654
http://bugs.fi/media/afl/libtiff/CVE-2016-5875.tif
http://bugzilla.maptools.org/attachment.cgi?id=656

Please double-check the situation before making changes to the Debian source
package. Feel free to contact me or the Debian security team in case you have any
questions.

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXgmFSAAoJECet96ROqnV0xIMP/12NuYUO3NSqPkAk3C/35go5
aTItQmBr5DqG0a/wS/R5vR0FwyLbJ8FGh36hjXHCC7VBRiQfj4t1Vq7TAFn0c3jE
pTcnxW/hzhPeRIQR7pdQkQMYQe4ODB9irL6m8EqH4uHhhE9mPJ9j6cUKGRhi25fx
TO99Mtv8Aqlb9GO1rggaAQUiRN3E4E4xVE0g5Qlw4ad8FeP1IQSPHbYyGG1pUF20
os46/ODxaDqi3QLpla3rRAJVNQoiUhYoUmVfqgN4htaSTn28b/qPdZ+oQV1cpvLo
A8g0RThuazgkRO4wGIMVsZVxFJnRPrkVZL2RW5fqF3efw39qHtopOvi5dAScyOgX
dIqFlz8Yv9Tx9DQYzfVmp1rEtZL80Xd3D6cAdFbxUwFJq4ZN2sr2RTZXufrhlMm6
+N776cbidBR8j8jPKFZxQpgQWwC+h7SJmsuiZsO8hCkZopE0DJf8O/4j2sPioG6M
ajHtlB63ed99eFb3Z+tl37z+6XogT33xslAe/Ux0muWpavoItWA9G5Kx1yBHGBVn
8k9xP889veqJVO2qzWo3r64MvTUltD7x1Y6fzOaPBUWrHU/mG+Epgk1KAEk3aGSt
L6zkKhEYq0hLERWqY2hdVYD3HfPb+jaEkEc9eJNK6mQ0yzbQxws/uaXHOvA4ZOAm
HcLaKK1BLe+6opMAZWRx
=XDbp
-----END PGP SIGNATURE-----