CVE-2014-8128 -- LibTIFF -- Out-of-bounds Write

0. Status
---------
20150124 - Not completed

1. Description
--------------
LibTIFF provides support for the Tag Image File Format (TIFF), a widely used
format for storing image data. It is composed of a library for working with
TIFF files along with a small collection of tools for doing simple
manipulations of TIFF images.

Multiple out-of-bounds writes can be triggered with malformed TIFF images in
the following LibTIFF tools:
- thumbnail (3 different crashes: [0] [4] [6])
- tiffdither (4 different crashes: [1] [2] [3] [7])
- tiffcmp (2 different crashes: [4] [6])
- tiff2pdf (single crash: [5])

2. Affected versions
--------------------
Reported on Ubuntu 14.04.1 LTS (amd64) 4.0.3-7ubuntu0.1.
Last stable source release v4.0.3 is also affected.

The following tools in CVS HEAD are still affected by some crashes:
- thumbnail (revision 1.20) [6]
- tiffcmp (revision 1.17) [6]
- tiffdither (revision 1.14) [7]

3. Fix
------
Partial fix in CVS HEAD since at least 21/12/2014:
- thumbnail [0] [4]
- tiffdither [1] [2] [3]
- tiffcmp [4]
- tiff2pdf [5]

4. References
-------------
- [0] thumbnail: http://bugzilla.maptools.org/show_bug.cgi?id=2489
- [1] tiffdither: http://bugzilla.maptools.org/show_bug.cgi?id=2490
- [2] tiffdither: http://bugzilla.maptools.org/show_bug.cgi?id=2491
- [3] tiffdither: http://bugzilla.maptools.org/show_bug.cgi?id=2492
- [4] thumbnail & tiffcmp: http://bugzilla.maptools.org/show_bug.cgi?id=2493
- [5] tiff2pdf: http://bugzilla.maptools.org/show_bug.cgi?id=2495
- [6] thumbnail & tiffcmp: http://bugzilla.maptools.org/show_bug.cgi?id=2499
- [7] tiffdither: http://bugzilla.maptools.org/show_bug.cgi?id=2501

5. Credits
----------
William Robinet - Conostix S.A. - william.robinet-libtiff [AT] conostix.com
american fuzzy lop - http://lcamtuf.coredump.cx/afl/