Buffer overruns, remote code execution, you know the drill
LibTIFF has three bugs that let booby-trapped files pwn a target – and only two of them have been patched.
Described by Cisco Talos’ Tyler Bohan, the bugs are a heap buffer overflow in compression tables (CVE-2016-5652), a parsing error (CVE-2016-8331), and a heap buffer overflow (CVE-2016-5875).
The Talos post says the company found the bugs in LibTIFF 4.0.6, released in September.
The parsing error (’8331) is in LibTIFF code used in fax systems, called BadFaxLines: a crafted image triggers an out-of-bounds memory error, leading to remote code execution.
This hasn’t yet been patched.
’5875 is a heap buffer overflow in PixarLogDecode discovered by Mathias Svensson of Google’s Security Team.
There’s a fix on GitHub by Even Rouault of Spatialys.
’5652 is in the library’s Tiff2PDF tool: a crafted file can crash it with either an out-of-bounds write or a heap overflow.
So far so good, but as Threatpost notes, while fixes for two of the three bugs exist, they’re scattered around.
The long-time host for the library, remotesensing.org, no longer offers the downloads.
The CVS repository is at Maptools.org, and there is also a GitHub repo.