New issue
Advanced search Search tips

Issue 712605 link

Starred by 1 user
Status: WontFix
Owner:
jorgelo@chromium.org
Closed: Apr 2017
Cc:
npm@chromium.org
vapier@chromium.org
js...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security



Sign in to add a comment

CrOS: Vulnerability reported in media-libs/tiff

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Apr 18 2017 
Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: media-libs/tiff
Package Version: [cpe:/a:libtiff:libtiff:4.0.6 cpe:/a:libtiff:libtiff:4.0.7 cpe:/a:libtiff_project:libtiff:4.0.6 cpe:/a:libtiff_project:libtiff:4.0.7]

Advisory: CVE-2016-5322
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2016-5322
  CVSS severity score: 4.3/10.0
  Confidence: high
  Description:

The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image.

Comment 1 by mea...@chromium.org, Apr 19 2017

Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
This is a Denial of Service which we don't consider a security vulnerability.

jshin@: Do you mind if I assign this to you, as you are already handling  bug 697394 ? Thanks.

Comment 2 by mea...@chromium.org, Apr 19 2017

Labels: Security_Impact-Stable Security_Severity-Low
Re-reading the bug description, there is an out of bounds read here, so let's keep this as a security bug.

Comment 3 by mea...@chromium.org, Apr 19 2017

Cc: vapier@chromium.org js...@chromium.org
Components: Internals
Owner: npm@chromium.org
Re-assigning to npm@ per jorgelo@'s suggestion.

Comment 4 by npm@chromium.org, Apr 19 2017

Cc: npm@chromium.org
Owner: mea...@chromium.org
I'm not in the Chrome OS team. If you updated libtiff to 4.0.7 then this should already be fixed.

Comment 5 by mea...@chromium.org, Apr 19 2017

Owner: jorgelo@chromium.org
The libtiff under pdfium seems to be 4.0.7, but I'm not sure if this is the same as the one on ChromeOS.

jorgelo: Would you be able to double check? Thanks.

Comment 6 by jorgelo@chromium.org, Apr 19 2017

Status: WontFix (was: Assigned)
Yes Chrome OS is at libtiff 4.0.7. Sorry Nicolás for the noise. We should probably find out why Vomit is making our lives harder here.

Comment 7 by vapier@chromium.org, Apr 19 2017 

i think VOMIT is doing the right thing.  the upstream CVE includes version info to match <=4.0.6:
https://nvd.nist.gov/vuln/detail/CVE-2016-5322

if we look at our active branches:
ToT: tiff-4.0.7 since 19 Mar
R59: tiff-4.0.7 since branch point
R58: tiff-4.0.7 since 19 Mar
R57: tiff-4.0.3 and builds have been made as recent as 14 Apr

might be nice to get clarity as to the source of "Package Version" in comment #0 though.
Project Member

Comment 8 by sheriffbot@chromium.org, Jul 27 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment