Debian Bug report logs - #913675
tiff: CVE-2018-19210
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#913675; Package src:tiff. (Tue, 13 Nov 2018 22:24:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 13 Nov 2018 22:24:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: tiff
Version: 4.0.9+git181026-1
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2820
Hi,
The following vulnerability was published for tiff.
CVE-2018-19210[0]:
| In LibTIFF 4.0.9, there is a NULL pointer dereference in the
| TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a
| denial of service attack, as demonstrated by tiffset.
The issue can be verified with the poc0 included upstream in the rar
archive attached.
==23934== Memcheck, a memory error detector
==23934== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23934== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23934== Command: tiffset ~/poc0
==23934==
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 390 (0x186) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
==23934== Invalid read of size 8
==23934== at 0x483BA14: __memcmp_sse4_1 (vg_replace_strmem.c:1099)
==23934== by 0x4877929: TIFFWriteDirectoryTagTransferfunction (tif_dirwrite.c:1896)
==23934== by 0x4877929: TIFFWriteDirectorySec.part.12 (tif_dirwrite.c:628)
==23934== by 0x4878EEF: TIFFRewriteDirectory (tif_dirwrite.c:358)
==23934== by 0x109519: main (tiffset.c:361)
==23934== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23934==
==23934==
==23934== Process terminating with default action of signal 11 (SIGSEGV)
==23934== Access not within mapped region at address 0x0
==23934== at 0x483BA14: __memcmp_sse4_1 (vg_replace_strmem.c:1099)
==23934== by 0x4877929: TIFFWriteDirectoryTagTransferfunction (tif_dirwrite.c:1896)
==23934== by 0x4877929: TIFFWriteDirectorySec.part.12 (tif_dirwrite.c:628)
==23934== by 0x4878EEF: TIFFRewriteDirectory (tif_dirwrite.c:358)
==23934== by 0x109519: main (tiffset.c:361)
==23934== If you believe this happened as a result of a stack
==23934== overflow in your program's main thread (unlikely but
==23934== possible), you can try to increase the size of the
==23934== main thread stack using the --main-stacksize= flag.
==23934== The main thread stack size used in this run was 8388608.
==23934==
==23934== HEAP SUMMARY:
==23934== in use at exit: 9,087 bytes in 20 blocks
==23934== total heap usage: 47 allocs, 27 frees, 21,497 bytes allocated
==23934==
==23934== LEAK SUMMARY:
==23934== definitely lost: 504 bytes in 1 blocks
==23934== indirectly lost: 0 bytes in 0 blocks
==23934== possibly lost: 0 bytes in 0 blocks
==23934== still reachable: 8,583 bytes in 19 blocks
==23934== suppressed: 0 bytes in 0 blocks
==23934== Rerun with --leak-check=full to see details of leaked memory
==23934==
==23934== For counts of detected and suppressed errors, rerun with: -v
==23934== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-19210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19210
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2820
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
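A small triage helper for Memcheck logs like the one quoted in the report above, added here as an example; it is not part of the bug report, libtiff or Valgrind. It extracts the first invalid access, skips Valgrind's replacement-function frames to find the first frame in the target's own code, and flags faults in the first page as NULL dereferences. The name `triage`, the 0x1000 threshold and the `vg_replace_` filter are assumptions of this example.

```python
import re

# Excerpt of the Memcheck log quoted in the report above, embedded so the example runs offline.
SAMPLE = """\
==23934== Invalid read of size 8
==23934== at 0x483BA14: __memcmp_sse4_1 (vg_replace_strmem.c:1099)
==23934== by 0x4877929: TIFFWriteDirectoryTagTransferfunction (tif_dirwrite.c:1896)
==23934== by 0x4877929: TIFFWriteDirectorySec.part.12 (tif_dirwrite.c:628)
==23934== by 0x4878EEF: TIFFRewriteDirectory (tif_dirwrite.c:358)
==23934== by 0x109519: main (tiffset.c:361)
==23934== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23934== Process terminating with default action of signal 11 (SIGSEGV)
"""

PREFIX = re.compile(r"^==\d+==\s?")
ERROR = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^():]+):(\d+)\)$")
ADDR = re.compile(r"^Address (0x[0-9A-Fa-f]+) is ")
NULL_PAGE = 0x1000  # assumption: a fault below one page is treated as a NULL dereference


def triage(log, wrapper_prefixes=("vg_replace_",)):
    """Summarise the first invalid access in a Memcheck log, or return None."""
    result = None
    for raw in log.splitlines():
        if not PREFIX.match(raw):
            continue  # program output (e.g. libtiff warnings), not a Memcheck line
        line = PREFIX.sub("", raw).strip()
        m = ERROR.match(line)
        if m:
            if result:
                break  # only the first error record is triaged
            result = {"access": m.group(1), "size": int(m.group(2)),
                      "frames": [], "address": None}
        elif result is not None and (m := FRAME.match(line)):
            result["frames"].append((m.group(1), m.group(2), int(m.group(3))))
        elif result is not None and (m := ADDR.match(line)):
            result["address"] = int(m.group(1), 16)
            break  # the address line closes the error record
    if result is None:
        return None
    # The first frame outside Valgrind's replacement functions is where to start reading.
    result["culprit"] = next(
        (f for f in result["frames"] if not f[1].startswith(wrapper_prefixes)), None)
    result["null_deref"] = result["address"] is not None and result["address"] < NULL_PAGE
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```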
Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>: You have taken responsibility. (Sat, 02 Feb 2019 21:51:12 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 02 Feb 2019 21:51:12 GMT)
Message #10 received at 913675-close@bugs.debian.org:
Source: tiff
Source-Version: 4.0.10-4
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 913675@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 02 Feb 2019 18:34:29 +0000
Source: tiff
Architecture: source
Version: 4.0.10-4
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 902718 908778 913675 921157
Changes:
 tiff (4.0.10-4) unstable; urgency=high
 .
   * Backport security fixes:
     - CVE-2018-12900: heap-based buffer overflow in
       cpSeparateBufToContigBuf() cause remote DoS (closes: #902718),
     - CVE-2018-17000: NULL pointer dereference in _TIFFmemcmp() cause DoS
       (closes: #908778),
     - CVE-2018-19210: NULL pointer dereference in TIFFWriteDirectorySec()
       cause DoS (closes: #913675),
     - CVE-2019-6128: TIFFFdOpen() memory leak (closes: #921157).
   * Update watch file.
   * Update Standards-Version to 4.3.0 .
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Mar 2019 07:30:49 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:17:33 2019; Machine Name: buxtehude