tiff: CVE-2018-19210

Related Vulnerabilities: CVE-2018-19210   CVE-2018-12900   CVE-2018-17000   CVE-2019-6128  

Debian Bug report logs - #913675

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 13 Nov 2018 22:24:01 UTC

Severity: important

Tags: security, upstream

Found in version tiff/4.0.9+git181026-1

Fixed in version tiff/4.0.10-4

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.maptools.org/show_bug.cgi?id=2820



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#913675; Package src:tiff. (Tue, 13 Nov 2018 22:24:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 13 Nov 2018 22:24:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2018-19210
Date: Tue, 13 Nov 2018 23:21:37 +0100
Source: tiff
Version: 4.0.9+git181026-1
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2820

Hi,

The following vulnerability was published for tiff.

CVE-2018-19210[0]:
| In LibTIFF 4.0.9, there is a NULL pointer dereference in the
| TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a
| denial of service attack, as demonstrated by tiffset.

The issue can be verified with the poc0 (included upstream in the rar
archive attached).

==23934== Memcheck, a memory error detector
==23934== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23934== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23934== Command: tiffset ~/poc0
==23934==
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 390 (0x186) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
==23934== Invalid read of size 8
==23934==    at 0x483BA14: __memcmp_sse4_1 (vg_replace_strmem.c:1099)
==23934==    by 0x4877929: TIFFWriteDirectoryTagTransferfunction (tif_dirwrite.c:1896)
==23934==    by 0x4877929: TIFFWriteDirectorySec.part.12 (tif_dirwrite.c:628)
==23934==    by 0x4878EEF: TIFFRewriteDirectory (tif_dirwrite.c:358)
==23934==    by 0x109519: main (tiffset.c:361)
==23934==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23934==
==23934==
==23934== Process terminating with default action of signal 11 (SIGSEGV)
==23934==  Access not within mapped region at address 0x0
==23934==    at 0x483BA14: __memcmp_sse4_1 (vg_replace_strmem.c:1099)
==23934==    by 0x4877929: TIFFWriteDirectoryTagTransferfunction (tif_dirwrite.c:1896)
==23934==    by 0x4877929: TIFFWriteDirectorySec.part.12 (tif_dirwrite.c:628)
==23934==    by 0x4878EEF: TIFFRewriteDirectory (tif_dirwrite.c:358)
==23934==    by 0x109519: main (tiffset.c:361)
==23934==  If you believe this happened as a result of a stack
==23934==  overflow in your program's main thread (unlikely but
==23934==  possible), you can try to increase the size of the
==23934==  main thread stack using the --main-stacksize= flag.
==23934==  The main thread stack size used in this run was 8388608.
==23934==
==23934== HEAP SUMMARY:
==23934==     in use at exit: 9,087 bytes in 20 blocks
==23934==   total heap usage: 47 allocs, 27 frees, 21,497 bytes allocated
==23934==
==23934== LEAK SUMMARY:
==23934==    definitely lost: 504 bytes in 1 blocks
==23934==    indirectly lost: 0 bytes in 0 blocks
==23934==      possibly lost: 0 bytes in 0 blocks
==23934==    still reachable: 8,583 bytes in 19 blocks
==23934==         suppressed: 0 bytes in 0 blocks
==23934== Rerun with --leak-check=full to see details of leaked memory
==23934==
==23934== For counts of detected and suppressed errors, rerun with: -v
==23934== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19210
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19210
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2820

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
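
The trace in the report above shows memcmp() reading address 0x0 from the TransferFunction tag writer after SamplesPerPixel was forced to 3. The following added example (not part of the report and not LibTIFF source) sketches that defect class next to a checked form; `struct demo_dir`, the function names, and the assumption that only the first per-sample table was populated are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a directory with one transfer table per sample. */
struct demo_dir {
    uint16_t samples_per_pixel; /* may be "corrected" after tables were read */
    uint16_t *transfer[3];      /* transfer[i] stays NULL if never populated */
    size_t entries;             /* entries per table */
};

/* Unsafe pattern (never called here): trusts samples_per_pixel and hands
 * memcmp() a NULL pointer when only transfer[0] exists. */
int tables_to_write_unsafe(const struct demo_dir *d) {
    size_t n = d->entries * sizeof(uint16_t);
    if (d->samples_per_pixel < 3) return 1;
    if (memcmp(d->transfer[0], d->transfer[2], n) == 0 &&
        memcmp(d->transfer[0], d->transfer[1], n) == 0) return 1;
    return 3;
}

/* Checked form: returns -1 for an inconsistent directory instead of
 * dereferencing a missing table; otherwise 1 or 3 tables to write. */
int tables_to_write_checked(const struct demo_dir *d) {
    size_t n = d->entries * sizeof(uint16_t);
    if (d->entries == 0 || d->transfer[0] == NULL) return -1;
    if (d->samples_per_pixel < 3) return 1;
    if (d->transfer[1] == NULL || d->transfer[2] == NULL) return -1;
    if (memcmp(d->transfer[0], d->transfer[2], n) == 0 &&
        memcmp(d->transfer[0], d->transfer[1], n) == 0) return 1;
    return 3;
}

static uint16_t t0[4] = {0, 1, 2, 3};   /* constructed sample tables */
static uint16_t t1[4] = {0, 1, 2, 3};
static uint16_t t2[4] = {3, 2, 1, 0};

/* Constructed case: three samples claimed, one table present. */
int demo_inconsistent(void) {
    struct demo_dir d = {3, {t0, NULL, NULL}, 4};
    return tables_to_write_checked(&d);
}
/* All three tables present and identical: one table is enough. */
int demo_identical(void) {
    struct demo_dir d = {3, {t0, t1, t1}, 4};
    return tables_to_write_checked(&d);
}
/* All three present, one differs: all three must be written. */
int demo_distinct(void) {
    struct demo_dir d = {3, {t0, t1, t2}, 4};
    return tables_to_write_checked(&d);
}

int main(void) {
    printf("%d %d %d\n", demo_inconsistent(), demo_identical(), demo_distinct());
    return 0;
}
```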



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sat, 02 Feb 2019 21:51:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 02 Feb 2019 21:51:12 GMT)


Message #10 received at 913675-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 913675-close@bugs.debian.org
Subject: Bug#913675: fixed in tiff 4.0.10-4
Date: Sat, 02 Feb 2019 21:50:25 +0000
Source: tiff
Source-Version: 4.0.10-4

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913675@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 02 Feb 2019 18:34:29 +0000
Source: tiff
Architecture: source
Version: 4.0.10-4
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 902718 908778 913675 921157
Changes:
 tiff (4.0.10-4) unstable; urgency=high
 .
   * Backport security fixes:
     - CVE-2018-12900: heap-based buffer overflow in
       cpSeparateBufToContigBuf() cause remote DoS (closes: #902718),
     - CVE-2018-17000: NULL pointer dereference in _TIFFmemcmp() cause DoS
       (closes: #908778),
     - CVE-2018-19210: NULL pointer dereference in TIFFWriteDirectorySec()
       cause DoS (closes: #913675),
     - CVE-2019-6128: TIFFFdOpen() memory leak (closes: #921157).
   * Update watch file.
   * Update Standards-Version to 4.3.0 .




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Mar 2019 07:30:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:17:33 2019; Machine Name: buxtehude
