tiff: CVE-2018-16335: heap-buffer-overflow

Related Vulnerabilities: CVE-2018-16335   CVE-2018-15209   CVE-2017-11613  

Debian Bug report logs - #907795

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 2 Sep 2018 09:00:02 UTC

Severity: important

Tags: security, upstream

Found in versions tiff/4.0.8-1, tiff/4.0.9-3, tiff/4.0.8-2+deb9u2

Fixed in version tiff/4.0.9-5

Forwarded to http://bugzilla.maptools.org/show_bug.cgi?id=2809



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#907795; Package src:tiff. (Sun, 02 Sep 2018 09:00:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 02 Sep 2018 09:00:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2018-16335: heap-buffer-overflow
Date: Sun, 02 Sep 2018 10:56:24 +0200
Source: tiff
Version: 4.0.9-3
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2809

Hi,

The following vulnerability was published for tiff.

CVE-2018-16335[0]:
| newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c
| in LibTIFF 4.0.9 allows remote attackers to cause a denial of service
| (heap-based buffer overflow and application crash) or possibly have
| unspecified other impact via a crafted TIFF file, as demonstrated by
| tiff2pdf. This is a different vulnerability than CVE-2018-15209.

Issue is demonstrable on a 32bit sid system:

valgrind tiff2pdf 2809.poc.tiff
==732== Memcheck, a memory error detector
==732== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==732== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==732== Command: tiff2pdf 2809.poc.tiff
==732==
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Software"; tag ignored.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
==732== Invalid write of size 4
==732==    at 0x485BEF2: ChopUpSingleUncompressedStrip (tif_dirread.c:5723)
==732==    by 0x485BEF2: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==732==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==732==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==  Address 0x4c92aa0 is 0 bytes after a block of size 0 alloc'd
==732==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==732==    by 0x483245C: realloc (vg_replace_malloc.c:785)
==732==    by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==732==    by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==732==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==732==    by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701)
==732==    by 0x485BE87: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==732==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==732==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==
==732== Invalid write of size 4
==732==    at 0x485BEF5: ChopUpSingleUncompressedStrip (tif_dirread.c:5723)
==732==    by 0x485BEF5: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==732==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==732==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==  Address 0x4c92aa4 is 4 bytes after a block of size 0 alloc'd
==732==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==732==    by 0x483245C: realloc (vg_replace_malloc.c:785)
==732==    by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==732==    by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==732==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==732==    by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701)
==732==    by 0x485BE87: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==732==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==732==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==
==732== Invalid write of size 4
==732==    at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==732==    by 0x485BF17: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==732==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==732==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==  Address 0x4c92ad0 is 0 bytes after a block of size 0 alloc'd
==732==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==732==    by 0x483245C: realloc (vg_replace_malloc.c:785)
==732==    by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==732==    by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==732==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==732==    by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703)
==732==    by 0x485BEA7: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==732==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==732==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==
==732== Invalid write of size 4
==732==    at 0x485BF1B: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==732==    by 0x485BF1B: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==732==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==732==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==  Address 0x4c92ad4 is 4 bytes after a block of size 0 alloc'd
==732==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==732==    by 0x483245C: realloc (vg_replace_malloc.c:785)
==732==    by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==732==    by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==732==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==732==    by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703)
==732==    by 0x485BEA7: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==732==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==732==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==
==732==
==732== Process terminating with default action of signal 11 (SIGSEGV)
==732==  Access not within mapped region at address 0x5091000
==732==    at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==732==    by 0x485BF17: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==732==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==732==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==  If you believe this happened as a result of a stack
==732==  overflow in your program's main thread (unlikely but
==732==  possible), you can try to increase the size of the
==732==  main thread stack using the --main-stacksize= flag.
==732==  The main thread stack size used in this run was 8388608.
==732==
==732== HEAP SUMMARY:
==732==     in use at exit: 4,482 bytes in 13 blocks
==732==   total heap usage: 24 allocs, 11 frees, 5,663 bytes allocated
==732==
==732== LEAK SUMMARY:
==732==    definitely lost: 0 bytes in 0 blocks
==732==    indirectly lost: 0 bytes in 0 blocks
==732==      possibly lost: 0 bytes in 0 blocks
==732==    still reachable: 4,482 bytes in 13 blocks
==732==         suppressed: 0 bytes in 0 blocks
==732== Rerun with --leak-check=full to see details of leaked memory
==732==
==732== For counts of detected and suppressed errors, rerun with: -v
==732== ERROR SUMMARY: 2093723 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault

The issue is not triggerable anymore with the poc in 4.0.9-6, but I'm unsure if
the CVE-2017-11613 / #869823 fix in 4.0.9-5 is just uncovering the issue. Thus
still filing a bug.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16335
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16335

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
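For triaging a report like the valgrind trace above, the following Python script is an added example (not part of this bug report, and not libtiff's or Debian's code). It parses valgrind's "Invalid read/write" blocks, classifies each one as a heap overflow or use-after-free from the "Address ... is N bytes after/before/inside a block" line, and pairs the faulting access with the allocation frame that shares a function with it. SAMPLE_REPORT is a constructed, abbreviated excerpt of the trace above; the pairing heuristic (when one function both sizes the block and overruns it, its element count and its allocation size disagree) is the example's own assumption, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, abbreviated excerpt of the valgrind trace in the bug report above
# (two of its four error contexts, several frames dropped); the format is valgrind's.
SAMPLE_REPORT = """\
==732== Invalid write of size 4
==732==    at 0x485BEF2: ChopUpSingleUncompressedStrip (tif_dirread.c:5723)
==732==    by 0x485BEF2: TIFFReadDirectory (tif_dirread.c:4186)
==732==    by 0x10965E: main (tiff2pdf.c:753)
==732==  Address 0x4c92aa0 is 0 bytes after a block of size 0 alloc'd
==732==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==732==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==732==    by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701)
==732==    by 0x485BE87: TIFFReadDirectory (tif_dirread.c:4186)
==732==
==732== Invalid write of size 4
==732==    at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==732==    by 0x485BF17: TIFFReadDirectory (tif_dirread.c:4186)
==732==  Address 0x4c92ad0 is 0 bytes after a block of size 0 alloc'd
==732==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==732==    by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703)
==732==
"""

PREFIX = re.compile(r"^==\d+==\s?")
HEADER = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
ADDR = re.compile(r"Address 0x[0-9A-Fa-f]+ is (\d+) bytes (after|before|inside) a block of size (\d+) (alloc'd|free'd)")


@dataclass
class Frame:
    func: str
    loc: str  # "file:line" as valgrind prints it


@dataclass
class MemError:
    kind: str                          # "read" or "write"
    size: int                          # access size in bytes
    stack: List[Frame]                 # backtrace of the faulting access
    distance: Optional[int] = None     # bytes from the block boundary
    relation: Optional[str] = None     # "after", "before" or "inside"
    block_size: Optional[int] = None
    block_state: Optional[str] = None  # "alloc'd" or "free'd"
    alloc_stack: List[Frame] = field(default_factory=list)

    def category(self) -> str:
        if self.block_state == "free'd":
            return "use-after-free"
        if self.relation in ("after", "before"):
            return f"heap-buffer-overflow ({self.kind})"
        return "unclassified"


def parse_valgrind(text: str) -> List[MemError]:
    """Collect every 'Invalid read/write' block with its access and allocation backtraces."""
    errors: List[MemError] = []
    current: Optional[MemError] = None
    target: Optional[List[Frame]] = None  # the stack that following frame lines extend
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := HEADER.search(line):
            current = MemError(kind=m.group(1), size=int(m.group(2)), stack=[])
            errors.append(current)
            target = current.stack
        elif current is None:
            continue
        elif m := ADDR.search(line):
            current.distance, current.relation = int(m.group(1)), m.group(2)
            current.block_size, current.block_state = int(m.group(3)), m.group(4)
            target = current.alloc_stack
        elif (m := FRAME.search(line)) and target is not None:
            target.append(Frame(m.group(1), m.group(2)))
        elif not line:  # a bare "==PID==" line closes the block
            current = target = None
    return errors


def common_function(err: MemError) -> Optional[Frame]:
    """Innermost allocation frame whose function also appears in the faulting backtrace."""
    # Assumption: the function that both sizes the block and overruns it is where
    # the element count and the allocation size disagree, so that frame is where to look.
    fault_funcs = {f.func for f in err.stack}
    for frame in err.alloc_stack:
        if frame.func in fault_funcs:
            return frame
    return None


def triage(err: MemError) -> dict:
    fault, shared = (err.stack[0] if err.stack else None), common_function(err)
    return {
        "category": err.category(),
        "fault_site": f"{fault.func} ({fault.loc})" if fault else "?",
        "alloc_site": f"{shared.func} ({shared.loc})" if shared else "?",
        "block_size": err.block_size,
        # how far past the end of the block the access reaches
        "overrun_bytes": err.distance + err.size if err.relation == "after" else None,
    }


if __name__ == "__main__":
    print(*map(triage, parse_valgrind(SAMPLE_REPORT)), sep="\n")
```

Run against the full log above, deduplicating on the (fault_site, alloc_site) pair collapses the 2093723 reported errors to the two pairs visible in the trace, tif_dirread.c:5723 with the zero-sized allocation at line 5701 and line 5724 with the one at line 5703, which is the information a maintainer needs first: which allocation's size computation disagrees with the loop that fills it.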



Marked as fixed in versions tiff/4.0.9-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Oct 2018 19:09:06 GMT)


Marked as found in versions tiff/4.0.8-2+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Oct 2018 19:21:09 GMT)


Marked as found in versions tiff/4.0.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Oct 2018 19:21:09 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:32:24 2019; Machine Name: buxtehude
