Debian Bug report logs -
#905798
tiff: CVE-2018-15209
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#905798; Package src:tiff. (Thu, 09 Aug 2018 20:36:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 09 Aug 2018 20:36:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: tiff
Version: 4.0.9-6
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2808
Hi,
The following vulnerability was published for tiff.
CVE-2018-15209[0]:
| ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows
| remote attackers to cause a denial of service (heap-based buffer
| overflow and application crash) or possibly have unspecified other
| impact via a crafted TIFF file, as demonstrated by tiff2pdf.
The issue is demonstrable on a 32-bit sid system under valgrind as well:
[...]
==2695== Invalid write of size 4
==2695== at 0x485BEF2: ChopUpSingleUncompressedStrip (tif_dirread.c:5723)
==2695== by 0x485BEF2: TIFFReadDirectory (tif_dirread.c:4186)
==2695== by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695== by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695== by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695== by 0x10965E: main (tiff2pdf.c:753)
==2695== Address 0x5c11028 is 0 bytes after a block of size 12,058,624 alloc'd
==2695== at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695== by 0x483245C: realloc (vg_replace_malloc.c:785)
==2695== by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==2695== by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==2695== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695== by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701)
==2695== by 0x485BE87: TIFFReadDirectory (tif_dirread.c:4186)
==2695== by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695== by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695== by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695== by 0x10965E: main (tiff2pdf.c:753)
==2695==
==2695== Invalid write of size 4
==2695== at 0x485BEF5: ChopUpSingleUncompressedStrip (tif_dirread.c:5723)
==2695== by 0x485BEF5: TIFFReadDirectory (tif_dirread.c:4186)
==2695== by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695== by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695== by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695== by 0x10965E: main (tiff2pdf.c:753)
==2695== Address 0x5c1102c is 4 bytes after a block of size 12,058,624 alloc'd
==2695== at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695== by 0x483245C: realloc (vg_replace_malloc.c:785)
==2695== by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==2695== by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==2695== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695== by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701)
==2695== by 0x485BE87: TIFFReadDirectory (tif_dirread.c:4186)
==2695== by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695== by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695== by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695== by 0x10965E: main (tiff2pdf.c:753)
==2695==
==2695== Invalid write of size 4
==2695== at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==2695== by 0x485BF17: TIFFReadDirectory (tif_dirread.c:4186)
==2695== by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695== by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695== by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695== by 0x10965E: main (tiff2pdf.c:753)
==2695== Address 0x6792028 is 0 bytes after a block of size 12,058,624 alloc'd
==2695== at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695== by 0x483245C: realloc (vg_replace_malloc.c:785)
==2695== by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==2695== by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==2695== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695== by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703)
==2695== by 0x485BEA7: TIFFReadDirectory (tif_dirread.c:4186)
==2695== by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695== by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695== by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695== by 0x10965E: main (tiff2pdf.c:753)
==2695==
==2695== Invalid write of size 4
==2695== at 0x485BF1B: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==2695== by 0x485BF1B: TIFFReadDirectory (tif_dirread.c:4186)
==2695== by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695== by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695== by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695== by 0x10965E: main (tiff2pdf.c:753)
==2695== Address 0x679202c is 4 bytes after a block of size 12,058,624 alloc'd
==2695== at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695== by 0x483245C: realloc (vg_replace_malloc.c:785)
==2695== by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==2695== by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==2695== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695== by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703)
==2695== by 0x485BEA7: TIFFReadDirectory (tif_dirread.c:4186)
==2695== by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695== by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695== by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695== by 0x10965E: main (tiff2pdf.c:753)
==2695==
==2695==
==2695== Process terminating with default action of signal 11 (SIGSEGV)
==2695== Access not within mapped region at address 0x6793000
==2695== at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==2695== by 0x485BF17: TIFFReadDirectory (tif_dirread.c:4186)
==2695== by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695== by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695== by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695== by 0x10965E: main (tiff2pdf.c:753)
==2695== If you believe this happened as a result of a stack
==2695== overflow in your program's main thread (unlikely but
==2695== possible), you can try to increase the size of the
==2695== main thread stack using the --main-stacksize= flag.
==2695== The main thread stack size used in this run was 8388608.
==2695==
==2695== HEAP SUMMARY:
==2695== in use at exit: 24,121,721 bytes in 13 blocks
==2695== total heap usage: 24 allocs, 11 frees, 24,122,902 bytes allocated
==2695==
==2695== LEAK SUMMARY:
==2695== definitely lost: 0 bytes in 0 blocks
==2695== indirectly lost: 0 bytes in 0 blocks
==2695== possibly lost: 0 bytes in 0 blocks
==2695== still reachable: 24,121,721 bytes in 13 blocks
==2695== suppressed: 0 bytes in 0 blocks
==2695== Rerun with --leak-check=full to see details of leaked memory
==2695==
==2695== For counts of detected and suppressed errors, rerun with: -v
==2695== ERROR SUMMARY: 2031 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault
[...]
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-15209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15209
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2808
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
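A triage helper for traces like the one quoted in the report above, as an added example that is not part of the original bug report or of LibTIFF: it pairs each out-of-bounds heap write with the source line that allocated the overrun block. The names `parse_memcheck`, `overflow_sites` and `WRAPPERS` are hypothetical, and the sample input is abridged from the quoted Memcheck output.

```python
import re
from collections import Counter

# Abridged from the Memcheck output quoted in the report above (2 of its 4 error contexts).
SAMPLE = """\
==2695== Invalid write of size 4
==2695== at 0x485BEF2: ChopUpSingleUncompressedStrip (tif_dirread.c:5723)
==2695== Address 0x5c11028 is 0 bytes after a block of size 12,058,624 alloc'd
==2695== at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695== by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701)
==2695==
==2695== Invalid write of size 4
==2695== at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==2695== Address 0x6792028 is 0 bytes after a block of size 12,058,624 alloc'd
==2695== at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695== by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703)
==2695==
"""

ERR = re.compile(r"^==\d+==\s+Invalid (read|write) of size \d+$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)$")
ADDR = re.compile(r"^==\d+==\s+Address \S+ is ([\d,]+) bytes (\w+) a block of size ([\d,]+)")
# Allocator wrappers skipped when naming the allocation site (names taken from the trace).
WRAPPERS = {"malloc", "realloc", "_TIFFrealloc", "_TIFFCheckRealloc", "_TIFFCheckMalloc"}

def parse_memcheck(text):
    """Return one dict per invalid access: fault frame, block geometry, allocation site."""
    errors, cur = [], None
    for line in text.splitlines():
        if m := ERR.match(line):
            errors.append(cur := {"access": m[1], "fault": None, "alloc": None})
        elif cur and (m := ADDR.match(line)):
            cur.update(offset=int(m[1].replace(",", "")), side=m[2],
                       block=int(m[3].replace(",", "")))
        elif cur and (m := FRAME.match(line)):
            if "block" not in cur:                  # still in the faulting stack
                cur["fault"] = cur["fault"] or (m[1], m[2])
            elif m[1] not in WRAPPERS:              # first non-wrapper allocating frame
                cur["alloc"] = cur["alloc"] or (m[1], m[2])
        else:
            cur = None                              # bare "==pid==" line ends the record
    return errors

def overflow_sites(errors):
    """Count writes past the end of a heap block, keyed by (write site, allocation site)."""
    return Counter((e["fault"][1], e["alloc"][1]) for e in errors if e["fault"] and e["alloc"]
                   and e["access"] == "write" and e.get("side") == "after")
```

Run over the full trace, the grouping shows that the writes at tif_dirread.c:5723 and :5724 overrun the blocks allocated at :5701 and :5703 respectively.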
No longer marked as found in versions tiff/4.0.9-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Sep 2018 09:03:03 GMT)
Marked as found in versions tiff/4.0.9-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Sep 2018 09:03:04 GMT)
Marked as fixed in versions tiff/4.0.9-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Oct 2018 19:09:06 GMT)
Marked as found in versions tiff/4.0.8-2+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Oct 2018 19:21:10 GMT)
Marked as found in versions tiff/4.0.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Oct 2018 19:21:10 GMT)
Last modified: Wed Jun 19 17:27:09 2019