Source: tiff
Version: 4.0.9-6
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2808

Hi,

The following vulnerability was published for tiff.

CVE-2018-15209[0]:
| ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows
| remote attackers to cause a denial of service (heap-based buffer
| overflow and application crash) or possibly have unspecified other
| impact via a crafted TIFF file, as demonstrated by tiff2pdf.

The issue is demonstrable on a 32-bit sid system under valgrind as well:

[...]
==2695== Invalid write of size 4
==2695==    at 0x485BEF2: ChopUpSingleUncompressedStrip (tif_dirread.c:5723)
==2695==    by 0x485BEF2: TIFFReadDirectory (tif_dirread.c:4186)
==2695==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695==  Address 0x5c11028 is 0 bytes after a block of size 12,058,624 alloc'd
==2695==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695==    by 0x483245C: realloc (vg_replace_malloc.c:785)
==2695==    by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==2695==    by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==2695==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695==    by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701)
==2695==    by 0x485BE87: TIFFReadDirectory (tif_dirread.c:4186)
==2695==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695== 
==2695== Invalid write of size 4
==2695==    at 0x485BEF5: ChopUpSingleUncompressedStrip (tif_dirread.c:5723)
==2695==    by 0x485BEF5: TIFFReadDirectory (tif_dirread.c:4186)
==2695==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695==  Address 0x5c1102c is 4 bytes after a block of size 12,058,624 alloc'd
==2695==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695==    by 0x483245C: realloc (vg_replace_malloc.c:785)
==2695==    by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==2695==    by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==2695==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695==    by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701)
==2695==    by 0x485BE87: TIFFReadDirectory (tif_dirread.c:4186)
==2695==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695== 
==2695== Invalid write of size 4
==2695==    at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==2695==    by 0x485BF17: TIFFReadDirectory (tif_dirread.c:4186)
==2695==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695==  Address 0x6792028 is 0 bytes after a block of size 12,058,624 alloc'd
==2695==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695==    by 0x483245C: realloc (vg_replace_malloc.c:785)
==2695==    by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==2695==    by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==2695==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695==    by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703)
==2695==    by 0x485BEA7: TIFFReadDirectory (tif_dirread.c:4186)
==2695==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695== 
==2695== Invalid write of size 4
==2695==    at 0x485BF1B: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==2695==    by 0x485BF1B: TIFFReadDirectory (tif_dirread.c:4186)
==2695==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695==  Address 0x679202c is 4 bytes after a block of size 12,058,624 alloc'd
==2695==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695==    by 0x483245C: realloc (vg_replace_malloc.c:785)
==2695==    by 0x488E7FB: _TIFFrealloc (tif_unix.c:336)
==2695==    by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73)
==2695==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695==    by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703)
==2695==    by 0x485BEA7: TIFFReadDirectory (tif_dirread.c:4186)
==2695==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695== 
==2695== 
==2695== Process terminating with default action of signal 11 (SIGSEGV)
==2695==  Access not within mapped region at address 0x6793000
==2695==    at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==2695==    by 0x485BF17: TIFFReadDirectory (tif_dirread.c:4186)
==2695==    by 0x4880257: TIFFClientOpen (tif_open.c:466)
==2695==    by 0x488E632: TIFFFdOpen (tif_unix.c:211)
==2695==    by 0x488E71D: TIFFOpen (tif_unix.c:250)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695==  If you believe this happened as a result of a stack
==2695==  overflow in your program's main thread (unlikely but
==2695==  possible), you can try to increase the size of the
==2695==  main thread stack using the --main-stacksize= flag.
==2695==  The main thread stack size used in this run was 8388608.
==2695== 
==2695== HEAP SUMMARY:
==2695==     in use at exit: 24,121,721 bytes in 13 blocks
==2695==   total heap usage: 24 allocs, 11 frees, 24,122,902 bytes allocated
==2695== 
==2695== LEAK SUMMARY:
==2695==    definitely lost: 0 bytes in 0 blocks
==2695==    indirectly lost: 0 bytes in 0 blocks
==2695==      possibly lost: 0 bytes in 0 blocks
==2695==    still reachable: 24,121,721 bytes in 13 blocks
==2695==         suppressed: 0 bytes in 0 blocks
==2695== Rerun with --leak-check=full to see details of leaked memory
==2695== 
==2695== For counts of detected and suppressed errors, rerun with: -v
==2695== ERROR SUMMARY: 2031 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault
[...]

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15209
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15209
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2808

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
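Added here as a triage aid, not part of the bug report above nor of libtiff or the Debian tooling: a small parser for memcheck records of the kind shown in the trace. It pairs every invalid access with the allocation site of the block it overran and converts the byte distance valgrind prints into an array index. The embedded sample is a shortened copy of the trace above; the 8-byte element size (libtiff's chopped strip arrays are assumed to be arrays of uint64) and the list of libtiff allocation wrapper names to skip over are assumptions made for this example, not facts stated in the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional

# Constructed input: records copied from the report above, shortened to two contexts.
SAMPLE_LOG = """\
==2695== Invalid write of size 4
==2695==    at 0x485BEF2: ChopUpSingleUncompressedStrip (tif_dirread.c:5723)
==2695==    by 0x10965E: main (tiff2pdf.c:753)
==2695==  Address 0x5c11028 is 0 bytes after a block of size 12,058,624 alloc'd
==2695==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695==    by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88)
==2695==    by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701)
==2695== 
==2695== Invalid write of size 4
==2695==    at 0x485BF1B: ChopUpSingleUncompressedStrip (tif_dirread.c:5724)
==2695==  Address 0x679202c is 4 bytes after a block of size 12,058,624 alloc'd
==2695==    at 0x483019B: malloc (vg_replace_malloc.c:298)
==2695==    by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703)
==2695== 
==2695== Process terminating with default action of signal 11 (SIGSEGV)
==2695== ERROR SUMMARY: 2031 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault
"""

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")
ERR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \(([^)]*)\)$")
ADDR_RE = re.compile(r"^\s*Address 0x([0-9A-Fa-f]+) is (\d+) bytes (after|before|inside) "
                     r"a block of size ([\d,]+) (alloc'd|free'd)$")
SIGNAL_RE = re.compile(r"^Process terminating with default action of signal \d+ \((\w+)\)")
SUMMARY_RE = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")
# Assumed list of libtiff's allocation wrappers (taken from the trace); skipped so the
# allocation site reported is the caller that chose the block size.
LIBTIFF_ALLOC_WRAPPERS = ("_TIFFmalloc", "_TIFFrealloc", "_TIFFCheckRealloc", "_TIFFCheckMalloc")

Frame = NamedTuple("Frame", [("func", str), ("location", str)])  # location is "file.c:NNN"

@dataclass
class InvalidAccess:
    kind: str                 # "read" or "write"
    size: int                 # bytes touched by the faulting instruction
    access_frames: List[Frame] = field(default_factory=list)
    relation: str = ""        # "after", "before" or "inside" the block
    distance: int = 0         # bytes from the block boundary
    block_size: int = 0
    alloc_frames: List[Frame] = field(default_factory=list)

@dataclass
class Report:
    errors: List[InvalidAccess] = field(default_factory=list)
    fatal_signal: Optional[str] = None
    error_count: int = 0
    context_count: int = 0

def parse_memcheck(text: str) -> Report:
    """Frames go to the access stack until the 'Address ...' line, then to the alloc stack."""
    report, cur, in_alloc = Report(), None, False
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:                       # not valgrind's output (e.g. the shell's message)
            continue
        line = m.group(1)
        if not line.strip():            # blank '==PID==' line closes a record
            cur, in_alloc = None, False
        elif (m := ERR_RE.match(line)):
            cur, in_alloc = InvalidAccess(m.group(1), int(m.group(2))), False
            report.errors.append(cur)
        elif (m := ADDR_RE.match(line)) and cur is not None:
            cur.distance, cur.relation = int(m.group(2)), m.group(3)
            cur.block_size, in_alloc = int(m.group(4).replace(",", "")), True
        elif (m := FRAME_RE.match(line)) and cur is not None:
            stack = cur.alloc_frames if in_alloc else cur.access_frames
            stack.append(Frame(m.group(2), m.group(3)))
        elif (m := SIGNAL_RE.match(line)):
            report.fatal_signal, cur = m.group(1), None
        elif (m := SUMMARY_RE.match(line)):
            report.error_count, report.context_count = int(m.group(1)), int(m.group(2))
    return report

def allocation_site(err: InvalidAccess, wrappers=LIBTIFF_ALLOC_WRAPPERS) -> Optional[Frame]:
    """First alloc-stack frame outside valgrind's malloc replacement and the project's wrappers."""
    for f in err.alloc_frames:
        if not f.location.startswith("vg_replace_malloc.c") and f.func not in wrappers:
            return f
    return None

def element_index(err: InvalidAccess, elem_size: int) -> int:
    """Array index the access lands on if the block holds elem_size-byte entries (an assumption;
    the log itself only reports byte distances)."""
    offset = {"after": err.block_size + err.distance, "before": -err.distance}.get(err.relation, err.distance)
    return offset // elem_size

def summarize(report: Report, elem_size: int = 8) -> List[str]:
    """One line per invalid access, then the fatal signal if the run was killed."""
    out = []
    for e in report.errors:
        site = e.access_frames[0].location if e.access_frames else "?"
        alloc = allocation_site(e)
        out.append(f"{e.kind} {e.size}B at {site}: {e.distance}B {e.relation} {e.block_size}B block "
                   f"from {alloc.location if alloc else '?'}, element {element_index(e, elem_size)} "
                   f"of {e.block_size // elem_size}")
    if report.fatal_signal:
        out.append(f"killed by {report.fatal_signal}: {report.error_count} errors in {report.context_count} contexts")
    return out
```

Run against the sample, both contexts resolve to element 1507328 of a 1507328-element block, i.e. exactly one entry past the end of the arrays allocated at tif_dirread.c:5701 and :5703, and the two 4-byte writes 0 and 4 bytes past the block are, under the 8-byte assumption, the two halves of a single 64-bit store on this 32-bit build. That is the shape a reviewer would look for when comparing the loop bound against the allocation size in the fix; the parser does not say what the bound is, only where the writes land.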