Source: tiff Version: 4.0.9-3 Severity: important Tags: security upstream Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2809
Hi, The following vulnerability was published for tiff. CVE-2018-16335[0]: | newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c | in LibTIFF 4.0.9 allows remote attackers to cause a denial of service | (heap-based buffer overflow and application crash) or possibly have | unspecified other impact via a crafted TIFF file, as demonstrated by | tiff2pdf. This is a different vulnerability than CVE-2018-15209. Issue is demonstrable on a 32bit sid system: valgrind tiff2pdf 2809.poc.tiff ==732== Memcheck, a memory error detector ==732== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==732== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info ==732== Command: tiff2pdf 2809.poc.tiff ==732== TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered. TIFFFetchNormalTag: Warning, IO error during reading of "Software"; tag ignored. TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength. ==732== Invalid write of size 4 ==732== at 0x485BEF2: ChopUpSingleUncompressedStrip (tif_dirread.c:5723) ==732== by 0x485BEF2: TIFFReadDirectory (tif_dirread.c:4186) ==732== by 0x4880257: TIFFClientOpen (tif_open.c:466) ==732== by 0x488E632: TIFFFdOpen (tif_unix.c:211) ==732== by 0x488E71D: TIFFOpen (tif_unix.c:250) ==732== by 0x10965E: main (tiff2pdf.c:753) ==732== Address 0x4c92aa0 is 0 bytes after a block of size 0 alloc'd ==732== at 0x483019B: malloc (vg_replace_malloc.c:298) ==732== by 0x483245C: realloc (vg_replace_malloc.c:785) ==732== by 0x488E7FB: _TIFFrealloc (tif_unix.c:336) ==732== by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73) ==732== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88) ==732== by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701) ==732== by 0x485BE87: TIFFReadDirectory (tif_dirread.c:4186) ==732== by 0x4880257: TIFFClientOpen (tif_open.c:466) ==732== by 0x488E632: TIFFFdOpen (tif_unix.c:211) ==732== by 0x488E71D: TIFFOpen (tif_unix.c:250) ==732== by 0x10965E: main (tiff2pdf.c:753) ==732== ==732== Invalid write of size 4 ==732== at 0x485BEF5: ChopUpSingleUncompressedStrip (tif_dirread.c:5723) ==732== by 0x485BEF5: TIFFReadDirectory (tif_dirread.c:4186) ==732== by 0x4880257: TIFFClientOpen (tif_open.c:466) ==732== by 0x488E632: TIFFFdOpen (tif_unix.c:211) ==732== by 0x488E71D: TIFFOpen (tif_unix.c:250) ==732== by 0x10965E: main (tiff2pdf.c:753) ==732== Address 0x4c92aa4 is 4 bytes after a block of size 0 alloc'd ==732== at 0x483019B: malloc (vg_replace_malloc.c:298) ==732== by 0x483245C: realloc (vg_replace_malloc.c:785) ==732== by 0x488E7FB: _TIFFrealloc (tif_unix.c:336) ==732== by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73) ==732== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88) ==732== by 0x485BE87: ChopUpSingleUncompressedStrip (tif_dirread.c:5701) ==732== by 0x485BE87: TIFFReadDirectory (tif_dirread.c:4186) ==732== by 0x4880257: TIFFClientOpen (tif_open.c:466) ==732== by 0x488E632: TIFFFdOpen (tif_unix.c:211) ==732== by 0x488E71D: TIFFOpen (tif_unix.c:250) ==732== by 0x10965E: main (tiff2pdf.c:753) ==732== ==732== Invalid write of size 4 ==732== at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724) ==732== by 0x485BF17: TIFFReadDirectory (tif_dirread.c:4186) ==732== by 0x4880257: TIFFClientOpen (tif_open.c:466) ==732== by 0x488E632: TIFFFdOpen (tif_unix.c:211) ==732== by 0x488E71D: TIFFOpen (tif_unix.c:250) ==732== by 0x10965E: main (tiff2pdf.c:753) ==732== Address 0x4c92ad0 is 0 bytes after a block of size 0 alloc'd ==732== at 0x483019B: malloc (vg_replace_malloc.c:298) ==732== by 0x483245C: realloc (vg_replace_malloc.c:785) ==732== by 0x488E7FB: _TIFFrealloc (tif_unix.c:336) ==732== by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73) ==732== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88) ==732== by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703) ==732== by 0x485BEA7: TIFFReadDirectory (tif_dirread.c:4186) ==732== by 0x4880257: TIFFClientOpen (tif_open.c:466) ==732== by 0x488E632: TIFFFdOpen (tif_unix.c:211) ==732== by 0x488E71D: TIFFOpen (tif_unix.c:250) ==732== by 0x10965E: main (tiff2pdf.c:753) ==732== ==732== Invalid write of size 4 ==732== at 0x485BF1B: ChopUpSingleUncompressedStrip (tif_dirread.c:5724) ==732== by 0x485BF1B: TIFFReadDirectory (tif_dirread.c:4186) ==732== by 0x4880257: TIFFClientOpen (tif_open.c:466) ==732== by 0x488E632: TIFFFdOpen (tif_unix.c:211) ==732== by 0x488E71D: TIFFOpen (tif_unix.c:250) ==732== by 0x10965E: main (tiff2pdf.c:753) ==732== Address 0x4c92ad4 is 4 bytes after a block of size 0 alloc'd ==732== at 0x483019B: malloc (vg_replace_malloc.c:298) ==732== by 0x483245C: realloc (vg_replace_malloc.c:785) ==732== by 0x488E7FB: _TIFFrealloc (tif_unix.c:336) ==732== by 0x484EE57: _TIFFCheckRealloc (tif_aux.c:73) ==732== by 0x484EEC5: _TIFFCheckMalloc (tif_aux.c:88) ==732== by 0x485BEA7: ChopUpSingleUncompressedStrip (tif_dirread.c:5703) ==732== by 0x485BEA7: TIFFReadDirectory (tif_dirread.c:4186) ==732== by 0x4880257: TIFFClientOpen (tif_open.c:466) ==732== by 0x488E632: TIFFFdOpen (tif_unix.c:211) ==732== by 0x488E71D: TIFFOpen (tif_unix.c:250) ==732== by 0x10965E: main (tiff2pdf.c:753) ==732== ==732== ==732== Process terminating with default action of signal 11 (SIGSEGV) ==732== Access not within mapped region at address 0x5091000 ==732== at 0x485BF17: ChopUpSingleUncompressedStrip (tif_dirread.c:5724) ==732== by 0x485BF17: TIFFReadDirectory (tif_dirread.c:4186) ==732== by 0x4880257: TIFFClientOpen (tif_open.c:466) ==732== by 0x488E632: TIFFFdOpen (tif_unix.c:211) ==732== by 0x488E71D: TIFFOpen (tif_unix.c:250) ==732== by 0x10965E: main (tiff2pdf.c:753) ==732== If you believe this happened as a result of a stack ==732== overflow in your program's main thread (unlikely but ==732== possible), you can try to increase the size of the ==732== main thread stack using the --main-stacksize= flag. ==732== The main thread stack size used in this run was 8388608. ==732== ==732== HEAP SUMMARY: ==732== in use at exit: 4,482 bytes in 13 blocks ==732== total heap usage: 24 allocs, 11 frees, 5,663 bytes allocated ==732== ==732== LEAK SUMMARY: ==732== definitely lost: 0 bytes in 0 blocks ==732== indirectly lost: 0 bytes in 0 blocks ==732== possibly lost: 0 bytes in 0 blocks ==732== still reachable: 4,482 bytes in 13 blocks ==732== suppressed: 0 bytes in 0 blocks ==732== Rerun with --leak-check=full to see details of leaked memory ==732== ==732== For counts of detected and suppressed errors, rerun with: -v ==732== ERROR SUMMARY: 2093723 errors from 4 contexts (suppressed: 0 from 0) Segmentation fault The issue is not triggerable anymore with the poc in 4.0.9-6, but I'm unsure if the CVE-2017-11613 / #869823 fix in 4.0.9-5 is just uncovering the issue. Thus still filling a bug. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-16335 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16335 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
