[Bug 1017692] New: VUL-0: libtiff: invalid memory READ in t2p_writeproc (tiff2pdf.c)
http://bugzilla.opensuse.org/show_bug.cgi?id=1017692

Bug ID: 1017692
Summary: VUL-0: libtiff: invalid memory READ in t2p_writeproc (tiff2pdf.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/4

===========================================
Description:
Libtiff is software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed an invalid memory read.

The complete ASan output:

# tiff2pdf $FILE -o foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
tiff2pdf: Warning, RGB image 111.crashes has 4 samples per pixel, assuming RGBA.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 0; got 0 bytes, expected 23297.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 1; got 0 bytes, expected 513.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 2; got 512 bytes, expected 65285.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 3; got 512 bytes, expected 1535.
ASAN:DEADLYSIGNAL
=================================================================
==19864==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000020000 (pc 0x7fc86d4a320b bp 0x000000000efc sp 0x7fff06650bf8 T0)
==19864==The signal is caused by a READ memory access.
    #0 0x7fc86d4a320a /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/memcpy.S:270
    #1 0x7fc86d491f79 in _IO_file_xsputn /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/fileops.c:1319
    #2 0x7fc86d487828 in fwrite /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/iofwrite.c:43
    #3 0x50cdff in t2p_writeproc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:405:21
    #4 0x52baea in t2pWriteFile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:379:10
    #5 0x52baea in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2924
    #6 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #7 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #8 0x7fc86d43e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x41a298 in _init (/usr/bin/tiff2pdf+0x41a298)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/memcpy.S:270
==19864==ABORTING

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/891b1b908eb92a0e91e9012a8d32ade7088b5...

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00111-libtiff-invalidread-t2p_wr...

Timeline:
2016-12-20: bug discovered and reported to upstream
2016-12-20: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-invalid-memory-read-in-t2p_w...

--
Agostino Sarubbo
Gentoo Linux Developer
===========================================

https://software.opensuse.org/package/libtiff5

TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7

--
You are receiving this mail because:
You are on the CC list for the bug.