[Bug 1017688] New: VUL-0: libtiff: NULL pointer dereference in TIFFReadRawData (tiffinfo.c)
http://bugzilla.opensuse.org/show_bug.cgi?id=1017688

Bug ID: 1017688
Summary: VUL-0: libtiff: NULL pointer dereference in TIFFReadRawData (tiffinfo.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/8

=============================================
Description:
Libtiff is software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed a NULL pointer access.

The complete ASan output:

# tiffinfo -Dijr $FILE
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 384 (0x180) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, Incorrect count for "JpegProc"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag value assumed incorrect, assuming data is YCbCr instead of RGB.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
_TIFFVSetField: Warning, SamplesPerPixel tag value is changing, but SMinSampleValue tag was read with a different value. Cancelling it.
ASAN:DEADLYSIGNAL
=================================================================
==15897==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000050d8ad bp 0x7ffc4a3eaf90 sp 0x7ffc4a3eaec0 T0)
==15897==The signal is caused by a READ memory access.
==15897==Hint: address points to the zero page.
    #0 0x50d8ac in TIFFReadRawData /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29
    #1 0x50b2de in tiffinfo /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:473:4
    #2 0x50a999 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:152:6
    #3 0x7f6258f0961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x419f38 in _init (/usr/bin/tiffinfo+0x419f38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29 in TIFFReadRawData
==15897==ABORTING
TIFF Directory at offset 0xc (12)
  Image Width: 128 Image Length: 1
  Bits/Sample: 32189
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Rows/Strip: 2048
  Planar Configuration: single image plane
  DocumentName:
  Tag 384: 16779264

Affected version: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/c2f931bb558b9db41cb3516a6df3aa600fd85...
Credit: This bug was discovered by Agostino Sarubbo of Gentoo.
CVE: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00056-libtiff-nullptr-TIFFReadRa...

Timeline:
2016-11-22: bug discovered and reported to upstream
2016-12-03: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink: https://blogs.gentoo.org/ago/2017/01/01/libtiff-null-pointer-dereference-in-...

--
Agostino Sarubbo
Gentoo Linux Developer
=============================================

https://software.opensuse.org/package/libtiff5
TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7

--
You are receiving this mail because:
You are on the CC list for the bug.
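The ASan run above warns about an unsorted directory and absent tags before tiffinfo crashes while dumping raw strips, so when triaging such samples it helps to know which directory defects a file carries before it ever reaches the library. Added example, not code from the report or from libtiff: a small Python checker that parses the first IFD of a TIFF and flags unsorted tags and missing strip tags; the constructed TIFF bytes and the choice of tags to require are assumptions of this example.

```python
import struct

# Tag numbers from the TIFF 6.0 specification.
TAG_NAMES = {256: "ImageWidth", 257: "ImageLength", 273: "StripOffsets",
             277: "SamplesPerPixel", 278: "RowsPerStrip", 279: "StripByteCounts"}
# A raw strip dump needs both of these before it can locate or size a strip.
STRIP_TAGS = (273, 279)

def check_first_ifd(data):
    """Parse the first IFD of a TIFF; return (entries, problems), problems empty if sane."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    byte_order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if byte_order is None:
        raise ValueError("not a TIFF header")
    version, ifd_off = struct.unpack(byte_order + "HI", data[2:8])
    if version != 42 or ifd_off + 2 > len(data):
        raise ValueError("bad TIFF version or IFD offset beyond end of file")
    (count,) = struct.unpack(byte_order + "H", data[ifd_off:ifd_off + 2])
    entries, problems = [], []
    pos = ifd_off + 2
    for _ in range(count):
        if pos + 12 > len(data):
            problems.append("IFD entry table truncated")
            break
        # Each entry: tag, field type, value count, inline value or file offset.
        entries.append(struct.unpack(byte_order + "HHII", data[pos:pos + 12]))
        pos += 12
    tags = [e[0] for e in entries]
    if tags != sorted(tags):
        problems.append("tags are not sorted in ascending order")
    for tag in STRIP_TAGS:
        if tag not in tags:
            problems.append("missing %s" % TAG_NAMES[tag])
    return entries, problems

def build_tiff(entries, ifd_off=12):
    """Constructed little-endian TIFF with a single IFD at ifd_off (sample input only)."""
    ifd = struct.pack("<H", len(entries))
    ifd += b"".join(struct.pack("<HHII", *e) for e in entries)
    ifd += struct.pack("<I", 0)  # no further IFDs
    header = b"II" + struct.pack("<HI", 42, ifd_off)
    return header.ljust(ifd_off, b"\0") + ifd

# Constructed samples: BAD mirrors the warnings above (unsorted tags, strip tag absent);
# GOOD carries the same 128x1 geometry with a complete, ordered directory.
BAD = build_tiff([(257, 3, 1, 1), (256, 3, 1, 128), (273, 4, 1, 0)])
GOOD = build_tiff([(256, 3, 1, 128), (257, 3, 1, 1), (273, 4, 1, 64), (279, 4, 1, 1)])
```

Running check_first_ifd(BAD) reports both the ordering defect and the missing StripByteCounts, while GOOD returns an empty problem list.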