Mailinglist Archive: opensuse-bugs (4227 mails)

[Bug 1017692] New: VUL-0: libtiff: invalid memory READ in t2p_writeproc (tiff2pdf.c)
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sun, 01 Jan 2017 18:02:26 +0000
  • Message-id: <bug-1017692-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1017692


Bug ID: 1017692
Summary: VUL-0: libtiff: invalid memory READ in t2p_writeproc (tiff2pdf.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/4
===========================================
Description:
Libtiff is software that provides support for the Tag Image File Format
(TIFF), a widely used format for storing image data.

A crafted tiff file revealed an invalid memory read.

The complete ASan output:

# tiff2pdf $FILE -o foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
tiff2pdf: Warning, RGB image 111.crashes has 4 samples per pixel, assuming RGBA.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 0; got 0 bytes, expected 23297.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 1; got 0 bytes, expected 513.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 2; got 512 bytes, expected 65285.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 3; got 512 bytes, expected 1535.
ASAN:DEADLYSIGNAL
=================================================================
==19864==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000020000 (pc 0x7fc86d4a320b bp 0x000000000efc sp 0x7fff06650bf8 T0)
==19864==The signal is caused by a READ memory access.
#0 0x7fc86d4a320a /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/memcpy.S:270
#1 0x7fc86d491f79 in _IO_file_xsputn /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/fileops.c:1319
#2 0x7fc86d487828 in fwrite /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/iofwrite.c:43
#3 0x50cdff in t2p_writeproc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:405:21
#4 0x52baea in t2pWriteFile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:379:10
#5 0x52baea in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2924
#6 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
#7 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
#8 0x7fc86d43e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#9 0x41a298 in _init (/usr/bin/tiff2pdf+0x41a298)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/memcpy.S:270
==19864==ABORTING

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/891b1b908eb92a0e91e9012a8d32ade7088b5a3f

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00111-libtiff-invalidread-t2p_writeproc

Timeline:
2016-12-20: bug discovered and reported to upstream
2016-12-20: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-invalid-memory-read-in-t2p_writeproc-tiff2pdf-c

--
Agostino Sarubbo
Gentoo Linux Developer
===========================================

https://software.opensuse.org/package/libtiff5

TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7
