| Summary: | libtiff new security issues CVE-2017-11613 and CVE-2018-5784 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | luigiwalser, mageia, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA6-64-OK MGA5-64-OK | ||
| Source RPM: | libtiff-4.0.9-1.1.mga6.src.rpm | CVE: | CVE-2017-11613, CVE-2018-5784 |
| Status comment: | |||
|
Description
Nicolas Salguero
2018-03-18 14:52:34 CET
Nicolas Salguero
2018-03-18 14:57:03 CET
Source RPM: (none) => libtiff-4.0.9-1.1.mga6.src.rpm

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. (CVE-2017-11613)

In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries. (CVE-2018-5784)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5784
========================

Updated package in 5/core/updates_testing:
========================
libtiff-progs-4.0.9-1.2.mga5
lib(64)tiff5-4.0.9-1.2.mga5
lib(64)tiff-devel-4.0.9-1.2.mga5
lib(64)tiff-static-devel-4.0.9-1.2.mga5

from SRPMS:
libtiff-4.0.9-1.2.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
libtiff-progs-4.0.9-1.2.mga6
lib(64)tiff5-4.0.9-1.2.mga6
lib(64)tiff-devel-4.0.9-1.2.mga6
lib(64)tiff-static-devel-4.0.9-1.2.mga6

from SRPMS:
libtiff-4.0.9-1.2.mga6.src.rpm

Status: NEW => ASSIGNED

Mageia 6 :: x86_64

CVE-2018-5784
http://bugzilla.maptools.org/show_bug.cgi?id=2772
PoC file: libtiff_4-0-9_tiff2pdf_uncontrolled-resource-consumption_TIFFSetDirectory.tif

Before update:
$ tiffinfo libtiff_4-0-9_tiff2pdf_uncontrolled-resource-consumption_TIFFSetDirectory.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 29811 (0x7473) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 225 (0xe1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3328 (0xd00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65522 (0xfff2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFF Directory at offset 0xc (12)
Image Width: 128 Image Length: 2305
Bits/Sample: 8
Compression Scheme: Old-style JPEG
Photometric Interpretation: YCbCr
YCbCr Subsampling: 2, 2
Samples/Pixel: 3
Planar Configuration: single image plane
$ tiffgt $POC
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
$ display $POC
display: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 29811 (0x7473) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 3 (0x3) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 225 (0xe1) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 1093 (0x445) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 3328 (0xd00) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 65522 (0xfff2) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 1 (0x1) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Incorrect count for "PhotometricInterpretation"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/915.
display: Photometric tag is missing, assuming data is YCbCr. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: BitsPerSample tag is missing, assuming 8 bits per sample. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.

A tall black rectangle is displayed using the last command.

After update:
$ tiffgt $POC
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
$ display $POC
<The output is identical to that in the earlier test and the black rectangle is displayed>

We cannot draw any conclusions from this -> assume that the patches work.
Leaving utility tests until tomorrow, Mageia 5 tests also.

CC: (none) => tarazed25

Installed and tested without issues.
Tests used the tools in the package libtiff-progs.
Tested using several TIFF images, some with the 16 MPixel resolution.
Also did quick tests with gimp (load/view/save) and okular (load/view).
$ rpm -qa | egrep 'lib(64)?tiff' | sort
lib64tiff5-4.0.9-1.2.mga6
libtiff5-4.0.9-1.2.mga6
libtiff-progs-4.0.9-1.2.mga6
$
$
$ rpm -ql lib64tiff5
/usr/lib64/libtiff.so.5
/usr/lib64/libtiff.so.5.3.0
/usr/lib64/libtiffxx.so.5
/usr/lib64/libtiffxx.so.5.3.0
$
$
$ strace -o tiffinfo.strace tiffinfo test.tiff
TIFF Directory at offset 0x22d82ce (36537038)
Subfile Type: (0 = 0x0)
Image Width: 4200 Image Length: 4200
Resolution: 299.999, 299.999 pixels/inch
Bits/Sample: 8
Compression Scheme: LZW
Photometric Interpretation: RGB color
Extra Samples: 1<assoc-alpha>
Orientation: row 0 top, col 0 lhs
Samples/Pixel: 4
Rows/Strip: 64
Planar Configuration: single image plane
DocumentName: /home/pclx/tmp/test.tiff
ICC Profile: <present>, 3144 bytes
Predictor: horizontal differencing 2 (0x2)
$ grep libtiff tiffinfo.strace
open("/usr/lib64/tls/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
$ okular test.tiff
$
$
$ strace -o tiffdump.strace tiffdump test.tiff
test.tiff:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 36537038 (0x22d82ce) next 0 (0)
SubFileType (254) LONG (4) 1<0>
ImageWidth (256) SHORT (3) 1<4200>
ImageLength (257) SHORT (3) 1<4200>
BitsPerSample (258) SHORT (3) 4<8 8 8 8>
Compression (259) SHORT (3) 1<5>
Photometric (262) SHORT (3) 1<2>
DocumentName (269) ASCII (2) 26</home/pclx/tmp/test.tif ...>
StripOffsets (273) LONG (4) 66<8 100904 264983 485867 826963 1252832 1731760 2248236 2795496 3358955 3932989 4526542 5140731 5741104 6364826 7015886 7668761 8323268 8976108 9621538 10271631 10921888 11562408 12212244 ...>
Orientation (274) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<4>
RowsPerStrip (278) SHORT (3) 1<64>
StripByteCounts (279) LONG (4) 66<100896 164079 220884 341096 425869 478928 516476 547260 563459 574034 593553 614189 600373 623722 651060 652875 654507 652840 645430 650093 650257 640520 649836 664761 ...>
XResolution (282) RATIONAL (5) 1<299.999>
YResolution (283) RATIONAL (5) 1<299.999>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
Predictor (317) SHORT (3) 1<2>
BadFaxLines (326) LONG (4) 1<12058626>
ExtraSamples (338) SHORT (3) 1<1>
ICC Profile (34675) UNDEFINED (7) 3144<00 00 0xc 0x48 0x4c 0x69 0x6e 0x6f 0x2 0x10 00 00 0x6d 0x6e 0x74 0x72 0x52 0x47 0x42 0x20 0x58 0x59 0x5a 0x20 ...>
$ grep libtiff tiffdump.strace
open("/usr/lib64/tls/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
$
$
$ strace -o tiff2pdf.strace tiff2pdf -o test.pdf test.tiff
$ grep libtiff tiff2pdf.strace
open("/usr/lib64/tls/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
$ okular test.pdf
$
$
$ strace -o tiff2ps.strace tiff2ps -O test.ps test.tiff
$ grep libtiff tiff2ps.strace
open("/usr/lib64/tls/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
$ okular test.ps

CC: (none) => mageia

Using the PoC and test at http://bugzilla.maptools.org/show_bug.cgi?id=2772
From the time it takes, it seems the denial of service is resolved.

$ time tiff2pdf libtiff_4-0-9_tiff2pdf_uncontrolled-resource-consumption_TIFFSetDirectory.tif -o poc.pdf
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 29811 (0x7473) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 225 (0xe1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3328 (0xd00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65522 (0xfff2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFFNumberOfDirectories: Directory count exceeded 65535 limit, giving up on counting..
tiff2pdf: TIFF contains too many directories, libtiff_4-0-9_tiff2pdf_uncontrolled-resource-consumption_TIFFSetDirectory.tif.
tiff2pdf: An error occurred creating output PDF file.

real 0m0.005s
user 0m0.001s
sys 0m0.004s

Thanks PC LX for those very thorough tests and helpful reports. Adding the 64-bit OK for mga5.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

(In reply to Len Lawrence from comment #5)
> Thanks PC LX for those very thorough tests and helpful reports. Adding the
> 64-bit OK for mga5.

Thanks to you both. After c4, it could have been validated. The advisory will catch it up.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0180.html

Status: ASSIGNED => RESOLVED

This also fixed CVE-2018-16335 (same fix as CVE-2017-11613):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00149.html
https://security-tracker.debian.org/tracker/CVE-2018-16335

CC: (none) => luigiwalser |
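
The two conditions named in the suggested advisory, a directory whose declared entry count is not backed by the file and an ImageLength taken straight from the input, can be screened for before a file is handed to libtiff. The following is an added example, not code from libtiff, Mageia or anyone in this thread; `screen_tiff`, `make_tiff`, the `MAX_ROWS` limit and the sample files are assumptions constructed here. It handles classic TIFF only and goes slightly beyond the advisory by also flagging a directory chain that loops.

```python
import struct

MAX_DIRS = 65535      # ceiling reported by the patched tiff2pdf run above
MAX_ROWS = 1_000_000  # assumed local policy for ImageLength, not a libtiff value

def screen_tiff(data, max_rows=MAX_ROWS):
    """Return findings for a classic TIFF held in bytes (empty list = clean)."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["not a TIFF header"]
    e = "<" if data[:2] == b"II" else ">"          # byte order from the header
    magic, off = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        return ["not a classic TIFF"]
    findings, seen = [], set()
    while off:
        if off in seen:                            # chain revisits a directory
            findings.append(f"directory chain loops back to offset {off}")
            break
        seen.add(off)
        if len(seen) > MAX_DIRS:
            findings.append("more than 65535 directories")
            break
        if off + 2 > len(data):
            findings.append(f"directory offset {off} is outside the file")
            break
        (count,) = struct.unpack_from(e + "H", data, off)
        end = off + 2 + 12 * count                 # each entry is 12 bytes
        if end + 4 > len(data):                    # declared vs. actual entries
            findings.append(f"directory at {off} declares {count} entries, "
                            "file too short to hold them")
            break
        for pos in range(off + 2, end, 12):
            tag, typ, n = struct.unpack_from(e + "HHI", data, pos)
            if tag == 257 and n == 1 and typ in (3, 4):   # ImageLength SHORT/LONG
                (rows,) = struct.unpack_from(e + ("H" if typ == 3 else "I"), data, pos + 8)
                if rows > max_rows:
                    findings.append(f"ImageLength {rows} exceeds limit {max_rows}")
        (off,) = struct.unpack_from(e + "I", data, end)
    return findings

def make_tiff(entries, declared=None, next_off=0):
    """Constructed sample: little-endian TIFF, one directory at offset 8."""
    body = b"".join(struct.pack("<HHII", t, ty, 1, v) for t, ty, v in entries)
    count = len(entries) if declared is None else declared
    return (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", count)
            + body + struct.pack("<I", next_off))
```

It checks only the directory structure, so an empty result says nothing about strip data or codec-level problems.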