Bug 15519 - libtiff new security issue (second issue from PoC for CVE-2015-1547)
Summary: libtiff new security issue (second issue from PoC for CVE-2015-1547)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/671915/
Whiteboard: has_procedure advisory MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-18 16:48 CET by David Walser
Modified: 2017-02-02 02:12 CET (History)
9 users

See Also:
Source RPM: libtiff-4.0.4-0.1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2015-03-18 16:48:21 CET
In this CVE assignment for libtiff:
http://openwall.com/lists/oss-security/2015/02/07/5

The last image linked there (libtiff5.tif) crashes ImageMagick's identify command if run as follows:
identify -verbose libtiff5.tif

Note that this is what lesspipe will do with this file if you view it with less.

The issue in libtiff was fixed in Bug 15132.

On Cauldron, none of the libtiff PoC files crash identify.

Comment 1 David Walser 2015-04-02 13:38:07 CEST
The issue can be demonstrated with tiffinfo from libtiff-progs, so this is actually another issue in libtiff itself.  The OpenSuSE packager was nice enough to report this upstream:
http://bugzilla.maptools.org/show_bug.cgi?id=2508

He also informed me of some issues in the non-upstream patches in the OpenSuSE update, which we also used in our update:
http://bugzilla.maptools.org/show_bug.cgi?id=2499#c11
Comment 2 Shlomi Fish 2015-05-31 18:21:19 CEST
Hi David,

(In reply to David Walser from comment #1)
> The issue can be demonstrated with tiffinfo from libtiff-progs, so this is
> actually another issue in libtiff itself.  The OpenSuSE packager was nice
> enough to report this upstream:
> http://bugzilla.maptools.org/show_bug.cgi?id=2508
> 
> He also informed me of some issues in the non-upstream patches in the
> OpenSuSE update, which we also used in our update:
> http://bugzilla.maptools.org/show_bug.cgi?id=2499#c11

So is this a problem with imagemagick or is it another problem with libtiff? Is there a patch for it?

Regards,

-- Shlomi Fish

CC: (none) => shlomif

Comment 3 David Walser 2015-05-31 19:05:32 CEST
(In reply to Shlomi Fish from comment #2)
> so is this a problem with imagemagick or is it another problem with libtiff?

Both.

> Is there a patch for it?

For ImageMagick, it's fixed in the version we have in Mageia 5, so yes.  I don't know which commit (of the thousands between it and the Mageia 4 version) fixed it.  For libtiff, it has been reported upstream but there has been no response.
Comment 4 Shlomi Fish 2015-05-31 19:42:08 CEST
(In reply to David Walser from comment #0)
> In this CVE assignment for libtiff:
> http://openwall.com/lists/oss-security/2015/02/07/5
> 
> The last image linked there (libtiff5.tif) crashes ImageMagick's identify
> command if run as follows:
> identify -verbose libtiff5.tif
> 

I cannot reproduce it on a Mageia 4 x86-64 VBox VM. I'll try it on i586 soon.

Regards,

-- Shlomi Fish
Comment 5 Shlomi Fish 2015-05-31 19:49:39 CEST
(In reply to Shlomi Fish from comment #4)
> (In reply to David Walser from comment #0)
> > In this CVE assignment for libtiff:
> > http://openwall.com/lists/oss-security/2015/02/07/5
> > 
> > The last image linked there (libtiff5.tif) crashes ImageMagick's identify
> > command if run as follows:
> > identify -verbose libtiff5.tif
> > 
> 
> I cannot reproduce it on a Mageia 4 x86-64 VBox VM. I'll try it on i586 soon.
> 

OK, I cannot reproduce it on Mageia 4 i686 either.
Comment 6 Marja Van Waes 2015-06-06 14:15:32 CEST
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 7 Shlomi Fish 2015-06-06 15:38:22 CEST
(In reply to Marja van Waes from comment #6)
> Assigned to the package maintainer.
> 
> (Please set the status to 'assigned' if you are working on it)

Well, I don't understand how to reproduce the offending behaviour. Marking as NEEDINFO.

Keywords: (none) => NEEDINFO

Comment 8 David Walser 2015-06-06 18:04:06 CEST
Strange, imagemagick and libtiff are up to date on the VM where I found this, but I can still reproduce it there and not on my workstation at home, with identify from imagemagick.  Maybe the fix for imagemagick was in some other package that my VM doesn't have up to date.  Not sure.

I can however still reproduce it with tiffinfo from libtiff-progs, as shown in the upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2508

Reassigning this bug to libtiff.

Keywords: NEEDINFO => (none)
Summary: imagemagick new security issue CVE-2015-1547 => libtiff new security issue (second issue from PoC for CVE-2015-1547)
Source RPM: imagemagick-6.8.7.0-2.3.mga4.src.rpm => libtiff-4.0.4-0.1.mga4.src.rpm

Sander Lepik 2015-06-13 17:42:21 CEST

CC: (none) => mageia
Assignee: shlomif => bugsquad

Comment 9 David Walser 2015-06-13 18:44:39 CEST
Testing using the tiffinfo command, Mageia 5 is also affected (as would be expected considering it's the same libtiff version).

Version: 4 => Cauldron
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 10 David Walser 2015-07-09 19:04:06 CEST
OpenSuSE has issued a new advisory today (July 9):
http://lists.opensuse.org/opensuse-updates/2015-07/msg00019.html

Please test the issue in this bug as well as repeating the tests from Bug 15132.

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.4-1.mga4
libtiff5-4.0.4-1.mga4
libtiff-devel-4.0.4-1.mga4
libtiff-static-devel-4.0.4-1.mga4
libtiff-progs-4.0.4-1.mga5
libtiff5-4.0.4-1.mga5
libtiff-devel-4.0.4-1.mga5
libtiff-static-devel-4.0.4-1.mga5

from libtiff-4.0.4-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 11 Dave Hodgins 2015-07-10 04:00:34 CEST
Advisory committed to svn.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory

Comment 12 David Walser 2015-07-10 04:05:08 CEST
(In reply to Dave Hodgins from comment #11)
> Advisory committed to svn.

What advisory?  I haven't posted one for this yet.  I need the testing results to know what exactly I need to write in it.
Comment 13 Dave Hodgins 2015-07-10 04:38:25 CEST
$ cat 15519.adv 
type: security
subject: Updated libtiff5 package fixes security vulnerability
CVE:
 - CVE-2014-8127
 - CVE-2014-8128
 - CVE-2014-8129
 - CVE-2014-8130
 - CVE-2014-9655
 - CVE-2015-1547
src:
  5:
   core:
     - libtiff-4.0.4-1.mga5
description: |
  tiff was updated to version 4.0.4 to fix six security issues found by
  fuzzing initiatives.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=15519
 - http://lists.opensuse.org/opensuse-updates/2015-07/msg00019.html
Comment 14 David Walser 2015-07-10 04:49:55 CEST
Ahh I see.  That'll work for now.  I'll post an updated one later once it's tested if need be.  If all the tests check out OK, that should suffice.  The other thing I can tell you right now is it fixes regressions caused by the previous update as well.  Thanks Dave.
David Walser 2015-07-10 15:01:45 CEST

Whiteboard: MGA4TOO advisory => MGA4TOO has_procedure advisory

Comment 15 Lewis Smith 2015-07-14 21:48:33 CEST
I am having a go at this MGA4 x64, but am plagued by such things as
"TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order" and worse for *all* the images from:
 https://bugs.mageia.org/attachment.cgi?id=6038
and:
 http://openwall.com/lists/oss-security/2015/02/07/5
I can only get Herman's image to display:
 https://bugs.mageia.org/attachment.cgi?id=6057
using pre-update
 lib64tiff5-4.0.4-0.1.mga4
 libtiff-progs-4.0.4-0.1.mga4
Any ideas?

CC: (none) => lewyssmith

Comment 16 David Walser 2015-07-14 22:29:22 CEST
Most of the PoCs are not valid TIFF images, so you should get errors rather than getting them to display.  You should not get stack traces or segfaults.
Comment 17 Lewis Smith 2015-07-16 15:17:00 CEST
Tested MGA4 x64

Using:
 http://openwall.com/lists/oss-security/2015/02/07/5 (3 TIF files)
 https://bugs.mageia.org/attachment.cgi?id=6038 (19 TIF files; plus...)
 https://bugs.mageia.org/attachment.cgi?id=6041 (a list of tiff* commands to use with the 19 files above)
 $ identify -verbose ... [used with the 3 sample TIF files]
 $ tiffinfo ... [used with the 3 sample TIF files]

BEFORE the update: all these commands/files yielded error outputs, but no sign of any crash.
AFTER the update to:
 libtiff-progs-4.0.4-1.mga4
 lib64tiff5-4.0.4-1.mga4
Same results as before (not necessarily identical): error outputs, but no evidence of a crash.

This is inconclusive, but if David agrees to MGA4-64-OK this - please do.
Comment 18 David Walser 2015-07-16 15:26:53 CEST
Thanks Lewis.  As long as there's nothing that looks like a stack trace, it should be good.  I'm hoping to test i586 when I get back to work next week.
Lewis Smith 2015-07-17 08:15:33 CEST

Whiteboard: MGA4TOO has_procedure advisory => MGA4TOO has_procedure advisory MGA4-64-OK

Comment 19 William Kenney 2015-07-17 16:26:03 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
libtiff5 libtiff-progs

Tested using: https://wiki.mageia.org/en/QA_procedure:Libtiff

default install of libtiff5 & libtiff-progs

[root@localhost wilcal]# urpmi libtiff5
Package libtiff5-4.0.4-0.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga4.i586 is already installed

bmp2tiff red_head1.bmp red_head1.tif works
tiff2pdf red_head1.tif > red_head1.pdf opens with Okular
tiffinfo red_head1.tif works
gimp red_head1.tif works

install libtiff5 & libtiff-progs from updates_testing

[root@localhost wilcal]# urpmi libtiff5
Package libtiff5-4.0.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-1.mga4.i586 is already installed

bmp2tiff red_head2.bmp red_head2.tif works
tiff2pdf red_head2.tif > red_head2.pdf opens with Okular
tiffinfo red_head2.tif works
gimp red_head2.tif works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

CC: (none) => wilcal.int

William Kenney 2015-07-17 16:26:24 CEST

Whiteboard: MGA4TOO has_procedure advisory MGA4-64-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK

Comment 20 William Kenney 2015-07-17 16:41:56 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
libtiff5 libtiff-progs

Tested using: https://wiki.mageia.org/en/QA_procedure:Libtiff

default install of libtiff5 & libtiff-progs

[root@localhost wilcal]# urpmi libtiff5
Package libtiff5-4.0.4-0.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga5.i586 is already installed

bmp2tiff red_head1.bmp red_head1.tif works
tiff2pdf red_head1.tif > red_head1.pdf opens with Okular
tiffinfo red_head1.tif works
gimp red_head1.tif works

install libtiff5 & libtiff-progs from updates_testing

[root@localhost wilcal]# urpmi libtiff5
Package libtiff5-4.0.4-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-1.mga5.i586 is already installed

bmp2tiff red_head2.bmp red_head2.tif works
tiff2pdf red_head2.tif > red_head2.pdf opens with Okular
tiffinfo red_head2.tif works
gimp red_head2.tif works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
William Kenney 2015-07-17 16:42:18 CEST

Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK

Comment 21 William Kenney 2015-07-17 16:56:52 CEST
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
lib64tiff5 libtiff-progs

Tested using: https://wiki.mageia.org/en/QA_procedure:Libtiff

default install of libtiff5 & libtiff-progs

[root@localhost wilcal]# urpmi lib64tiff5
Package lib64tiff5-4.0.4-0.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga5.x86_64 is already installed

bmp2tiff red_head1.bmp red_head1.tif works
tiff2pdf red_head1.tif > red_head1.pdf opens with Okular
tiffinfo red_head1.tif works
gimp red_head1.tif works

install lib64tiff5 & libtiff-progs from updates_testing

[root@localhost wilcal]# urpmi lib64tiff5
Package lib64tiff5-4.0.4-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-1.mga5.x86_64 is already installed

bmp2tiff red_head2.bmp red_head2.tif works
tiff2pdf red_head2.tif > red_head2.pdf opens with Okular
tiffinfo red_head2.tif works
gimp red_head2.tif works

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
William Kenney 2015-07-17 16:57:20 CEST

Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

Comment 22 William Kenney 2015-07-17 16:58:45 CEST
This update works fine.
Testing complete for MGA4 & 5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 23 David Walser 2015-07-20 15:27:02 CEST
Unvalidating for the moment, the issue I reported in Comment 0 is not fixed.

Keywords: Triaged, validated_update => (none)

Comment 24 David Walser 2015-07-20 15:36:23 CEST
Furthermore, there's a regression in one of the test cases from Bug 15132.

Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO has_procedure

Comment 25 David Walser 2015-07-20 15:37:01 CEST
(In reply to David Walser from comment #24)
> Furthermore, there's a regression in one of the test cases from Bug 15132.

$ tiffcmp 00_basefile.tiff 18_tiffcmp.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
Segmentation fault
Comment 26 David Walser 2015-07-20 15:38:07 CEST
(In reply to David Walser from comment #25)
> (In reply to David Walser from comment #24)
> > Furthermore, there's a regression in one of the test cases from Bug 15132.
> 
> $ tiffcmp 00_basefile.tiff 18_tiffcmp.tiff
> TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
> sorted in ascending order.
> TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
> Segmentation fault

With the previous package it says:
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchNormalTag: Warning, Incompatible type for "Predictor"; tag ignored.
XResolution: 1 0
Comment 27 David Walser 2015-07-20 15:39:28 CEST
(In reply to David Walser from comment #23)
> Unvalidating for the moment, the issue I reported in Comment 0 is not fixed.

$ identify -verbose libtiff5.tif 
*** Error in `identify': free(): invalid next size (fast): 0x08c43248 ***
======= Backtrace: =========
/lib/i686/libc.so.6(+0x6b053)[0xb71fb053]
/lib/i686/libc.so.6(+0x72954)[0xb7202954]
/lib/libtiff.so.5(_TIFFfree+0x1b)[0xb66679eb]
/lib/libtiff.so.5(+0x24c2e)[0xb6647c2e]
/lib/libtiff.so.5(TIFFRGBAImageGet+0x3f)[0xb664a23f]
/lib/libtiff.so.5(TIFFReadRGBATile+0x1da)[0xb664a7da]
/usr/lib/ImageMagick-6.8.7//modules-Q16/coders/tiff.so(+0x848c)[0xb773848c]
/lib/libMagickCore-6.Q16.so.1(ReadImage+0x10ab)[0xb74ef71b]
/lib/libMagickCore-6.Q16.so.1(ReadImages+0x1a8)[0xb74efd58]
/lib/libMagickWand-6.Q16.so.1(IdentifyImageCommand+0x1d86)[0xb73e05e6]
/lib/libMagickWand-6.Q16.so.1(MagickCommandGenesis+0x6f5)[0xb74126e5]
identify[0x80486e3]
/lib/i686/libc.so.6(__libc_start_main+0xf3)[0xb71a9b33]
identify[0x8048744]
======= Memory map: ========
Aborted

$ tiffinfo -d libtiff5.tif 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
libtiff5.tif: Warning, Nonstandard tile width 61, convert file.
TIFF Directory at offset 0xa0 (160)
  Image Width: 32 Image Length: 32
  Tile Width: 61 Tile Length: 3
  Bits/Sample: 2
  Compression Scheme: NeXT
  FillOrder: lsb-to-msb
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 1
  Rows/Strip: 3
  Planar Configuration: single image plane
  DocumentName: foo.tif
TIFFFillTile: Read error at row 4294967295, col 4294967295, tile 0; got 0 bytes, expected 8.
TIFFFillTile: 0: Invalid tile byte count, tile 1.
TIFFFillTile: 0: Invalid tile byte count, tile 2.
TIFFFillTile: 0: Invalid tile byte count, tile 3.
Tile (12,0):
 05 00 00 00 01 fc 07 0a 00 00 00 00 00 00 00 00
 aa aa aa aa 55 55 55 55 57 00 00 00 00 00 00 00
 55 55 55 55 aa aa aa aa 00 00 00 00 55 55 55 55
TIFFFillTile: Read error at row 0, col 244, tile 5; got 0 bytes, expected 1.
TIFFFillTile: 0: Invalid tile byte count, tile 6.
TIFFFillTile: 0: Invalid tile byte count, tile 7.
NeXTDecode: Not enough data for scanline 0.
NeXTDecode: Not enough data for scanline 0.
NeXTDecode: Not enough data for scanline 0.
*** Error in `tiffinfo': free(): invalid next size (fast): 0x08ee33a0 ***
======= Backtrace: =========
/lib/i686/libc.so.6(+0x6b053)[0xb7574053]
/lib/i686/libc.so.6(+0x72954)[0xb757b954]
/lib/libtiff.so.5(_TIFFfree+0x1b)[0xb77069eb]
tiffinfo[0x8049836]
tiffinfo[0x8049a9d]
tiffinfo[0x8049e55]
tiffinfo[0x8048fc8]
/lib/i686/libc.so.6(__libc_start_main+0xf3)[0xb7522b33]
tiffinfo[0x8049091]
======= Memory map: ========
Aborted
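Added example, not code from the bug report or from libtiff: a small Python reader that parses a TIFF header and first IFD and raises the same kind of directory warnings that tiffinfo printed above (unsorted tags, nonstandard tile width, a tag with an incompatible type, tile offset/byte-count arrays too short for the tile grid, zero tile byte counts) before any image data is touched. Tag numbers and types come from the TIFF 6.0 specification; the sample bytes are constructed here to mirror the 32x32 image with 61x3 tiles shown in the tiffinfo -d output, and the checks are this example's own, not libtiff's.

```python
import struct

SHORT, LONG = 3, 4
# Tag numbers with their spec-allowed types (TIFF 6.0), limited to the tags the
# constructed sample below uses; anything else is reported as unknown.
TAGS = {
    256: ("ImageWidth", (SHORT, LONG)), 257: ("ImageLength", (SHORT, LONG)),
    258: ("BitsPerSample", (SHORT,)), 259: ("Compression", (SHORT,)),
    277: ("SamplesPerPixel", (SHORT,)), 317: ("Predictor", (SHORT,)),
    322: ("TileWidth", (SHORT, LONG)), 323: ("TileLength", (SHORT, LONG)),
    324: ("TileOffsets", (LONG,)), 325: ("TileByteCounts", (SHORT, LONG)),
}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
TYPE_FMT = {SHORT: "H", LONG: "I"}


def parse_first_ifd(data):
    """Parse header + first IFD of a classic TIFF; returns (endian, entries) where
    entries are (tag, type, count, inline_values_or_None) in on-disk order."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        raise ValueError("bad byte-order mark")
    magic, ifd_off = struct.unpack_from(endian + "HI", data, 2)
    if magic != 42:
        raise ValueError(f"unsupported magic {magic}")
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset beyond end of file")
    (n,) = struct.unpack_from(endian + "H", data, ifd_off)
    entries = []
    for i in range(n):
        off = ifd_off + 2 + 12 * i
        if off + 12 > len(data):
            raise ValueError(f"IFD entry {i} truncated")
        tag, typ, count = struct.unpack_from(endian + "HHI", data, off)
        values = None
        # Values occupying 4 bytes or fewer are stored inline, left-justified.
        if typ in TYPE_FMT and TYPE_SIZE[typ] * count <= 4:
            values = list(struct.unpack_from(endian + TYPE_FMT[typ] * count, data, off + 8))
        entries.append((tag, typ, count, values))
    return endian, entries


def check_directory(entries):
    """Sanity checks to pass before trusting the directory; each warning mirrors
    one of the libtiff messages quoted in this bug."""
    warnings, fields = [], {}
    tags = [e[0] for e in entries]
    if tags != sorted(tags):
        warnings.append("tags are not sorted in ascending order")
    for tag, typ, count, values in entries:
        if tag not in TAGS:
            warnings.append(f"unknown field with tag {tag} (0x{tag:x})")
            continue
        name, allowed = TAGS[tag]
        if typ not in allowed:
            warnings.append(f'incompatible type {typ} for "{name}"; tag ignored')
            continue
        fields[name] = (count, values)

    def scalar(name):
        count, values = fields.get(name, (0, None))
        return values[0] if count == 1 and values else None

    w, h, tw, tl = (scalar(n) for n in ("ImageWidth", "ImageLength", "TileWidth", "TileLength"))
    if tw is not None and (tw == 0 or tw % 16):
        warnings.append(f"nonstandard tile width {tw}")
    if all((w, h, tw, tl)):
        # The tile grid fixes how many offsets and byte counts there must be.
        expected = -(-w // tw) * -(-h // tl)
        for name in ("TileOffsets", "TileByteCounts"):
            if name in fields and fields[name][0] < expected:
                warnings.append(f"{name} has {fields[name][0]} entries, {expected} tiles expected")
    for i, n in enumerate(fields.get("TileByteCounts", (0, None))[1] or []):
        if n == 0:
            warnings.append(f"invalid tile byte count, tile {i}")
    return warnings


def build_tiff(entries, endian="<"):
    """Constructed test input (not a real PoC): header plus one IFD, entries written
    in the given order, every value small enough to be stored inline."""
    out = bytearray((b"II" if endian == "<" else b"MM") + struct.pack(endian + "HI", 42, 8))
    out += struct.pack(endian + "H", len(entries))
    for tag, typ, values in entries:
        field = struct.pack(endian + TYPE_FMT[typ] * len(values), *values).ljust(4, b"\0")
        out += struct.pack(endian + "HHI", tag, typ, len(values)) + field
    out += struct.pack(endian + "I", 0)  # no further IFD
    return bytes(out)


# Constructed directory modelled on what tiffinfo -d printed for libtiff5.tif:
# a 32x32 image with 61x3 tiles, NeXT compression, tags written out of order.
SAMPLE = build_tiff([
    (322, SHORT, [61]),     # TileWidth ahead of ImageWidth: out of order
    (256, SHORT, [32]),     # ImageWidth
    (257, SHORT, [32]),     # ImageLength
    (259, SHORT, [32766]),  # Compression: NeXT
    (317, LONG, [2]),       # Predictor with type LONG; the spec requires SHORT
    (323, SHORT, [3]),      # TileLength
    (324, LONG, [200]),     # TileOffsets: one offset for eleven tiles
    (325, SHORT, [8, 0]),   # TileByteCounts: two entries, the second is zero
    (60000, SHORT, [1]),    # private tag this reader does not know
])

if __name__ == "__main__":
    for warning in check_directory(parse_first_ifd(SAMPLE)[1]):
        print("Warning,", warning)
```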
Comment 28 David Walser 2015-07-20 15:45:15 CEST
I've left comments on upstream's Bugzilla about both issues.  Unassigning from QA for now.

CC: (none) => qa-bugs
Version: 5 => Cauldron
Assignee: qa-bugs => bugsquad
Whiteboard: MGA4TOO has_procedure => MGA5TOO, MGA4TOO has_procedure

Comment 29 Rémi Verschelde 2015-09-03 15:49:41 CEST
(In reply to David Walser from comment #28)
> I've left comments on upstream's Bugzilla about both issues.  Unassigning
> from QA for now.

For reference, David's comment is in this bug report: http://bugzilla.maptools.org/show_bug.cgi?id=2508#c3
Still no reaction upstream, at least on the BR.
Comment 30 David Walser 2015-09-03 16:08:30 CEST
(In reply to Rémi Verschelde from comment #29)
> (In reply to David Walser from comment #28)
> > I've left comments on upstream's Bugzilla about both issues.  Unassigning
> > from QA for now.
> 
> For the reference, David's comment is in this bug report:
> http://bugzilla.maptools.org/show_bug.cgi?id=2508#c3
> Still no reaction upstream, at least on the BR.

And my other comment is here:
http://bugzilla.maptools.org/show_bug.cgi?id=2499#c14
Comment 31 David Walser 2015-09-04 20:04:30 CEST
Let's try libtiff 4.0.5.

Please make sure that you repeat the tests mentioned in Comments 23 through 27 if you're going to help test this.  Thanks.

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.5-1.mga4
libtiff5-4.0.5-1.mga4
libtiff-devel-4.0.5-1.mga4
libtiff-static-devel-4.0.5-1.mga4
libtiff-progs-4.0.5-1.mga5
libtiff5-4.0.5-1.mga5
libtiff-devel-4.0.5-1.mga5
libtiff-static-devel-4.0.5-1.mga5

from SRPMS:
libtiff-4.0.5-1.mga4.src.rpm
libtiff-4.0.5-1.mga5.src.rpm

CC: qa-bugs => (none)
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO has_procedure => MGA4TOO has_procedure

Comment 32 Yann Cantin 2015-09-04 21:19:35 CEST
TL;DR: Update NOT OK, thumbnail 17_thumbnail.tiff segfault.

mga5 x86_64:
=============

Installed packages:
 lib64tiff5-4.0.5-1.mga5
 libtiff-progs-4.0.5-1.mga5

identify -verbose libtiff5.tif : no segfault
tiffinfo -d libtiff5.tif       : no segfault

Bug 15132 test cases : no segfault EXCEPT for thumbnail 17_thumbnail.tiff 

$ thumbnail 17_thumbnail.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 328 (0x148) encountered.
rastersize=1
TIFFFillStrip: Read error on strip 0; got 18446744073709551603 bytes, expected 1.
bpr=1, sy=0, bpr*sy=0
...
bpr=1, sy=0, bpr*sy=0
Erreur de segmentation

mga4 x86_64 (VM) : Same thing
==================

Installed packages :
 libtiff-progs-4.0.5-1.mga4
 lib64tiff5-4.0.5-1.mga4

identify -verbose libtiff5.tif : no segfault
tiffinfo -d libtiff5.tif       : no segfault

Bug 15132 test cases : no segfault EXCEPT for thumbnail 17_thumbnail.tiff 

$ thumbnail 17_thumbnail.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 328 (0x148) encountered.
rastersize=1
TIFFFillStrip: Read error on strip 0; got 18446744073709551603 bytes, expected 1.
bpr=1, sy=0, bpr*sy=0
...
bpr=1, sy=0, bpr*sy=0
Erreur de segmentation

CC: (none) => yann.cantin
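
As an added example (not code from the bug report or from libtiff), a POSIX shell harness that automates the checks Yann ran above: every test file goes through tiffinfo -d, identify -verbose and thumbnail, and any run that ends in a signal rather than a clean exit is reported as a regression. The tool names are the report's; the directory layout, the 20-second limit and the scratch output file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report: a small regression harness that
# re-runs the checks from Comment 32 (tiffinfo -d, identify -verbose, thumbnail)
# over a directory of TIFF test cases and flags tools that die with a signal
# instead of exiting cleanly. Tool names come from the report; the directory
# layout, the 20-second limit and the output file name are assumptions.

# Map a shell exit status to a verdict. A status of 128+N means the child was
# killed by signal N; 139 (SIGSEGV) is the "Erreur de segmentation" seen above.
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        139) echo "segfault" ;;
        134) echo "abort" ;;
        124) echo "timeout" ;;                  # GNU timeout's own status
        *)   if [ "$1" -ge 128 ]; then echo "signal $(( $1 - 128 ))"
             else echo "error $1"; fi ;;        # clean non-zero exit (input rejected)
    esac
}

# Run one command (passed as arguments), discard its output and print the
# verdict. Safe under 'set -e': the tool's failure is captured, never
# propagated. Uses timeout(1) when available so a hang cannot stall QA.
run_case() {
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout 20 "$@" >/dev/null 2>&1 || status=$?
    else
        "$@" >/dev/null 2>&1 || status=$?
    fi
    classify_exit "$status"
}

# Walk every .tif/.tiff under $1 (assumed to hold the PoC files, e.g.
# libtiff5.tif and 17_thumbnail.tiff) through the three tools. Prints one
# line per file and tool; returns 1 if any run ended in a signal or timeout.
# A tool that is not installed is skipped rather than counted as a failure.
check_dir() {
    dir=${1:-.}
    rc=0
    for f in "$dir"/*.tif "$dir"/*.tiff; do
        [ -f "$f" ] || continue
        for tool in "tiffinfo -d" "identify -verbose" "thumbnail"; do
            command -v "${tool%% *}" >/dev/null 2>&1 || continue
            if [ "$tool" = thumbnail ]; then
                verdict=$(run_case thumbnail "$f" "$dir/out.$$.tiff")
            else
                verdict=$(run_case $tool "$f")   # word-split on purpose
            fi
            printf '%-32s %-18s %s\n' "$(basename "$f")" "$tool" "$verdict"
            case $verdict in ok|"error "*) ;; *) rc=1 ;; esac
        done
    done
    rm -f "$dir/out.$$.tiff"
    return $rc
}
```

Run it as `check_dir /path/to/poc-files` after installing the updates_testing packages; a non-zero return means at least one tool crashed or hung on a test case.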

Comment 33 David Walser 2015-09-04 21:57:14 CEST
thumbnail 17_thumbnail.tiff out.tiff works fine for me on Mageia 4 i586, but I get the same results on the two tests I reported in Comment 25 and Comment 27.  Sigh.

This is now WONTFIX for Mageia 4.

Thanks for testing Yann.

CC: (none) => qa-bugs
Version: 5 => Cauldron
Assignee: qa-bugs => bugsquad
Whiteboard: MGA4TOO has_procedure => MGA5TOO has_procedure

Comment 34 David Walser 2015-09-21 18:07:55 CEST
Another issue in libtiff with no fix was noted here on oss-security:
http://seclists.org/oss-sec/2015/q3/601
Comment 35 David Walser 2015-09-23 13:19:10 CEST
(In reply to David Walser from comment #34)
> Another issue in libtiff with no fix was noted here on oss-security:
> http://seclists.org/oss-sec/2015/q3/601

CVE-2015-7313 assigned:
http://openwall.com/lists/oss-security/2015/09/22/11
Comment 36 Yann Cantin 2015-10-19 13:04:35 CEST
About CVE-2015-7313 :

According to

 http://seclists.org/oss-sec/2015/q3/631 and 
 https://bugzilla.redhat.com/show_bug.cgi?id=1265998 

this may not be a libtiff bug, but a memory overcommit problem: disabling overcommit with
 echo 2 > /proc/sys/vm/overcommit_memory
seems to fix it.
Comment 37 David Walser 2015-12-24 19:40:55 CET
Let's try libtiff 4.0.6.

Please make sure that you repeat the tests mentioned in Comments 23 through 27 if you're going to help test this.  Thanks.

Note that even 4.0.6 has an issue (CVE-2015-8665):
http://openwall.com/lists/oss-security/2015/12/24/4

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.6-1.mga5
libtiff5-4.0.6-1.mga5
libtiff-devel-4.0.6-1.mga5
libtiff-static-devel-4.0.6-1.mga5

from libtiff-4.0.6-1.mga5.src.rpm

CC: qa-bugs => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO has_procedure => has_procedure
Version: Cauldron => 5

Comment 38 David Walser 2015-12-26 13:12:55 CET
(In reply to David Walser from comment #37)
> Note that even 4.0.6 has an issue (CVE-2015-8665):
> http://openwall.com/lists/oss-security/2015/12/24/4

and CVE-2015-8683:
http://openwall.com/lists/oss-security/2015/12/26/1
Comment 39 David Walser 2015-12-27 02:22:52 CET
(In reply to David Walser from comment #38)
> (In reply to David Walser from comment #37)
> > Note that even 4.0.6 has an issue (CVE-2015-8665):
> > http://openwall.com/lists/oss-security/2015/12/24/4
> 
> and CVE-2015-8683:
> http://openwall.com/lists/oss-security/2015/12/26/1

and CVE-2015-7554:
http://openwall.com/lists/oss-security/2015/12/26/7
Comment 40 David Walser 2015-12-29 18:45:56 CET
A fix for the original issue in this bug (Comment 0, libtiff5.tif issue) has been committed in upstream CVS on December 27:
2015-12-27  Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
        triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
        (bugzilla #2508)

I've patched the package to bring it up to date with current CVS (20151227) and built it locally and confirmed that it fixes this bug.

It also includes fixes for two of the three recent CVEs that I mentioned:
2015-12-26  Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
        interface in case of unsupported values of SamplesPerPixel/ExtraSamples
        for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
        TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
        CVE-2015-8683 reported by zzf of Alibaba.
Unfortunately, the regression mentioned in Comments 24 through 26 still exists.  I've posted another comment on upstream's Bugzilla about that.

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.6-1.1.mga5
libtiff5-4.0.6-1.1.mga5
libtiff-devel-4.0.6-1.1.mga5
libtiff-static-devel-4.0.6-1.1.mga5

from libtiff-4.0.6-1.1.mga5.src.rpm
Comment 41 William Kenney 2016-01-01 00:01:56 CET
In Whiteboard: MGA5-32-OK

In VirtualBox and KDE

Packages under test:
libtiff libtiff-progs

[root@localhost wilcal]# urpmi libtiff
Package libtiff5-4.0.4-0.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga5.i586 is already installed

bmp2tiff pic1.bmp pic1.tif  works
tiff2pdf pic1.tif > pic1.pdf  works
[wilcal@localhost libtiff_test]$ tiffinfo pic1.tif
TIFF Directory at offset 0xee13e (975166)
  Image Width: 640 Image Length: 504
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane
pic1.tif opens successfully with Gimp
tiffinfo -d pic1.tif > testinfo1.txt  ( generates a mountain of info )

Install updates from core updates_testing

[root@localhost libtiff_test]# urpmi libtiff
Package libtiff5-4.0.6-1.1.mga5.i586 is already installed
[root@localhost libtiff_test]# urpmi libtiff-progs
Package libtiff-progs-4.0.6-1.1.mga5.i586 is already installed

bmp2tiff pic2.bmp pic2.tif  works
tiff2pdf pic2.tif > pic2.pdf  works
[wilcal@localhost libtiff_test]$ tiffinfo pic2.tif
TIFF Directory at offset 0xaffe (45054)
  Image Width: 124 Image Length: 124
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 22
  Planar Configuration: single image plane
tiffinfo -d pic2.tif > testinfo2.txt  ( generates a mountain of info )
Comment 42 William Kenney 2016-01-01 00:17:12 CET
In Whiteboard: MGA5-64-OK

In VirtualBox and KDE

Packages under test:
libtiff libtiff-progs

[root@localhost wilcal]# urpmi libtiff
Package lib64tiff5-4.0.4-0.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.4-0.1.mga5.x86_64 is already installed

bmp2tiff pic1.bmp pic1.tif  works
tiff2pdf pic1.tif > pic1.pdf  works
[wilcal@localhost Pictures]$ tiffinfo pic1.tif
TIFF Directory at offset 0xee13e (975166)
  Image Width: 640 Image Length: 504
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane
pic1.tif opens successfully with Gimp
tiffinfo -d pic1.tif > testinfo1.txt  ( generates a mountain of info )

Install libtiff & libtiff-progs from core updates_testing

[root@localhost wilcal]# urpmi libtiff
Package lib64tiff5-4.0.6-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.6-1.1.mga5.x86_64 is already installed

bmp2tiff pic2.bmp pic2.tif  works
tiff2pdf pic2.tif > pic2.pdf  works
[wilcal@localhost Pictures]$ tiffinfo pic2.tif
TIFF Directory at offset 0x1f80f0 (2064624)
  Image Width: 640 Image Length: 1067
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane
pic2.tif opens successfully with Gimp
tiffinfo -d pic2.tif > testinfo2.txt  ( generates a mountain of info )
Comment 43 William Kenney 2016-01-01 00:17:55 CET
Are we good here now?
Comment 44 David Walser 2016-01-01 00:20:56 CET
(In reply to William Kenney from comment #43)
> Are we good here now?

No, we still have the regression I mentioned.  You could run through the rest of the tests from Bug 15132 to make sure there aren't any other regressions (not that I expect any).

We *could* release this since it fixes the original bug in this report and two additional CVEs.  I'm not sure how "bad" the regression is, just that there is one.  I guess we can wait a little longer to see what happens with the third unfixed CVE and the regression.
Comment 45 Brian Rockwell 2016-01-09 15:52:53 CET
I ran through the following on MGA32 - i586


[root@localhost Pictures]# urpmi libtiff
Package libtiff5-4.0.6-1.1.mga5.i586 is already installed
Marking libtiff5 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list


brian@localhost Pictures]$ tiffinfo M_2016.tif
TIFF Directory at offset 0x75308 (480008)
  Image Width: 400 Image Length: 300
  Resolution: 96, 96 pixels/inch
  Bits/Sample: 8
  Compression Scheme: None
  Photometric Interpretation: RGB color
  Samples/Pixel: 4
  Planar Configuration: single image plane
[brian@localhost Pictures]$ convert M_2016.tif M_2017.tif
[brian@localhost Pictures]$ ls
M_2016.tif*  M_2017.tif
[brian@localhost Pictures]$ convert M_2016.tif M_2016.png
[brian@localhost Pictures]$ ls
M_2016.png  M_2016.tif*  M_2017.tif
[brian@localhost Pictures]$ ls -a
./  ../  .directory  M_2016.png  M_2016.tif*  M_2017.tif
[brian@localhost Pictures]$ ls -l
total 712
-rw-r--r-- 1 brian brian   2183 Jan  9 08:39 M_2016.png
-rwxrwx--- 1 brian brian 480182 Jan  9 08:17 M_2016.tif*
-rw-r--r-- 1 brian brian 240562 Jan  9 08:38 M_2017.tif


[root@localhost Pictures]# tiff2ps M_2016.tif >  M_2016.ps
[root@localhost Pictures]# ls -ltr
total 1428
-rwxrwx--- 1 brian brian 480182 Jan  9 08:17 M_2016.tif*
-rw-r--r-- 1 brian brian 240562 Jan  9 08:38 M_2017.tif
-rw-r--r-- 1 brian brian   2183 Jan  9 08:39 M_2016.png
-rw-r--r-- 1 root  root  731758 Jan  9 08:43 M_2016.ps
[root@localhost Pictures]# tiffdither M_2016.tif dither.tif
tiffdither: Not a b&w image.
[root@localhost Pictures]# tiffset M_2016.tif 
[root@localhost Pictures]# ls -ltr
total 1428
-rw-r--r-- 1 brian brian 240562 Jan  9 08:38 M_2017.tif
-rw-r--r-- 1 brian brian   2183 Jan  9 08:39 M_2016.png
-rw-r--r-- 1 root  root  731758 Jan  9 08:43 M_2016.ps
-rwxrwx--- 1 brian brian 480848 Jan  9 08:44 M_2016.tif*
[root@localhost Pictures]# convert M_2016.tif -colorspace Gray M_gray.tif
[root@localhost Pictures]# ls -ltr
total 1664
-rw-r--r-- 1 brian brian 240562 Jan  9 08:38 M_2017.tif
-rw-r--r-- 1 brian brian   2183 Jan  9 08:39 M_2016.png
-rw-r--r-- 1 root  root  731758 Jan  9 08:43 M_2016.ps
-rwxrwx--- 1 brian brian 480848 Jan  9 08:44 M_2016.tif*
-rw-r--r-- 1 root  root  240474 Jan  9 08:49 M_gray.tif
[root@localhost Pictures]# tiffset M_gray.tif
[root@localhost Pictures]# tiffinfo M_gray.tif
TIFF Directory at offset 0x3ab5a (240474)
  Image Width: 400 Image Length: 300
  Resolution: 96, 96 pixels/inch
  Bits/Sample: 8
  Compression Scheme: None
  Photometric Interpretation: min-is-black
  Extra Samples: 1<unassoc-alpha>
  FillOrder: msb-to-lsb
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 2
  Rows/Strip: 10
  Planar Configuration: single image plane
  Page Number: 0-1
[root@localhost Pictures]#


Seems good to me.

CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA_32_OK

Brian Rockwell 2016-01-09 15:54:09 CET

Whiteboard: has_procedure MGA_32_OK => has_procedure MGA5-32-OK

Comment 46 Dave Hodgins 2016-01-12 07:24:11 CET
It's not clear to me from the above which CVEs are now fixed by this update.

David, can you sort out a complete list and new advisory?
Comment 47 David Walser 2016-01-12 18:17:26 CET
(In reply to David Walser from comment #39)
> and CVE-2015-7554:
> http://openwall.com/lists/oss-security/2015/12/26/7

I moved this one to Bug 17480 as there is still no fix available.

(In reply to David Walser from comment #40)
> Unfortunately, the regression mentioned in Comments 24 through 26 still
> exists.  I've posted another comment on upstream's Bugzilla about that.

Another suggested patch to fix that has been posted on the upstream bug:
http://bugzilla.maptools.org/show_bug.cgi?id=2499#c16

I have confirmed that it fixes the issue.

The original issue in this bug also remains fixed.  There are no more regressions in the testcases from Bug 15132.  CVE-2015-8665 and CVE-2015-8683 are fixed as well.  Advisory to come next.  Let's test and release this one.

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.6-1.2.mga5
libtiff5-4.0.6-1.2.mga5
libtiff-devel-4.0.6-1.2.mga5
libtiff-static-devel-4.0.6-1.2.mga5

from libtiff-4.0.6-1.2.mga5.src.rpm

Whiteboard: has_procedure MGA5-32-OK => has_procedure

Comment 48 David Walser 2016-01-12 18:22:49 CET
Advisory:
========================

Updated libtiff packages fix security issues:

In libtiff, in tif_next.c, a potential out-of-bound write in NeXTDecode()
triggered by the test case for CVE-2015-1547 (maptools bugzilla #2508).

In libtiff, in tif_getimage.c, out-of-bound reads in the TIFFRGBAImage
interface in case of unsupported values of SamplesPerPixel/ExtraSamples for
LogLUV / CIELab (CVE-2015-8665, CVE-2015-8683).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683
http://bugzilla.maptools.org/show_bug.cgi?id=2508
http://openwall.com/lists/oss-security/2015/12/24/4
http://openwall.com/lists/oss-security/2015/12/26/1
Dave Hodgins 2016-01-12 19:39:04 CET

Whiteboard: has_procedure => has_procedure advisory

Comment 49 William Kenney 2016-01-12 20:13:20 CET
In VirtualBox and KDE

Install updates from core updates_testing

[root@localhost wilcal]# urpmi libtiff
Package libtiff5-4.0.6-1.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.6-1.2.mga5.i586 is already installed

bmp2tiff pic2.bmp pic2.tif  works
tiff2pdf pic2.tif > pic2.pdf  works
[wilcal@localhost libtiff_test]$ tiffinfo pic2.tif
TIFF Directory at offset 0x1f80f0 (2064624)
  Image Width: 640 Image Length: 1067
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane
tiffinfo -d pic2.tif > testinfo2.txt  ( generates a mountain of info )
Comment 50 William Kenney 2016-01-12 20:26:29 CET
In VirtualBox and KDE

Install updates from core updates_testing

[root@localhost wilcal]# urpmi libtiff
Package lib64tiff5-4.0.6-1.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi libtiff-progs
Package libtiff-progs-4.0.6-1.2.mga5.x86_64 is already installed

bmp2tiff pic1.bmp pic1.tif  works
tiff2pdf pic1.tif > pic1.pdf  works
[wilcal@localhost libtiff_test]$ tiffinfo pic1.tif
TIFF Directory at offset 0xee13e (975166)
  Image Width: 640 Image Length: 504
  Bits/Sample: 8
  Compression Scheme: PackBits
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 4
  Planar Configuration: single image plane
tiffinfo -d pic1.tif > testinfo1.txt  ( generates a mountain of info )
Comment 51 William Kenney 2016-01-12 20:27:50 CET
Can we finally push this devil along?
Comment 52 David Walser 2016-01-12 20:28:38 CET
(In reply to William Kenney from comment #51)
> Can we finally push this devil along?

Yes, our long international nightmare is over!
Dave Hodgins 2016-01-12 22:02:42 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 53 Mageia Robot 2016-01-14 02:45:35 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0017.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-01-14 18:44:17 CET

URL: (none) => http://lwn.net/Vulnerabilities/671915/

Comment 54 David Walser 2016-01-24 21:49:54 CET
The original issue in this bug has been assigned CVE-2015-8784:
http://openwall.com/lists/oss-security/2016/01/24/8

The prior upstream commit to the fix for that one received three CVEs:
http://openwall.com/lists/oss-security/2016/01/24/7

Those are CVE-2015-8781, CVE-2015-8782, and CVE-2015-8783.
Comment 55 David Walser 2016-02-02 13:57:14 CET
(In reply to David Walser from comment #54)
> The original issue in this bug has been assigned CVE-2015-8784:
> http://openwall.com/lists/oss-security/2016/01/24/8
> 
> The prior upstream commit to the fix for that one received three CVEs:
> http://openwall.com/lists/oss-security/2016/01/24/7
> 
> Those are CVE-2015-8781, CVE-2015-8782, and CVE-2015-8783.

LWN reference for all of those:
http://lwn.net/Vulnerabilities/674260/
Comment 56 David Walser 2017-02-02 02:12:26 CET
It looks like CVE-2015-8870 was also fixed in either this update or the previous one:
https://lwn.net/Vulnerabilities/713268/
