Suggested advisory:
========================

The updated packages fix a security vulnerability:

The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable (CVE-2016-3658).

They also fix:

An out-of-bound read of up to 3 bytes in readContigTilesIntoBuffer().
An out-of-bound read on some tiled images.
Segfault when specifying -r without argument (fax2tiff).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3658
========================

Updated packages in core/updates_testing:
========================

i586:
libtiff-progs-4.0.6-1.5.mga5.i586.rpm
libtiff5-4.0.6-1.5.mga5.i586.rpm
libtiff-devel-4.0.6-1.5.mga5.i586.rpm
libtiff-static-devel-4.0.6-1.5.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.6-1.5.mga5.x86_64.rpm
lib64tiff5-4.0.6-1.5.mga5.x86_64.rpm
lib64tiff-devel-4.0.6-1.5.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.6-1.5.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.6-1.5.mga5.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2014-8127, CVE-2016-3658
Assignee: bugsquad => qa-bugs
Source RPM: (none) => libtiff-4.0.6-1.4.mga5.src.rpm
Testing on x86_64 real hardware.

CVE-2016-3658 provides a link to a testing procedure:
http://bugzilla.maptools.org/show_bug.cgi?id=2546

The attachments comprise 19_tiffset.tiff and two debugging output files from gdb and valgrind.

Procedure:

$ tiffset 19_tiffset.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 17 (0x11) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 21 (0x15) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22 (0x16) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 23 (0x17) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 28 (0x1c) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
Segmentation fault

These messages appear also in the downloaded debug reports.

Note that the TIFF file is changed by the test so a copy needs to be kept for completing the PoC.
CC: (none) => tarazed25
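The procedure above, as a repeatable regression check (an added example, not code from this bug report or from libtiff): it runs the tool on a scratch copy so the PoC file survives the in-place rewrite, and classifies the exit status. It assumes 19_tiffset.tiff is in the current directory and tiffset is on PATH.

```shell
#!/bin/sh
# Added example, not from the bug report or libtiff: a repeatable form of
# the "tiffset 19_tiffset.tiff" check. Assumes the PoC file is in the
# current directory and tiffset is on PATH.

# run_poc_check TOOL FILE
# Runs "TOOL <scratch copy of FILE>" and prints one of:
#   segfault   - the tool died with SIGSEGV (exit status 128+11 = 139)
#   ok         - the tool exited 0
#   error:N    - any other exit status N
# The copy matters: tiffset rewrites its input in place, so running the
# check on the original would destroy the PoC after the first run.
run_poc_check() {
    tool=$1
    file=$2
    work=$(mktemp) || return 2
    cp "$file" "$work" || { rm -f "$work"; return 2; }
    # "if" keeps a crash from tripping "set -e" in a calling script
    if "$tool" "$work" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$work"
    case $rc in
        0)   echo ok ;;
        139) echo segfault ;;
        *)   echo "error:$rc" ;;
    esac
}

# Stand-alone use: expect "segfault" with the unpatched package and
# anything other than "segfault" once the update is installed.
if [ -f 19_tiffset.tiff ]; then
    echo "tiffset on 19_tiffset.tiff: $(run_poc_check tiffset 19_tiffset.tiff)"
fi
```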
Created attachment 8613
PoC test file for CVE-2016-3658

This file was written for an earlier bug but the comments on the current bug indicate that this is essentially the same one.
Updated the packages from Updates testing. Ran the test again:

$ tiffset 19_tiffset.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 17 (0x11) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 21 (0x15) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22 (0x16) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 23 (0x17) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 28 (0x1c) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
_TIFFVSetField: Warning, SamplesPerPixel tag value is changing, but SMaxSampleValue tag was read with a different value. Cancelling it.

The patch handles the error and there is no longer a segfault.

$ wget photojournal.jpl.nasa.gov/tiff/PIA20966.tif
$ tiffgt PIA20966.tif

This displayed a photo of Ceres from the NASA archives.

Copied the tif file to Ikapati.tif and generated a copy in PGM format.

$ tifftopnm Ikapati.tif > Ikapati.pgm
$ tiffdump Ikapati.tif

This printed a summary of the structure of the file.

Experimented with tiffcp to combine images.

$ tiffcp -c none SantaMaria.tif Ikapati.tif craters.tif

This generated craters.tif. tiffgt could see only the first frame (SantaMaria) but IM's display showed first the SantaMaria crater and then the Ikapati crater via the menu command File -> Next. Not a particularly useful example but a demonstration that the process works.

tiffinfo showed information for frame 1 only and returned the error message about 'Invalid tag "BadFaxLines"' which seems to turn up now and again.

The original files were recovered as xaaa.tif and xaab.tif using tiffsplit.
Giving this the OK assuming it was CVE-2016-3658 that was to be checked.
Whiteboard: (none) => MGA5-64-OK
Advisory uploaded.
CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Going to give this a quick run in i586 vbox.
The PoC using 19_tiffset.tiff failed as before with a segfault. Installed the updates and tried again. This time no segfault.

Ran the functionality tests again to exercise tiffgt, tiffinfo, tiffdump, tiffcp, tiffsplit and tifftopnm. display showed the two frames in craters.tif.

Used some of the tests described by lewis on the collection he quoted.

$ tiff2pdf -d -o cayuga_2.pdf cayuga_2.tif
$ okular cayuga_2.pdf
$ tiff2rgba mcfaddin_2.tif mcfaddin_rgba.tif
$ tiffgt mcfaddin_rgba.tif
$ tifftopnm mcfaddin_1.tif > mcfaddin.ppm
$ display mcfaddin.ppm
$ tiff2ps sage_1.tif > sage.ps
$ gs sage.ps
GPL Ghostscript 9.14 (2014-03-26)
.....
$ tiff2bw -r 4 sage_2.tif sage_greyscale.tif
$ tiffgt sage_greyscale.tif
$ tiffmedian -r 4 -c none falls_1.tif falls_median.tif

tiffgt shows posterized output.

All worked as expected. OK for 32-bits. This bug can be validated.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0361.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/705366/
CC: (none) => luigiwalser