Bug 19688 - libtiff new security issue CVE-2014-8127 (duplicate: CVE-2016-3658)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/705366/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-10-31 10:39 CET by Nicolas Salguero
Modified: 2016-11-02 18:43 CET (History)
CC List: 4 users

See Also:
Source RPM: libtiff-4.0.6-1.4.mga5.src.rpm
CVE: CVE-2014-8127, CVE-2016-3658
Status comment:


Attachments
PoC test file for CVE-2016-3658 (234 bytes, image/tiff)
2016-10-31 22:25 CET, Len Lawrence

Description Nicolas Salguero 2016-10-31 10:39:49 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable (CVE-2016-3658).

They also fix:

An out-of-bounds read of up to 3 bytes in readContigTilesIntoBuffer().

An out-of-bounds read on some tiled images.

Segfault when specifying -r without argument (fax2tiff).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3658
========================

Updated packages in core/updates_testing:
========================
i586:
libtiff-progs-4.0.6-1.5.mga5.i586.rpm
libtiff5-4.0.6-1.5.mga5.i586.rpm
libtiff-devel-4.0.6-1.5.mga5.i586.rpm
libtiff-static-devel-4.0.6-1.5.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.6-1.5.mga5.x86_64.rpm
lib64tiff5-4.0.6-1.5.mga5.x86_64.rpm
lib64tiff-devel-4.0.6-1.5.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.6-1.5.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.6-1.5.mga5.src.rpm
Nicolas Salguero 2016-10-31 10:41:58 CET

Status: NEW => ASSIGNED
CVE: (none) => CVE-2014-8127, CVE-2016-3658
Assignee: bugsquad => qa-bugs
Source RPM: (none) => libtiff-4.0.6-1.4.mga5.src.rpm

Comment 1 Len Lawrence 2016-10-31 22:21:11 CET
Testing on x86_64 real hardware.
CVE-2016-3658 provides a link to a testing procedure:
http://bugzilla.maptools.org/show_bug.cgi?id=2546

The attachments comprise 19_tiffset.tiff and two debugging output files from gdb and valgrind.

Procedure:
$ tiffset 19_tiffset.tiff 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 17 (0x11) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 21 (0x15) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22 (0x16) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 23 (0x17) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 28 (0x1c) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
Segmentation fault

These messages appear also in the downloaded debug reports.
Note that the TIFF file is changed by the test so a copy needs to be kept for completing the PoC.

CC: (none) => tarazed25
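The warnings in the transcript above come from libtiff's directory reader, which tolerates quite a lot (unsorted tags, unknown private tags, a tag whose data offset runs past EOF, missing Photometric and SamplesPerPixel) before tiffset ever gets to write the directory back. The checker below, added here as an example, is not libtiff's code and does not reproduce the crash; it parses the classic (non-BigTIFF) header and first IFD of an in-memory file and reports those same conditions, with message text modeled on libtiff's. The two TIFF byte strings it builds are constructed for illustration: a well-formed 1x1 grayscale image, and one that triggers the same class of warnings as the attached PoC (it is not 19_tiffset.tiff). All names and helpers here are the example's own.

```python
import struct

# TIFF 6.0 field types and their element sizes in bytes.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

# Small subset of the baseline tag set; anything else is reported as unknown.
KNOWN_TAGS = {
    256: "ImageWidth", 257: "ImageLength", 258: "BitsPerSample",
    259: "Compression", 262: "Photometric", 269: "DocumentName",
    273: "StripOffsets", 277: "SamplesPerPixel", 278: "RowsPerStrip",
    279: "StripByteCounts",
}


def _decode(end, typ, n, buf):
    """Decode n elements of TIFF type typ from buf; a single value is unwrapped."""
    if typ == 2:                              # ASCII: keep the raw bytes
        return buf[:n]
    fmt = {3: "H", 4: "I", 8: "h", 9: "i"}.get(typ)
    if fmt is None:                           # BYTE/UNDEFINED/RATIONAL...: raw bytes
        return buf
    vals = struct.unpack(end + "%d%s" % (n, fmt), buf[:n * TYPE_SIZES[typ]])
    return vals[0] if n == 1 else list(vals)


def parse_first_ifd(data):
    """Parse the header and first IFD of a classic TIFF held in memory.

    Returns (tags, warnings): tags maps tag number -> decoded value for every
    entry that could be read; warnings lists the problems found, worded like
    libtiff's TIFFReadDirectory messages.  Damage in the 8-byte header raises
    ValueError; damage inside the IFD only produces warnings, as libtiff does.
    """
    warnings = []
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    end = {b"II": "<", b"MM": ">"}.get(data[:2])
    if end is None:
        raise ValueError("bad byte-order mark %r" % data[:2])
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad magic number %d" % magic)
    if ifd_off + 2 > len(data):
        raise ValueError("first IFD offset %d lies beyond EOF" % ifd_off)

    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    tags, pos, prev_tag, sorted_ok = {}, ifd_off + 2, -1, True
    for i in range(count):
        if pos + 12 > len(data):
            warnings.append("IFD truncated: %d of %d entries present" % (i, count))
            break
        tag, typ, n, raw = struct.unpack(end + "HHI4s", data[pos:pos + 12])
        pos += 12
        if sorted_ok and tag < prev_tag:      # reported once, like libtiff
            sorted_ok = False
            warnings.append("Invalid TIFF directory; tags are not sorted in ascending order")
        prev_tag = tag
        name = KNOWN_TAGS.get(tag)
        if name is None:
            warnings.append("Unknown field with tag %d (0x%x) encountered" % (tag, tag))
            continue
        size = TYPE_SIZES.get(typ)
        if size is None:
            warnings.append("Unknown data type %d for %s; tag ignored" % (typ, name))
            continue
        total = n * size
        if total <= 4:                        # value is stored inline in the entry
            buf = raw[:total]
        else:                                 # otherwise the 4 bytes are a file offset
            (off,) = struct.unpack(end + "I", raw)
            if off + total > len(data):       # the "IO error during reading" case
                warnings.append('IO error during reading of "%s"; tag ignored' % name)
                continue
            buf = data[off:off + total]
        tags[tag] = _decode(end, typ, n, buf)
    if 262 not in tags:
        warnings.append("Photometric tag is missing")
    if 277 not in tags:
        warnings.append("SamplesPerPixel tag is missing")
    return tags, warnings


def make_tiff(entries, pixels=b"\x80"):
    """Build a little-endian TIFF with one IFD from (tag, type, count, raw4) entries.

    raw4 is the 4-byte value/offset field exactly as it appears on disk; the
    pixel strip is appended right after the IFD (see strip_offset()).
    """
    ifd = struct.pack("<H", len(entries))
    for tag, typ, n, raw4 in entries:
        ifd += struct.pack("<HHI", tag, typ, n) + raw4
    ifd += struct.pack("<I", 0)               # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd + pixels


def strip_offset(n_entries):
    """Offset of the pixel data make_tiff() places after an IFD of n entries."""
    return 8 + 2 + 12 * n_entries + 4


def short(v):                                 # inline SHORT, left-justified
    return struct.pack("<H", v) + b"\x00\x00"


def long_(v):                                 # inline LONG or an offset
    return struct.pack("<I", v)


# Constructed sample 1: a well-formed 1x1 8-bit grayscale image.
GOOD_ENTRIES = [
    (256, 4, 1, long_(1)), (257, 4, 1, long_(1)), (258, 3, 1, short(8)),
    (259, 3, 1, short(1)), (262, 3, 1, short(1)),
    (273, 4, 1, long_(strip_offset(9))), (277, 3, 1, short(1)),
    (278, 4, 1, long_(1)), (279, 4, 1, long_(1)),
]
GOOD_TIFF = make_tiff(GOOD_ENTRIES)

# Constructed sample 2 (not the attached PoC): unsorted tags, unknown private
# tags 17 and 21, a DocumentName whose data offset points past EOF, and no
# Photometric / SamplesPerPixel tags, i.e. the warning pattern seen above.
BAD_ENTRIES = [
    (256, 4, 1, long_(1)), (17, 3, 1, short(0)), (257, 4, 1, long_(1)),
    (269, 2, 20, long_(0x1000)), (21, 3, 1, short(0)),
    (273, 4, 1, long_(strip_offset(7))), (279, 4, 1, long_(1)),
]
BAD_TIFF = make_tiff(BAD_ENTRIES)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_TIFF), ("bad", BAD_TIFF)):
        tags, warns = parse_first_ifd(blob)
        print(label, tags)
        for w in warns:
            print("  warning:", w)
```

Running it on a file instead of the constructed samples is just `parse_first_ifd(open(path, "rb").read())`. The point of separating header errors (raise) from IFD problems (warn) is the same one libtiff makes: the reader keeps going on a damaged directory, so any tool that later rewrites it, as tiffset does, is operating on whatever the tolerant reader reconstructed, which is why a triage check like this belongs before the tool, not after it.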

Comment 2 Len Lawrence 2016-10-31 22:25:27 CET
Created attachment 8613
PoC test file for CVE-2016-3658

This file was written for an earlier bug but the comments on the current bug indicate that this is essentially the same one.
Comment 3 Len Lawrence 2016-10-31 23:15:51 CET
Updated the packages from Updates testing.

Ran the test again:
$ tiffset 19_tiffset.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 17 (0x11) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 21 (0x15) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22 (0x16) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 23 (0x17) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 28 (0x1c) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
_TIFFVSetField: Warning, SamplesPerPixel tag value is changing, but SMaxSampleValue tag was read with a different value. Cancelling it.

The patch handles the error and there is no longer a segfault.

$ wget photojournal.jpl.nasa.gov/tiff/PIA20966.tif
$ tiffgt PIA20966.tif
This displayed a photo of Ceres from the NASA archives.
Copied the tif file to Ikapati.tif and generated a copy in PGM format.
$ tifftopnm Ikapati.tif > Ikapati.pgm
$ tiffdump Ikapati.tif
This printed a summary of the structure of the file.
Experimented with tiffcp to combine images.
$ tiffcp -c none SantaMaria.tif Ikapati.tif craters.tif
This generated craters.tif.  tiffgt could see only the first frame (SantaMaria), but IM's display showed first the SantaMaria crater and then the Ikapati crater via the menu command file -> next.  Not a particularly useful example, but a demonstration that the process works.  tiffinfo showed information for frame 1 only and returned the error message about 'Invalid tag "BadFaxLines"', which seems to turn up now and again.
The original files were recovered as xaaa.tif and xaab.tif using tiffsplit.

Giving this the OK assuming it was CVE-2016-3658 that was to be checked.
Len Lawrence 2016-10-31 23:16:11 CET

Whiteboard: (none) => MGA5-64-OK

Comment 4 Lewis Smith 2016-11-01 21:10:51 CET
Advisory uploaded.

CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 5 Len Lawrence 2016-11-01 21:31:02 CET
Going to give this a quick run in i586 vbox.
Comment 6 Len Lawrence 2016-11-01 22:23:32 CET
The PoC using 19_tiffset.tiff failed as before with a segfault.

Installed the updates and tried again.  This time no segfault.

Ran the functionality tests again to exercise tiffgt, tiffinfo, tiffdump, tiffcp, tiffsplit and tifftopnm.  display showed the two frames in craters.tif. 
Used some of the tests described by Lewis on the collection he quoted.

$ tiff2pdf -d -o cayuga_2.pdf cayuga_2.tif
$ okular cayuga_2.pdf
$ tiff2rgba mcfaddin_2.tif mcfaddin_rgba.tif
$ tiffgt mcfaddin_rgba.tif
$ tifftopnm mcfaddin_1.tif > mcfaddin.ppm
$ display mcfaddin.ppm
$ tiff2ps sage_1.tif > sage.ps
$ gs sage.ps
GPL Ghostscript 9.14 (2014-03-26)
.....
$ tiff2bw -r 4 sage_2.tif sage_greyscale.tif
$ tiffgt sage_greyscale.tif 
$ tiffmedian -r 4 -c none falls_1.tif falls_median.tif
tiffgt shows posterized output.

All worked as expected.

OK for 32-bit.

This bug can be validated.
Len Lawrence 2016-11-01 22:24:50 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2016-11-02 09:44:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0361.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-11-02 18:43:43 CET

URL: (none) => http://lwn.net/Vulnerabilities/705366/
CC: (none) => luigiwalser

