A CVE has been assigned for a security issue fixed upstream in libtiff: http://openwall.com/lists/oss-security/2016/11/11/6
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA5TOO
Assigning to maintainer
CC: (none) => marja11
Assignee: bugsquad => nicolas.salguero
CVE request for an issue fixed today: http://openwall.com/lists/oss-security/2016/11/11/14
And another one: http://openwall.com/lists/oss-security/2016/11/12/2
(In reply to David Walser from comment #3)
> And another one:
> http://openwall.com/lists/oss-security/2016/11/12/2

CVE-2016-9297:
http://openwall.com/lists/oss-security/2016/11/14/7
Summary: libtiff new security issue CVE-2016-9273 => libtiff new security issues CVE-2016-9273 and CVE-2016-9297
Suggested advisory:
========================

The updated packages fix several security vulnerabilities:

A read outside of array in tiffsplit (or other utilities using TIFFNumberOfStrips()) (CVE-2016-9273).

A potential read outside buffer in _TIFFPrintField() (CVE-2016-9297).

Multiple uint32 overflows in writeBufferToSeparateStrips(), writeBufferToContigTiles() and writeBufferToSeparateTiles() that could cause heap buffer overflows (CVE number not assigned yet).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9297
========================

Updated packages in core/updates_testing:
========================
i586:
libtiff-progs-4.0.6-1.6.mga5.i586.rpm
libtiff5-4.0.6-1.6.mga5.i586.rpm
libtiff-devel-4.0.6-1.6.mga5.i586.rpm
libtiff-static-devel-4.0.6-1.6.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.6-1.6.mga5.x86_64.rpm
lib64tiff5-4.0.6-1.6.mga5.x86_64.rpm
lib64tiff-devel-4.0.6-1.6.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.6-1.6.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.6-1.6.mga5.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 5
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA5TOO => (none)
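The third item in the advisory above is a size computation that wraps in 32 bits before the result is handed to the allocator, so the heap buffer ends up far smaller than the strip data later copied into it. The following is an added example, not libtiff's code and not part of the bug report: it computes the same product that the patched tiffcrop names in its error message, rowsperstrip * bytes_per_sample * (width + 1), once with an overflow check at every step and once unchecked, on constructed dimensions (the function names, and the values 65536 / 2 / 65535, are assumptions chosen so the product is exactly 2^33).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Multiply two uint32 values; return 0 and leave *out untouched if the
 * product would not fit in 32 bits. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hypothetical checked version of the strip buffer size:
 *   rowsperstrip * bytes_per_sample * (width + 1)
 * Returns 1 and sets *size on success, 0 if any intermediate step would wrap
 * (including width + 1 itself). */
int strip_buffer_size(uint32_t rowsperstrip, uint32_t bytes_per_sample,
                      uint32_t width, uint32_t *size)
{
    uint32_t rows_bytes;

    if (width == UINT32_MAX)            /* width + 1 would wrap to 0 */
        return 0;
    if (!mul_u32_checked(rowsperstrip, bytes_per_sample, &rows_bytes))
        return 0;
    return mul_u32_checked(rows_bytes, width + 1, size);
}

/* Unchecked form of the same expression. Unsigned arithmetic wraps silently,
 * so a huge image yields a tiny (here: zero-byte) allocation size. */
uint32_t strip_buffer_size_unchecked(uint32_t rowsperstrip,
                                     uint32_t bytes_per_sample,
                                     uint32_t width)
{
    return rowsperstrip * bytes_per_sample * (width + 1);
}

int main(void)
{
    /* Constructed dimensions, not taken from the PoC file: 65536 * 2 * 65536 = 2^33. */
    uint32_t size;

    if (strip_buffer_size(65536, 2, 65535, &size))
        printf("strip buffer size: %" PRIu32 "\n", size);
    else
        printf("Error, uint32 overflow when computing "
               "rowsperstrip * bytes_per_sample * (width + 1).\n");

    printf("unchecked product wraps to: %" PRIu32 "\n",
           strip_buffer_size_unchecked(65536, 2, 65535));
    return 0;
}
```

The unchecked product for the constructed image is 0, which is exactly the kind of value that makes a subsequent write of the real strip data corrupt the heap; the checked version refuses and the caller can fail the write cleanly, which is the behaviour the updated tiffcrop shows in the test below.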
x86_64

Before updates:

Downloaded the PoC test file attached to this bug:
http://bugzilla.maptools.org/show_bug.cgi?id=2592

$ tiffcrop 2016-11-10-heap-buffer-overflow.tif test
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 515 (0x203) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 518 (0x206) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65278 (0xfefe) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32557 (0x7f2d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 309"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpreation tag.
*** Error in `tiffcrop': malloc(): memory corruption: 0x00000000021088e0 ***

Used Ctrl-C to abort. This matches the error report on the bug. The ASan report contains a lot more information.

CVE-2016-9297

There is a PoC available at http://bugzilla.maptools.org/show_bug.cgi?id=2590
The testfile downloads as test000.gz which unzips to test000, which 'file' identifies as TIFF image data, confirmed with 'od -x'. The original report claims that it crashes only if run in a particular harness, but ImageMagick produces messages which match the first section of the output posted on the bug report. Use identify or display.

$ identify test000.tif
identify: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/896.
identify: Unknown field with tag 12336 (0x3030) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/896.
identify: Unknown field with tag 12291 (0x3003) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/896.
identify: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/896.
identify: improper image header `test000.tif' @ error/tiff.c/ReadTIFFImage/1219.

or:

$ tiffinfo -i test000.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12291 (0x3003) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFF Directory at offset 0x62 (98)
  Image Width: 12336 Image Length: 12336
  Compression Scheme: None
  Planar Configuration: single image plane
  Tag 12291: 0 �

CVE-2016-9273

Download test049.gz from http://bugzilla.maptools.org/show_bug.cgi?id=2587
test049 is a malformed TIFF file which can be tested with tiffsplit.

$ tiffsplit test049
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
CC: (none) => tarazed25
Updated the packages from Core Updates Testing and ran the PoC tests.

$ tiffcrop 2016-11-10-heap-buffer-overflow.tif test
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 515 (0x203) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 518 (0x206) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65278 (0xfefe) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32557 (0x7f2d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 309"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpreation tag.
test: Error, uint32 overflow when computing rowsperstrip * bytes_per_sample * (width + 1).
: Unable to write separate strip data for page 0.
TIFFFetchDirectory: Can not read TIFF directory count.
TIFFReadDirectory: Failed to read directory at offset 5592.

This looks satisfactory in that the patched software now recognizes the cause of the overflow and closes down cleanly.

$ identify test000.tif
identify: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/896.
identify: Unknown field with tag 12336 (0x3030) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/896.
identify: Unknown field with tag 12291 (0x3003) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/896.
identify: ASCII value for tag "Tag 12291" does not end in null byte. Forcing it to be null. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/896.
identify: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/896.
identify: improper image header `test000.tif' @ error/tiff.c/ReadTIFFImage/1219.

This too now precisely identifies the source of the problem.

$ tiffinfo -i test000.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12291 (0x3003) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "Tag 12291" does not end in null byte. Forcing it to be null.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFF Directory at offset 0x62 (98)
  Image Width: 12336 Image Length: 12336
  Compression Scheme: None
  Planar Configuration: single image plane
  Tag 12291:

This looks almost the same as before but does not produce the grabage string at the end.

$ tiffsplit test049
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFFetchDirectory: Can not read TIFF directory count.
TIFFReadDirectory: Failed to read directory at offset 808464432.

This looks like an improvement also. Leaving the functionality checks until later.
s/grabage/garbage/

And note also for 'tiffinfo -i test000.tif':
TIFFFetchNormalTag: Warning, ASCII value for tag "Tag 12291" does not end in null byte. Forcing it to be null.
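The "Tag 12291: 0 �" line in the pre-update tiffinfo output and the "does not end in null byte. Forcing it to be null." warning after the update are the two sides of CVE-2016-9297: an ASCII tag value whose on-disk bytes carry no terminator, printed with a routine that keeps reading until it finds one. The following is an added example, not libtiff's code and not part of this bug's PoC: it fetches an ASCII tag value by its directory count into a buffer that is always NUL-terminated, reports when the terminator had to be forced, and shows how far a "%s"-style print would walk on the raw bytes (the function names and the sample byte strings are constructed for illustration).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy `count` bytes of an ASCII tag value (as given by the directory entry)
 * into a freshly allocated string that is guaranteed to be NUL-terminated.
 * *forced is set to 1 when the file's value had no terminator and one was
 * appended; this is the condition the updated libtiff warns about.
 * Returns NULL for an empty count, a count whose +1 would wrap, or OOM.
 * Caller frees the result. */
char *fetch_ascii_tag(const uint8_t *raw, uint32_t count, int *forced)
{
    char *out;

    *forced = 0;
    if (count == 0 || count == UINT32_MAX)
        return NULL;
    out = malloc((size_t)count + 1);    /* room for our own terminator */
    if (out == NULL)
        return NULL;
    memcpy(out, raw, count);
    if (raw[count - 1] != '\0')
        *forced = 1;
    out[count] = '\0';                  /* terminate regardless of the file */
    return out;
}

/* Number of bytes a "%s" print would consume from `raw` if it stopped at the
 * first NUL within the tag's count. Returning `count` means no terminator was
 * found inside the value, i.e. an unbounded print would read past it. */
uint32_t ascii_tag_visible_len(const uint8_t *raw, uint32_t count)
{
    uint32_t i;

    for (i = 0; i < count; i++)
        if (raw[i] == '\0')
            return i;
    return count;
}

int main(void)
{
    /* Constructed sample tag values; not bytes from test000. */
    static const uint8_t terminated[]   = { 'G', 'I', 'M', 'P', '\0' };
    static const uint8_t unterminated[] = { 'G', 'I', 'M', 'P' };
    int forced;
    char *s;

    s = fetch_ascii_tag(terminated, (uint32_t)sizeof terminated, &forced);
    printf("terminated:   \"%s\" forced=%d\n", s, forced);
    free(s);

    s = fetch_ascii_tag(unterminated, (uint32_t)sizeof unterminated, &forced);
    printf("unterminated: \"%s\" forced=%d\n", s, forced);
    free(s);

    /* A raw print of `unterminated` would walk all 4 bytes and keep going. */
    printf("visible length of raw unterminated value: %u of %u\n",
           (unsigned)ascii_tag_visible_len(unterminated, 4), 4u);
    return 0;
}
```

The point of the two-step shape is that the fetch, not the printer, is where the terminator gets enforced, so every later consumer of the tag (printing, copying, comparing) can treat it as an ordinary C string without re-checking the count.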
Roster of libtiff utilities:
/bin/fax2tiff
/bin/pamtotiff
/bin/pfsintiff
/bin/pfsouttiff
/bin/pnmtotiff
/bin/pnmtotiffcmyk
/bin/ppm2tiff
/bin/raw2tiff
/bin/tiff2bw
/bin/tiff2pdf
/bin/tiff2ps
/bin/tiff2rgba
/bin/tiffcmp
/bin/tiffcp
/bin/tiffcrop
/bin/tiffdither
/bin/tiffdump
/bin/tiffgamut
/bin/tiffgt
/bin/tiffinfo
/bin/tiffmedian
/bin/tiffset
/bin/tiffsplit
/bin/tifftopnm

Some sample TIFF images:
http://web.stanford.edu/class/ee398a/samples.htm
Tested some of the tiff utilities after the update. tiffgt to display tif[f] images, otherwise display.

$ ppm2tiff Ikapati.pgm ppm.tiff
OK

$ tiff2rgba bbc2.tif bbc2_rgba.tif
$ tiff2rgba -n bbc2.tif bbc2_rgb.tif
Could not distinguish these by eye but the headers looked different:

1) with alpha channel
0000000 4949 002a 2180 0000 007f 6058 00ff 6058
0000020 00ff 6058 00ff 6058 00ff 6058 00ff 6058

2) RGB only
0000000 4949 002a 193e 0000 007f 6058 5800 0060
0000020 6058 5800 0060 6058 5800 0060 6058 5800

$ tiffdump macbethcolourscan.tif
macbethcolourscan.tif:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 8 (0x8) next 0 (0)
SubFileType (254) LONG (4) 1<0>
ImageWidth (256) SHORT (3) 1<850>
ImageLength (257) SHORT (3) 1<1159>
BitsPerSample (258) SHORT (3) 3<8 8 8>
Compression (259) SHORT (3) 1<1>
Photometric (262) SHORT (3) 1<2>
StripOffsets (273) LONG (4) 1<400>
SamplesPerPixel (277) SHORT (3) 1<3>
RowsPerStrip (278) SHORT (3) 1<1159>
StripByteCounts (279) LONG (4) 1<2955450>
XResolution (282) RATIONAL (5) 1<106.25>
YResolution (283) RATIONAL (5) 1<106.25>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
34377 (0x8649) BYTE (1) 184<0x38 0x42 0x49 0x4d 0x3 0xed 00 00 00 00 00 0x10 00 0x6a 0x40 00 00 0x1 00 0x1 00 0x6a 0x40 00 ...>

$ identify macbethcolourscan.tif
macbethcolourscan.tif TIFF 850x1159 850x1159+0+0 8-bit sRGB 2.956MB 0.000u 0:00.000

$ tiffdither PIA20966.tif dithered.tif
This converted a greyscale image of Ceres into a two-level dithered image.

$ tiff2bw lena_color.tiff lena.tif
Generated a greyscale image OK. The utility will handle only RGB and Palette images (?).

$ tiff2pdf -o ortex.pdf ortex.tiff
$ okular ortex.pdf
Full page colour display.

$ tifftopnm smandril.tif > mandrill.pgm
tifftopnm: writing PGM file

$ tiffcp airfield.tif boats.tif harbour.tif peppers.tif greycombo.tif
$ display greycombo.tif
'Next' command used to traverse the four images.

$ mkdir temp
$ cp greycombo.tif temp
$ cd temp
$ tiffsplit greycombo.tif
$ ls
greycombo.tif xaaa.tif xaab.tif xaac.tif xaad.tif
$ display x*
Recovered images matched the originals.

$ tiff2ps -w 4 -h 6 einstein.tif > einstein.eps
This is supposed to generate encapsulated PostScript with the image scaled to 6 inches by 4 inches. Instead it produces a tiny image on the page. It can be viewed by Ghostscript (gs) or LO Writer. In the latter the -w and -h options actually position the image on the page. The structure of the file looks OK but I am no expert.

$ less einstein.eps
%!PS-Adobe-3.0 EPSF-3.0
%%Creator: tiff2ps
%%Title: einstein.tif
%%CreationDate: Wed Nov 16 20:22:27 2016
%%DocumentData: Clean7Bit
%%Origin: 0 0
%%BoundingBox: 0 0 288 432
%%LanguageLevel: 1
%%Pages: 1 1
%%EndComments
%%Page: 1 1
gsave
100 dict begin
0.000000 416.640000 translate
15.360000 15.360000 scale
%ImageData: 256 256 8 1 0 1 2 "image"
/scanLine 256 string def
256 256 8
[256 0 0 -256 0 256]
{currentfile scanLine readhexstring pop} bind
image
0000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000002e2e2e2e2e2f2f31302f302f302f2d2b2b2d2f302f2f2d
2e313a5260584b3e3f3f3e4f6b757048454c57666d7b736f65778a9190918c8b8c8c89
........................

I edited the scaling, multiplying it by 10, and that enlarged the image accordingly. Looks like the size switches are being ignored. Such problems are possibly due to unreported bugs or unimplemented features. I would not worry about them. It would be an upstream issue anyhow.
The libraries in general pass muster. Giving this the OK.
Whiteboard: (none) => MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0388.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/706846/
(In reply to David Walser from comment #2)
> CVE request for an issue fixed today:
> http://openwall.com/lists/oss-security/2016/11/11/14

CVE-2016-9532:
http://www.openwall.com/lists/oss-security/2016/11/22/1

That was also fixed in this update. Advisory in SVN has been updated.
Summary: libtiff new security issues CVE-2016-9273 and CVE-2016-9297 => libtiff new security issues CVE-2016-9273, CVE-2016-9297, and CVE-2016-9532
(In reply to David Walser from comment #12)
> (In reply to David Walser from comment #2)
> > CVE request for an issue fixed today:
> > http://openwall.com/lists/oss-security/2016/11/11/14
>
> CVE-2016-9532:
> http://www.openwall.com/lists/oss-security/2016/11/22/1
>
> That was also fixed in this update.
>
> Advisory in SVN has been updated.

LWN reference:
https://lwn.net/Vulnerabilities/707212/