CVEs have been assigned for security issues in libtiff:
http://openwall.com/lists/oss-security/2017/01/01/10
http://openwall.com/lists/oss-security/2017/01/01/11

There were several other CVE requests for libtiff today:
http://openwall.com/lists/oss-security/2017/01/01/

At least some of the issues have been fixed in upstream git.
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer
Assignee: bugsquad => nicolas.salguero
CC: (none) => marja11
Hi David,

The latest CVS version of libtiff corrects CVE-2016-1009[2-4] as well as many other security issues that have not been assigned a CVE. But CVE-2016-10095 and several other security issues that have not been assigned a CVE are not fixed yet (and I see no progress in solving those problems).

What is the best choice in your opinion: do I wait for a fix for at least CVE-2016-10095 or do I push a version (based upon the latest CVS version; in that case, I will create a separate bug report for CVE-2016-10095)?

Best regards,
Nico.
I guess we can give it a little more time, as that's a lot of issues being reported at once and I imagine they're still working on fixing them.
Debian has issued an advisory for this on January 13: https://www.debian.org/security/2017/dsa-3762
URL: (none) => https://lwn.net/Vulnerabilities/711777/
CVE-2017-5225: https://lwn.net/Vulnerabilities/712363/
I pushed to Cauldron a version that corrects at least CVE-2016-1009[2-4] and CVE-2017-5225.
CVE-2017-5849: http://openwall.com/lists/oss-security/2017/02/02/2
Summary: libtiff new security issues CVE-2016-1009[2-5] and more => libtiff new security issues CVE-2016-1009[2-5], CVE-2017-5225, CVE-2017-5849 and more
CVE-2016-1026[6-9] and CVE-2016-1027[0-2]:
http://openwall.com/lists/oss-security/2017/03/25/2
http://openwall.com/lists/oss-security/2017/03/25/3
(In reply to David Walser from comment #8)
> CVE-2016-1026[6-9] and CVE-2016-1027[0-2]:
> http://openwall.com/lists/oss-security/2017/03/25/2
> http://openwall.com/lists/oss-security/2017/03/25/3

Fedora has issued an advisory for this today (April 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CFEQDPO55JLW4OTNZMTCX6DPJFVJTWAK/
CVE-2017-759[2-9], CVE-2017-760[0-2]:
http://openwall.com/lists/oss-security/2017/04/10/1
http://openwall.com/lists/oss-security/2017/04/10/2
http://openwall.com/lists/oss-security/2017/04/10/3
http://openwall.com/lists/oss-security/2017/04/10/4
http://openwall.com/lists/oss-security/2017/04/10/5
(In reply to David Walser from comment #8)
> CVE-2016-1026[6-9] and CVE-2016-1027[0-2]:
> http://openwall.com/lists/oss-security/2017/03/25/2
> http://openwall.com/lists/oss-security/2017/03/25/3

Fedora has issued an advisory for this today (April 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KLH7V5OQSTAJWJSTJANTEQ4WZWONWL4W/
(In reply to David Walser from comment #10)
> CVE-2017-759[2-9], CVE-2017-760[0-2]:
> http://openwall.com/lists/oss-security/2017/04/10/1
> http://openwall.com/lists/oss-security/2017/04/10/2
> http://openwall.com/lists/oss-security/2017/04/10/3
> http://openwall.com/lists/oss-security/2017/04/10/4
> http://openwall.com/lists/oss-security/2017/04/10/5

Fedora has issued an advisory for this today (April 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YSX46XMIA34YREHKQOUGR2HDXPEUWNVH/
Cauldron has a newer snapshot, which already includes all these CVE fixes.
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
Version: Cauldron => 5
Debian has issued an advisory for this on May 3:
https://www.debian.org/security/2017/dsa-3844

It includes CVE-2016-3658 and CVE-2016-9535, which I don't believe I've previously mentioned.
Package : tiff
CVE ID : CVE-2016-3658 CVE-2016-9535 CVE-2016-10266 CVE-2016-10267 CVE-2016-10269 CVE-2016-10270 CVE-2017-5225 CVE-2017-7592 CVE-2017-7593 CVE-2017-7594 CVE-2017-7595 CVE-2017-7596 CVE-2017-7597 CVE-2017-7598 CVE-2017-7599 CVE-2017-7600 CVE-2017-7601 CVE-2017-7602

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service, memory disclosure or the execution of arbitrary code.
CC: (none) => zombie_ryushu
Upstream today (June 1) committed a fix for an unfixed remaining portion of CVE-2014-8128: http://bugzilla.maptools.org/show_bug.cgi?id=2580#c7
(In reply to David Walser from comment #16)
> Upstream today (June 1) committed a fix for an unfixed remaining portion of
> CVE-2014-8128:
> http://bugzilla.maptools.org/show_bug.cgi?id=2580#c7

Original bug for that was here:
http://bugzilla.maptools.org/show_bug.cgi?id=2499
libtiff-4.0.8-2.mga6 contains the fix.
I did not see that the fix from June 1 also fixed CVE-2016-10095 so all the CVEs listed in this bug report are now fixed.
Suggested advisory:
========================

The updated packages fix several security vulnerabilities:

Heap-based buffer overflow in the readContigStripsIntoBuffer function in tif_unix.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image. (CVE-2016-10092)

Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image, which triggers a heap-based buffer overflow. (CVE-2016-10093)

Off-by-one error in the t2p_readwrite_pdf_image_tile function in tools/tiff2pdf.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image. (CVE-2016-10094)

Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file. (CVE-2016-10095)

LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. (CVE-2017-5225)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. (CVE-2016-10266)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. (CVE-2016-10267)

tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23. (CVE-2016-10268)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. (CVE-2016-10269)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. (CVE-2016-10270)

tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 1" and libtiff/tif_fax3.c:413:13. (CVE-2016-10271)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "WRITE of size 2048" and libtiff/tif_next.c:64:9. (CVE-2016-10272)

The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7592)

tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. (CVE-2017-7593)

The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. (CVE-2017-7594)

The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. (CVE-2017-7595)

LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7596)

tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7597)

tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. (CVE-2017-7598)

LibTIFF 4.0.7 has an "outside the range of representable values of type short" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7599)

LibTIFF 4.0.7 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7600)

LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7601)

LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7602)

The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable. (CVE-2016-3658)

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." (CVE-2016-9535)

libtiff: out-of-bounds write in multiple tools. (CVE-2014-8128)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9535
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
========================

Updated packages in core/updates_testing:
========================

i586:
libtiff-progs-4.0.8-1.mga5.i586.rpm
libtiff5-4.0.8-1.mga5.i586.rpm
libtiff-devel-4.0.8-1.mga5.i586.rpm
libtiff-static-devel-4.0.8-1.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.8-1.mga5.x86_64.rpm
lib64tiff5-4.0.8-1.mga5.x86_64.rpm
lib64tiff-devel-4.0.8-1.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.8-1.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.8-1.mga5.src.rpm
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
x86_64

Working on these - likely to take the rest of the weekend. There are several PoC files to test the libtiff tools; with ASAN diagnostics wouldn't you know.
CC: (none) => tarazed25
Still accumulating test data....
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Created attachment 9422 [details] List of reproducer files indexed on CVE No reproducers found for several of these. For some, several issues are addressed on the one CVE.
Created attachment 9423 [details] Collection of crafted files to be used for proof of concept There are no attributions for any of these, yet, but the original names of the files have been kept wherever possible to allow backtracking via browser searches.
Created attachment 9424 [details] Digest of poc tests run before update
Created attachment 9425 [details] List of poc test commands
Created attachment 9427 [details] Summary of poc tests after the update
A number of PoC files have been collected from the CVE backlinks and tested both before and after updating libtiff. The results are attached, too long and tedious to be posted in the clear. Some of the CVEs do not have any obvious way to be tested. The weak point in these tests is the interpretation of the output because the results are rarely clear-cut except where the earlier tests produce an abort, segfault or exception, but I have assigned pass or inconclusive as seems fitting. If the functionality tests run fine then maybe the whole lot should be given the OK in spite of the lack of complete evidence that the patches work. It is what we would do if there were no PoCs at all.
Functionality tests were conducted using the available libtiff tools in /usr/bin. Test results attached.

Roster of libtiff utilities:
/bin/fax2tiff
/bin/pamtotiff
/bin/pnmtotiff
/bin/pnmtotiffcmyk
/bin/ppm2tiff
/bin/PTtiff2psd
/bin/PTtiffdump
/bin/raw2tiff
/bin/tiff2bw
/bin/tiff2pdf
/bin/tiff2ps
/bin/tiff2rgba
/bin/tiffcmp
/bin/tiffcp
/bin/tiffcrop
/bin/tiffdither
/bin/tiffdump
/bin/tiffgt
/bin/tiffinfo
/bin/tiffmedian
/bin/tiffset
/bin/tiffsplit
/bin/tifftopnm

Some sample TIFF images: http://web.stanford.edu/class/ee398a/samples.htm

These were all quick tests to show that the basic functions work; it was possible to run all of the tools except raw2tiff and fax2tiff. Giving this an OK notwithstanding the uncertainties about the CVEs.
Whiteboard: advisory => advisory MGA5-64-OK
Created attachment 9429 [details] Functionality tests using libtiff utilities
MGA5-32 on Asus A6000VM Xfce

No installation issues.

Repeating Len's post-update test as in his attachment above with the poc tiff files, I'll give feedback below when my results deviate.

$ tiffcp -i 00082-libtiff-heap-overflow-cpStripToTile /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 8450 (0x2102) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1301 (0x515) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 30069 (0x7575) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16384 (0x4000) encountered.
00082-libtiff-heap-overflow-cpStripToTile: Warning, Nonstandard tile width 6, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 62708 (0xf4f4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
and more
TIFFFetchNormalTag: Warning, Incompatible type for "PhotometricInterpretation"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, Incompatible type for "Make"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 789"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 778"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 1051" value failed; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 2565"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16388"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 5" value failed; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFScanlineSize: Integer arithmetic overflow.
TIFFReadDirectory: Cannot handle zero scanline size.

resulting in

$ ls -als /tmp/foo
4 -rw-r--r-- 1 tester5 tester5 8 jun 30 14:12 /tmp/foo

which cannot be opened with ristretto.
CC: (none) => herman.viaene
$ tiff2pdf 00112-libtiff-heapoverflow-_TIFFmemcpy -o /tmp/foo
Difference is that the pdf file has a wide but very short red rectangle on top of the page.

$ tiffsplit 00104-libtiff-stackoverflow-_TIFFVGetField
No feedback at CLI, but file xaaa.tiff created. Ristretto finds it contains 21 parts but none of these display.

$ tiffcp -p separate poc_2656.tiff output.tiff
TIFFOpen: poc_2656.tiff: No such file or directory.
???????

$ tiffcrop 00099-libtiff-fpe-readSeparateStripsIntoBuffer /tmp/foo
foo file cannot be read by ristretto

$ tiffcp -i 00068-libtiff-heapoverflow-_tiffWriteProc /tmp/foo
resulting file cannot be read by ristretto

$ tiffcp -i 00123-libtiff-fpe-JPEGSetupEncode /tmp/out
resulting file cannot be read by ristretto

None of the test cases result in an abort.
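The QA comments above run each reproducer through a libtiff tool by hand and read the verdict off whether the tool aborted or segfaulted. As an added example (not code from this bug report, from Mageia QA or from libtiff), here is a small POSIX sh harness that automates that triage: it runs the same tool invocations used above over a directory of reproducer files under a time limit and classifies each run by exit status, so an abort, segfault or hang stands out from the warning noise. It assumes POSIX sh, the tools on PATH, optionally coreutils timeout, and an assumed POC_DIR environment variable naming the reproducer directory.

```shell
#!/bin/sh
# Added QA triage helper (not from this bug report or from libtiff).
# Runs the tool invocations used in the QA comments over a directory of
# reproducer files and classifies each run by exit status, so an abort,
# segfault or hang stands out from the usual TIFF warning noise.
# Assumes POSIX sh; uses coreutils `timeout` when present. POC_DIR is an
# assumed environment variable naming the directory of reproducers.

# Map an exit status to a verdict. 124 is timeout(1)'s own status;
# 128+N means the tool was killed by signal N (134 SIGABRT, 136 SIGFPE,
# 139 SIGSEGV). Any other non-zero status is an ordinary tool error.
classify_status() {
    case "$1" in
        0)   echo "pass" ;;
        124) echo "timeout" ;;
        134) echo "crash:SIGABRT" ;;
        136) echo "crash:SIGFPE" ;;
        139) echo "crash:SIGSEGV" ;;
        *)   if [ "$1" -gt 128 ]; then echo "crash:signal$(( $1 - 128 ))"
             else echo "error:exit$1"; fi ;;
    esac
}

# Run one command with a 30 s limit, discard its output and print the verdict.
run_case() {
    if command -v timeout >/dev/null 2>&1; then set -- timeout 30 "$@"; fi
    if "$@" >/dev/null 2>&1; then status=0; else status=$?; fi
    classify_status "$status"
}

# For every file in $1, run the same invocations the QA comments used
# (tiffcp -i, tiff2pdf -o, tiffsplit, tiffcrop, plus tiffinfo) and print
# one "tool verdict file" line per run; tools not installed are skipped.
run_all() {
    dir="$1"; out="${TMPDIR:-/tmp}/poc_out.$$"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        for tool in tiffcp tiff2pdf tiffsplit tiffcrop tiffinfo; do
            command -v "$tool" >/dev/null 2>&1 || continue
            case "$tool" in
                tiffcp)    v=$(run_case tiffcp -i "$f" "$out") ;;
                tiff2pdf)  v=$(run_case tiff2pdf "$f" -o "$out") ;;
                tiffsplit) v=$(run_case tiffsplit "$f" "$out.") ;;
                tiffcrop)  v=$(run_case tiffcrop "$f" "$out") ;;
                tiffinfo)  v=$(run_case tiffinfo "$f") ;;
            esac
            printf '%-10s %-14s %s\n' "$tool" "$v" "$(basename "$f")"
            rm -f "$out" "$out".*
        done
    done
}

# Only run the sweep when POC_DIR is set, so the file also loads as a library.
if [ -n "${POC_DIR:-}" ]; then run_all "$POC_DIR"; fi
```

Run it once before and once after installing the update and diff the two outputs: a line that moves from crash:* to pass or error:* is the clear-cut evidence the comments above say is otherwise hard to get.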
Did some functional tests, guided by attachment above, and found some differences compared to Len's results: The "cmyk" commands resulted in image files that could not be opened by ristretto nor Eye of Mate: wrong initial byte. But neither Gimp nor LibreOffice Draw complained and opened OK. The "tiffgt" command did result in a color image not greyscale. Otherwise I see no problems.
Whiteboard: advisory MGA5-64-OK => MGA5-64-OK MGA5-32-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0199.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
CVE-2017-9147, CVE-2017-9403, CVE-2017-9404 also fixed by this update.