Bug 21195 - libtiff new security issues CVE-2017-9936 and CVE-2017-10688
Summary: libtiff new security issues CVE-2017-9936 and CVE-2017-10688
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-07-07 04:29 CEST by David Walser
Modified: 2017-07-22 10:58 CEST

See Also:
Source RPM: libtiff-4.0.8-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-07-07 04:29:27 CEST
Debian has issued an advisory on July 5:
https://www.debian.org/security/2017/dsa-3903

It's possible we may have already addressed these in Bug 20057, but I'm not sure.
David Walser 2017-07-07 05:24:00 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Nicolas Salguero 2017-07-07 11:37:44 CEST
Hi,

Some issues have already been addressed: CVE-2017-9147, CVE-2017-9403, CVE-2017-9404.

But CVE-2017-9936 and CVE-2017-10688 remain.

Best regards,

Nico.
David Walser 2017-07-07 12:05:58 CEST

Summary: libtiff new security issues CVE-2017-9147, CVE-2017-9403, CVE-2017-9404, CVE-2017-9936, CVE-2017-10688 => libtiff new security issues CVE-2017-9936 and CVE-2017-10688

Comment 2 Nicolas Salguero 2017-07-07 13:13:23 CEST
For Mga6, freeze push request.

For Mga5, libtiff-4.0.8-1.1.mga5 fixes CVE-2017-9936 and CVE-2017-10688.
Comment 3 David Walser 2017-07-09 03:33:26 CEST
Patched packages uploaded for Mageia 5 and Cauldron.  Thanks Nicolas!

Advisory:
========================

Updated libtiff packages fix security vulnerabilities:

Multiple vulnerabilities have been discovered in the libtiff library and the
included tools, which may result in denial of service or the execution of
arbitrary code (CVE-2017-9936, CVE-2017-10688).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688
https://www.debian.org/security/2017/dsa-3903
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.8-1.1.mga5
libtiff5-4.0.8-1.1.mga5
libtiff-devel-4.0.8-1.1.mga5
libtiff-static-devel-4.0.8-1.1.mga5

from libtiff-4.0.8-1.1.mga5.src.rpm

Version: Cauldron => 5
Whiteboard: MGA6TOO, MGA5TOO => (none)
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs

Comment 4 Len Lawrence 2017-07-14 17:01:49 CEST
x86_64  real hardware  Mate

Before the update:

Downloaded poc1 from http://bugzilla.maptools.org/show_bug.cgi?id=2706.
Downloaded POC1.rar from http://bugzilla.maptools.org/show_bug.cgi?id=2712 and
extracted POC1.

[CVE-2017-9936]
$ tiff2ps poc1
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 24655 (0x604f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 62085 (0xf285) encountered.
..............................
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 34203" value failed; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16384"; tag ignored.
%!PS-Adobe-3.0 EPSF-3.0
%%Creator: tiff2ps
%%Title: poc1
....................................
image
JBIG: Error (80) decoding: Unknown marker segment encountered.
poc1: Can't read strip.

end
grestore
showpage
%%Trailer
%%EOF

< A long wait while it tried to process the included image. >
$

$ tiff2pdf poc1
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 24655 (0x604f) encountered.
.....................................
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 34203" value failed; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16384"; tag ignored.
%PDF-1.1 
%���
1 0 obj
.........................
/Decode [ 1 0 ]
 >>
stream
JBIG: Error (32) decoding: Unexpected end of input data stream.
tiff2pdf: Error on decoding strip 0 of poc1.
tiff2pdf: An error occurred creating output PDF file.
--------------------------------------------------------------------------------------

[CVE-2017-10688]
$ tiffset POC1
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
tiffset: tif_dirwrite.c:2127: TIFFWriteDirectoryTagCheckedLong8Array: Assertion `tif->tif_flags&0x80000U' failed.
Abort

==========================================================================
After updates.

$ tiff2ps poc1
The error trace looks the same as before, so does the output from
$ tiff2pdf poc1

$ tiffset POC1
POC1: Failed to allocate memory for to read TIFF directory (0 elements of 12 bytes each).
TIFFReadDirectory: Failed to read directory at offset 5356.

The situation is handled more gracefully here and no abort.
So, OK for CVE-2017-10688 but there is nothing to go on for CVE-2017-9936.

Checked the viability of the updated libraries by running simple image tests on various files using the tiff utilities.  No regressions.

Where do we go from here?

CC: (none) => tarazed25

Len Lawrence 2017-07-14 17:03:31 CEST

Keywords: (none) => NEEDINFO
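
The before/after comparison in Comment 4 can be scripted. This is an added example, not part of the bug report or of libtiff: it labels how a tool run ends (clean exit, error exit, signal such as the assertion abort, or hang) and compares two labels. The helper names are hypothetical and it assumes GNU coreutils `timeout`.

```shell
#!/bin/sh
# Added example, not from the bug report. classify_run, is_failure and
# verdict_change are hypothetical helper names; assumes GNU coreutils `timeout`.

# usage: classify_run SECONDS command [args...]
# Prints one label describing how the command ended.
classify_run() {
    limit=$1; shift
    status=0
    timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -eq 124 ]; then
        echo "timeout"                              # still running at the limit
    elif [ "$status" -gt 128 ]; then
        echo "killed-by-signal-$((status - 128))"   # 134 = 128 + SIGABRT (6)
    else
        echo "error-exit-$status"                   # the tool reported the error itself
    fi
}

# True when a label means the process was killed or had to be stopped.
is_failure() {
    case "$1" in
        killed-by-signal-*|timeout) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: verdict_change BEFORE AFTER   (two labels from classify_run)
verdict_change() {
    if is_failure "$1"; then
        if is_failure "$2"; then echo "still-failing"; else echo "improved"; fi
    elif is_failure "$2"; then
        echo "regressed"
    else
        echo "no-visible-change"
    fi
}

# Typical use, run once before and once after installing the update:
#   before=$(classify_run 60 tiffset POC1)
#   after=$(classify_run 60 tiffset POC1)
#   verdict_change "$before" "$after"
```

A result of `no-visible-change` only means the exit behaviour did not differ; a defect that never crashes the tool, such as one visible only under ASAN, is outside what this check can show.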

Comment 5 David Walser 2017-07-14 21:33:03 CEST
Len, just a reminder that NEEDINFO is not the right item to add when QA has a question about an update.  That's for when the bug squad or a developer needs clarification on what the original bug is about from the reporter.  QA should put feedback in the whiteboard in cases like this.

CVE-2017-9936 is not a crash and is only detectable with ASAN, which we were unable to get working when we tried before, so you can pass this update.

Keywords: NEEDINFO => (none)

Comment 6 Len Lawrence 2017-07-15 08:02:58 CEST
Thanks David.  Yes I had noticed that the original analysis depended on ASAN.

Thanks also for the feedback information.  I could not find feedback in the list of keywords so used NEEDINFO instead.  Did not realize that you just write feedback onto the whiteboard.

Adding the OK for 64-bits.

Whiteboard: (none) => MGA5-64-OK

Comment 7 Herman Viaene 2017-07-17 14:17:19 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Similar output with poc as above, except for:
$ tiffset POC1
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
TIFFWriteDirectoryTagCheckedLong8Array: LONG8 not allowed for ClassicTIFF.

Tried commands with images used on previous updates for libtiff:
tiff2pdf is OK
but mind this:
$ tiff2ps 1973-024.tif -O 1973-024.ps
against
$ tiff2pdf 1973-024.tif -o 1973-024.pdf
OK for me.

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
CC: (none) => herman.viaene

Comment 8 Lewis Smith 2017-07-20 11:42:59 CEST
Advisoried, validating.

Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 9 Mageia Robot 2017-07-22 10:58:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0210.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

