A CVE has been assigned for a security issue in libtiff: http://openwall.com/lists/oss-security/2017/12/02/1 I don't believe it has been fixed yet.
Assigning to the registered libtiff maintainer.
CC: (none) => marja11
Assignee: bugsquad => nicolas.salguero
Whiteboard: (none) => MGA6TOO, MGA5TOO
No fix upstream yet, so no fix for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
For Cauldron, I submitted a new version that corresponds to latest git snapshot and that fixes CVE-2017-9935 and CVE-2017-18013.
Summary: libtiff new security issue CVE-2017-17095 => libtiff new security issues CVE-2017-17095, CVE-2017-9935 and CVE-2017-18013
SUSE has issued an advisory on January 12: https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00036.html It lists CVE-2017-16232, which we haven't mentioned before.
openSUSE has issued an advisory on January 15: https://lists.opensuse.org/opensuse-updates/2018-01/msg00041.html It fixes the same issues as the SUSE advisory.
Debian has issued an advisory on January 27: https://www.debian.org/security/2018/dsa-4100 It fixes some of these issues, as well as CVE-2017-11335, CVE-2017-12944, CVE-2017-13726, and CVE-2017-13727, which we haven't previously mentioned.
After checking, it appears CVE-2017-16232, CVE-2017-11335, CVE-2017-12944, CVE-2017-13726 and CVE-2017-13727 are already fixed in libtiff 4.0.9.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file. (CVE-2017-17095)

In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution. (CVE-2017-9935)

In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. (CVE-2017-18013)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
http://openwall.com/lists/oss-security/2017/12/02/1
https://lists.opensuse.org/opensuse-updates/2018-01/msg00041.html
https://www.debian.org/security/2018/dsa-4100
========================

Updated package in core/updates_testing:
========================
libtiff-progs-4.0.9-1.1.mga6
lib(64)tiff5-4.0.9-1.1.mga6
lib(64)tiff-devel-4.0.9-1.1.mga6
lib(64)tiff-static-devel-4.0.9-1.1.mga6

from SRPMS:
libtiff-4.0.9-1.1.mga6.src.rpm
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Source RPM: libtiff-4.0.9-1.mga7.src.rpm => libtiff-4.0.9-1.mga6.src.rpm
Thanks Nicolas. I've added a Mageia 5 build, since image libraries are among the most exposed to untrusted data.
Whiteboard: (none) => MGA5TOO
*** Before the update ***

CVE-2017-17095
http://bugzilla.maptools.org/show_bug.cgi?id=2750

$ pal2rgb poc.tiff /dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
JPEGLib: Not a JPEG file: starts with 0xd5 0xc6.
Segmentation fault

CVE-2017-9935
http://bugzilla.maptools.org/show_bug.cgi?id=2704

$ tiff2pdf POC1 > /dev/null
[...]
*** Error in `tiff2pdf': free(): invalid size: 0x00000000014e1590 ***
======= Backtrace: =========
/usr/lib64/libc.so.6(+0x7238e)[0x7f5b7b2db38e]
/usr/lib64/libc.so.6(+0x7a0c8)[0x7f5b7b2e30c8]
/usr/lib64/libc.so.6(cfree+0x48)[0x7f5b7b2e6798]
/usr/lib64/libtiff.so.5(TIFFCleanup+0x172)[0x7f5b7b6272b2]
/usr/lib64/libtiff.so.5(TIFFClose+0x19)[0x7f5b7b627349]
tiff2pdf[0x401ac9]
/usr/lib64/libc.so.6(__libc_start_main+0xf0)[0x7f5b7b289050]
tiff2pdf[0x401f7f]
[...]
Aborted

$ tiff2pdf POC2 > /dev/null
[...]
*** Error in `tiff2pdf': munmap_chunk(): invalid pointer: 0x00000000015d2c40 ***
Segmentation fault

$ tiff2pdf POC3 > /dev/null
[...]
Segmentation fault

$ tiff2pdf POC4 > /dev/null
[...]
*** Error in `tiff2pdf': free(): invalid next size (fast): 0x00000000008a7ab0 ***
======= Backtrace: =========
/usr/lib64/libc.so.6(+0x7238e)[0x7f92c5bd438e]
/usr/lib64/libc.so.6(+0x7a0c8)[0x7f92c5bdc0c8]
/usr/lib64/libc.so.6(cfree+0x48)[0x7f92c5bdf798]
tiff2pdf[0x4024e1]
tiff2pdf[0x401dc7]
/usr/lib64/libc.so.6(__libc_start_main+0xf0)[0x7f92c5b82050]
tiff2pdf[0x401f7f]
[...]
Aborted

$ tiff2pdf POC5 > /dev/null
*** Error in `tiff2pdf': double free or corruption (!prev): 0x0000000001a59680 ***
Segmentation fault

CVE-2017-18013
http://bugzilla.maptools.org/show_bug.cgi?id=2770

$ tiffinfo -s tiff_npd.bin
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFF Directory at offset 0x8 (8)
  Image Width: 12336 Image Length: 12336
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Planar Configuration: single image plane
  1 Strips:
Segmentation fault

*** After the update ***

$ pal2rgb poc.tiff /dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
Could not determine correct image size for output. Exiting.

$ tiff2pdf POC1 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.

$ tiff2pdf POC2 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.

$ tiff2pdf POC3 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.

$ tiff2pdf POC4 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.

$ tiff2pdf POC5 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.

$ tiffinfo -s tiff_npd.bin
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFF Directory at offset 0x8 (8)
  Image Width: 12336 Image Length: 12336
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Planar Configuration: single image plane
  1 Strips:
      0: [808464432, 0]

*** All looks good on Mageia 5 x86_64.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Thanks for stepping in David.

Mageia 6 :: x86_64

Before the update:

CVE-2017-17095
http://bugzilla.maptools.org/show_bug.cgi?id=2750

$ pal2rgb heapoverflow.tiff /dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
JPEGLib: Not a JPEG file: starts with 0xd5 0xc6.
Segmentation fault (core dumped)

==========================================================================

CVE-2017-9935
http://bugzilla.maptools.org/show_bug.cgi?id=2704

$ tiff2pdf POC1
.....................................
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

$ tiff2pdf POC2
*** Error in `tiff2pdf': munmap_chunk(): invalid pointer: 0x0000000001929c40 ***
Segmentation fault (core dumped)

$ tiff2pdf POC3
Segmentation fault (core dumped)

$ tiff2pdf POC4
Aborted (core dumped)

$ tiff2pdf POC5
Aborted (core dumped)

==========================================================================

CVE-2017-18013
http://bugzilla.maptools.org/show_bug.cgi?id=2770

$ tiffinfo -s tiff_npd
..............................................
TIFF Directory at offset 0x8 (8)
  Image Width: 12336 Image Length: 12336
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Planar Configuration: single image plane
  1 Strips:
Segmentation fault (core dumped)

*************************************************************************

After the update:

$ pal2rgb heapoverflow.tiff /dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
Could not determine correct image size for output. Exiting.

$ ll POC*
-rw-r--r-- 1 lcl lcl 5000 May 26  2017 POC1
-rw-r--r-- 1 lcl lcl 4752 May 22  2017 POC2
-rw-r--r-- 1 lcl lcl 3264 May 22  2017 POC3
-rw-r--r-- 1 lcl lcl 3292 May 23  2017 POC4
-rw-r--r-- 1 lcl lcl 4743 May 27  2017 POC5

$ tiff2pdf POC*
<All five POC files produced similar messages, all finishing with:>
tiff2pdf: Different transfer function on page 2.
tiff2pdf: An error occurred creating output PDF file.

$ tiffinfo -s tiff_npd
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFF Directory at offset 0x8 (8)
  Image Width: 12336 Image Length: 12336
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Planar Configuration: single image plane
  1 Strips:
      0: [808464432, 0]

Looks OK as far as the patches are concerned.

*******************************************************************************

Utility tests.

$ strace gm display mars_crater.tif 2> trace
$ grep tiff trace
access("/usr/lib64/GraphicsMagick-1.3.28/modules-Q8/coders/tiff.so", R_OK) = 0
open("/usr/lib64/GraphicsMagick-1.3.28/modules-Q8/coders/tiff.so", O_RDONLY|O_CLOEXEC) = 4
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 4

$ gm identify SantaMaria.tiff
SantaMaria.tiff TIFF 1311x1128+0+0 DirectClass 8-bit 1.0Mi 0.000u 0m:0.000001s

$ tiffinfo SantaMaria.tiff
TIFF Directory at offset 0x107466 (1078374)
  Image Width: 1311 Image Length: 1128
  Resolution: 194.9, 194.9 pixels/cm
  Bits/Sample: 8
  Sample Format: unsigned integer
  Compression Scheme: AdobeDeflate
  Photometric Interpretation: RGB color
  Samples/Pixel: 3
  Rows/Strip: 8
  Planar Configuration: single image plane
  Page Number: 0-1
  DocumentName: SantaMaria.tiff
  ImageDescription: IDL TIFF file
  Software: GraphicsMagick 1.3.26 2017-07-04 Q8 http://www.GraphicsMagick.org/
  Photoshop Data: <present>, 3884 bytes
  Predictor: horizontal differencing 2 (0x2)

$ tiff2pdf -o new.pdf ScarlettJ_4.tif
$ xpdf new.pdf
Showed a single page containing the original image.

Good for 64 bits.
CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
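The two QA runs above rely on tiffinfo's own warnings (tags not sorted in ascending order, missing Photometric/BitsPerSample/SamplesPerPixel tags, a strip offset of 808464432 that cannot lie inside a few-kilobyte file) to recognise a malformed directory. The following is an added example, not code from libtiff, from the Mageia package or from this bug report: a small stand-alone checker that parses only the first TIFF directory (IFD) and reports those same structural problems without decoding any image data, which is the sort of pre-filter one can run on untrusted files before handing them to the real library. The tag codes and field types are the real TIFF 6.0 values; the two sample files are constructed in memory and are not the PoC files used in the comments.

```python
"""Structural sanity check of a TIFF file's first directory (IFD).

Added example; not libtiff code. Tag codes and field types are the real
TIFF 6.0 values. The GOOD_TIFF / BAD_TIFF samples are constructed here.
"""
import struct
import sys

SHORT, LONG = 3, 4                      # TIFF field types used by the samples
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1,
              8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
TAG_NAMES = {256: "ImageWidth", 257: "ImageLength", 258: "BitsPerSample",
             259: "Compression", 262: "PhotometricInterpretation",
             273: "StripOffsets", 277: "SamplesPerPixel",
             278: "RowsPerStrip", 279: "StripByteCounts"}
REQUIRED = (256, 257, 262, 273, 279)    # minimum for a strip-based image


def _entry_values(data, endian, typ, count, field_off):
    """Return the SHORT/LONG values of one IFD entry, [] for other types,
    or None when the entry's value data would lie outside the file."""
    size = TYPE_SIZES.get(typ)
    if size is None:
        return None                     # unknown type: cannot size the data
    total = size * count
    # Values of 4 bytes or less are stored inline; larger ones via an offset.
    start = field_off if total <= 4 else struct.unpack_from(endian + "I", data, field_off)[0]
    if start + total > len(data):
        return None
    fmt = {SHORT: "H", LONG: "I"}.get(typ)
    if fmt is None:
        return []
    return list(struct.unpack_from(endian + str(count) + fmt, data, start))


def check_tiff(data):
    """Return a list of findings; an empty list means the first IFD passed."""
    findings = []
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["not a TIFF: missing or bad byte-order mark"]
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack_from(endian + "HI", data, 2)
    if magic != 42:
        return ["not a classic TIFF: magic %d != 42" % magic]
    if ifd_off + 2 > len(data):
        return ["first IFD offset %d lies outside the file" % ifd_off]
    n = struct.unpack_from(endian + "H", data, ifd_off)[0]
    if ifd_off + 2 + 12 * n + 4 > len(data):
        findings.append("IFD claims %d entries but the file ends first" % n)
        n = max(0, (len(data) - ifd_off - 2) // 12)   # only parse what exists
    seen, prev_tag, unsorted = {}, -1, False
    for i in range(n):
        e = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", data, e)
        if tag <= prev_tag and not unsorted:          # same check tiffinfo warns about
            unsorted = True
            findings.append("tags not sorted in ascending order (tag %d follows %d)" % (tag, prev_tag))
        prev_tag = tag
        vals = _entry_values(data, endian, typ, count, e + 8)
        if vals is None:
            findings.append("tag %d (%s): value data lies outside the file"
                            % (tag, TAG_NAMES.get(tag, "unknown")))
            continue
        seen[tag] = vals
    for tag in REQUIRED:
        if tag not in seen:
            findings.append("required tag %d (%s) is missing" % (tag, TAG_NAMES[tag]))
    offs, cnts = seen.get(273, []), seen.get(279, [])
    if offs and cnts and len(offs) != len(cnts):
        findings.append("StripOffsets has %d entries but StripByteCounts has %d" % (len(offs), len(cnts)))
    for off, cnt in zip(offs, cnts):                  # every strip must fit in the file
        if off + cnt > len(data):
            findings.append("strip at offset %d (%d bytes) extends past end of file (%d bytes)"
                            % (off, cnt, len(data)))
    return findings


def build_tiff(entries, endian="<", payload=b""):
    """Constructed-sample builder: one IFD of single-value SHORT/LONG entries
    written in the order given (so unsorted tags can be reproduced)."""
    body = struct.pack(endian + "H", len(entries))
    for tag, typ, value in entries:
        field = struct.pack(endian + "H", value) + b"\0\0" if typ == SHORT \
            else struct.pack(endian + "I", value)
        body += struct.pack(endian + "HHI", tag, typ, 1) + field
    body += struct.pack(endian + "I", 0)              # no next IFD
    header = (b"II" if endian == "<" else b"MM") + struct.pack(endian + "HI", 42, 8)
    return header + body + payload


# Constructed sample 1: well-formed 2x2 8-bit greyscale image, pixel data at offset 122.
DATA_OFF = 8 + 2 + 12 * 9 + 4
GOOD_TIFF = build_tiff([(256, SHORT, 2), (257, SHORT, 2), (258, SHORT, 8), (259, SHORT, 1),
                        (262, SHORT, 1), (273, LONG, DATA_OFF), (277, SHORT, 1),
                        (278, SHORT, 2), (279, LONG, 4)], payload=b"\x00\x40\x80\xff")
# Constructed sample 2: tags out of order, Photometric missing, strip offset 0x30303030.
BAD_TIFF = build_tiff([(257, SHORT, 2), (256, SHORT, 2), (258, SHORT, 8), (259, SHORT, 1),
                       (273, LONG, 0x30303030), (277, SHORT, 1), (278, SHORT, 2),
                       (279, LONG, 4)], payload=b"\x00\x40\x80\xff")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD_TIFF
    for line in check_tiff(blob) or ["no structural problems found in first IFD"]:
        print(line)
```

Run without arguments it reports on the constructed BAD_TIFF sample; with a path it reads that file. It only inspects the first IFD and only SHORT/LONG values, so a clean result is a necessary, not a sufficient, condition for a file being safe to process.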
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0109.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Mageia 5 update was never pushed. SVN advisory fixed. Please push libtiff-4.0.9-1.1.mga5.
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
Moved
CC: (none) => tmb
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
This also fixed CVE-2018-17795 (same fix as CVE-2017-9935): https://lists.opensuse.org/opensuse-updates/2018-10/msg00149.html https://security-tracker.debian.org/tracker/CVE-2018-17795