Bug 22120 - libtiff new security issues CVE-2017-17095, CVE-2017-9935 and CVE-2017-18013
Summary: libtiff new security issues CVE-2017-17095, CVE-2017-9935 and CVE-2017-18013
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-03 18:32 CET by David Walser
Modified: 2018-10-25 16:29 CEST (History)

See Also:
Source RPM: libtiff-4.0.9-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-12-03 18:32:45 CET
A CVE has been assigned for a security issue in libtiff:
http://openwall.com/lists/oss-security/2017/12/02/1

I don't believe it has been fixed yet.
Comment 1 Marja Van Waes 2017-12-03 18:40:39 CET
Assigning to the registered libtiff maintainer.

CC: (none) => marja11
Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2017-12-05 10:59:49 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 2 David Walser 2017-12-30 01:01:50 CET
No fix upstream yet, so no fix for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

Comment 3 Nicolas Salguero 2018-01-02 14:37:48 CET
For Cauldron, I submitted a new version that corresponds to latest git snapshot and that fixes CVE-2017-9935 and CVE-2017-18013.

Summary: libtiff new security issue CVE-2017-17095 => libtiff new security issues CVE-2017-17095, CVE-2017-9935 and CVE-2017-18013

Comment 4 David Walser 2018-01-14 23:51:05 CET
SUSE has issued an advisory on January 12:
https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00036.html

It lists CVE-2017-16232, which we haven't mentioned before.
Comment 5 David Walser 2018-01-16 12:15:17 CET
openSUSE has issued an advisory on January 15:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00041.html

It fixes the same issues as the SUSE advisory.
Comment 6 David Walser 2018-01-28 19:08:11 CET
Debian has issued an advisory on January 27:
https://www.debian.org/security/2018/dsa-4100

It fixes some of these issues, as well as CVE-2017-11335, CVE-2017-12944, CVE-2017-13726, and CVE-2017-13727, which we haven't previously mentioned.
Comment 7 Nicolas Salguero 2018-01-30 14:53:35 CET
After checking, it appears CVE-2017-16232, CVE-2017-11335, CVE-2017-12944, CVE-2017-13726 and CVE-2017-13727 are already fixed in libtiff 4.0.9.
Comment 8 Nicolas Salguero 2018-01-30 15:00:55 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file. (CVE-2017-17095)

In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution. (CVE-2017-9935)

In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. (CVE-2017-18013)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
http://openwall.com/lists/oss-security/2017/12/02/1
https://lists.opensuse.org/opensuse-updates/2018-01/msg00041.html
https://www.debian.org/security/2018/dsa-4100
========================

Updated package in core/updates_testing:
========================
libtiff-progs-4.0.9-1.1.mga6
lib(64)tiff5-4.0.9-1.1.mga6
lib(64)tiff-devel-4.0.9-1.1.mga6
lib(64)tiff-static-devel-4.0.9-1.1.mga6

from SRPMS:
libtiff-4.0.9-1.1.mga6.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Source RPM: libtiff-4.0.9-1.mga7.src.rpm => libtiff-4.0.9-1.mga6.src.rpm

Comment 9 David Walser 2018-02-01 20:47:39 CET
Thanks Nicolas.  I've added a Mageia 5 build, since image libraries are among the most exposed to untrusted data.

Whiteboard: (none) => MGA5TOO

Comment 10 David Walser 2018-02-02 18:06:00 CET
*** Before the update ***

CVE-2017-17095
http://bugzilla.maptools.org/show_bug.cgi?id=2750

$ pal2rgb poc.tiff /dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
JPEGLib: Not a JPEG file: starts with 0xd5 0xc6.
Segmentation fault

CVE-2017-9935
http://bugzilla.maptools.org/show_bug.cgi?id=2704

$ tiff2pdf POC1 > /dev/null
[...]
*** Error in `tiff2pdf': free(): invalid size: 0x00000000014e1590 ***
======= Backtrace: =========
/usr/lib64/libc.so.6(+0x7238e)[0x7f5b7b2db38e]
/usr/lib64/libc.so.6(+0x7a0c8)[0x7f5b7b2e30c8]
/usr/lib64/libc.so.6(cfree+0x48)[0x7f5b7b2e6798]
/usr/lib64/libtiff.so.5(TIFFCleanup+0x172)[0x7f5b7b6272b2]
/usr/lib64/libtiff.so.5(TIFFClose+0x19)[0x7f5b7b627349]
tiff2pdf[0x401ac9]
/usr/lib64/libc.so.6(__libc_start_main+0xf0)[0x7f5b7b289050]
tiff2pdf[0x401f7f]
[...]
Aborted
$ tiff2pdf POC2 > /dev/null
[...]
*** Error in `tiff2pdf': munmap_chunk(): invalid pointer: 0x00000000015d2c40 ***
Segmentation fault
$ tiff2pdf POC3 > /dev/null
[...]
Segmentation fault
$ tiff2pdf POC4 > /dev/null
[...]
*** Error in `tiff2pdf': free(): invalid next size (fast): 0x00000000008a7ab0 ***
======= Backtrace: =========
/usr/lib64/libc.so.6(+0x7238e)[0x7f92c5bd438e]
/usr/lib64/libc.so.6(+0x7a0c8)[0x7f92c5bdc0c8]
/usr/lib64/libc.so.6(cfree+0x48)[0x7f92c5bdf798]
tiff2pdf[0x4024e1]
tiff2pdf[0x401dc7]
/usr/lib64/libc.so.6(__libc_start_main+0xf0)[0x7f92c5b82050]
tiff2pdf[0x401f7f]
[...]
Aborted
$ tiff2pdf POC5 > /dev/null
*** Error in `tiff2pdf': double free or corruption (!prev): 0x0000000001a59680 ***
Segmentation fault

CVE-2017-18013
http://bugzilla.maptools.org/show_bug.cgi?id=2770

$ tiffinfo -s tiff_npd.bin 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFF Directory at offset 0x8 (8)
  Image Width: 12336 Image Length: 12336
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Planar Configuration: single image plane
  1 Strips:
Segmentation fault

*** After the update ***

$ pal2rgb poc.tiff /dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
Could not determine correct image size for output. Exiting.

$ tiff2pdf POC1 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.
$ tiff2pdf POC2 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.
$ tiff2pdf POC3 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.
$ tiff2pdf POC4 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.
$ tiff2pdf POC5 > /dev/null
[...]
tiff2pdf: An error occurred creating output PDF file.

$ tiffinfo -s tiff_npd.bin
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFF Directory at offset 0x8 (8)
  Image Width: 12336 Image Length: 12336
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Planar Configuration: single image plane
  1 Strips:
      0: [808464432,        0]

*** All looks good on Mageia 5 x86_64.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
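
A defender-side complement to the before/after checks above, added here as an example and not part of the bug report or of libtiff: a small Python pre-screen that parses a TIFF's first IFD and reports the same malformations tiffinfo warns about for tiff_npd.bin (tags not in ascending order, the unknown tag 0x3030, missing Photometric/BitsPerSample/SamplesPerPixel) plus a size cap, so suspect files can be triaged before they reach pal2rgb, tiff2pdf or tiffinfo. The recognised tag set, MAX_DIM and the two sample files are constructed assumptions.

```python
import struct
# Baseline TIFF tags every image directory must carry (tag number -> name).
REQUIRED = {256: "ImageWidth", 257: "ImageLength", 258: "BitsPerSample",
            262: "Photometric", 277: "SamplesPerPixel"}
KNOWN = set(REQUIRED) | {259, 273, 278, 279, 284}  # tags this pre-screen recognises
MAX_DIM = 8192  # assumed policy cap on width/height for files we accept

def lint_tiff(data: bytes) -> list:
    """Parse the first IFD of a TIFF and return a list of findings ([] = clean)."""
    findings = []
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["not a TIFF header"]
    end = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42 or ifd_off + 2 > len(data):
        return ["bad magic or IFD offset beyond end of file"]
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    if ifd_off + 2 + 12 * count > len(data):
        return ["IFD with %d entries runs past end of file" % count]
    tags, prev = {}, -1
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, typ, n, val = struct.unpack(end + "HHII", data[off:off + 12])
        if tag <= prev:  # libtiff: "tags are not sorted in ascending order"
            findings.append("tags not sorted in ascending order (%d after %d)" % (tag, prev))
        prev = tag
        if tag not in KNOWN:
            findings.append("unknown tag %d (0x%04x)" % (tag, tag))
        if typ == 3 and n == 1:  # a lone SHORT is left-justified in the 4-byte field
            val = val & 0xFFFF if end == "<" else val >> 16
        tags[tag] = val
    for tag, name in REQUIRED.items():
        if tag not in tags:
            findings.append("required tag %s missing" % name)
    for tag in (256, 257):
        if tag in tags and not 0 < tags[tag] <= MAX_DIM:
            findings.append("%s=%d outside accepted range" % (REQUIRED[tag], tags[tag]))
    return findings

def build_tiff(entries):
    """Constructed sample: little-endian header plus one IFD of (tag, type, count, value)."""
    body = struct.pack("<H", len(entries))
    for tag, typ, n, val in entries:
        body += struct.pack("<HHII", tag, typ, n, val)
    return b"II" + struct.pack("<HI", 42, 8) + body + struct.pack("<I", 0)

# Constructed inputs: a sane 64x64 RGB image, and a directory shaped like the tiffinfo
# warnings above (unsorted tags, unknown tag 0x3030, required tags missing, 12336 square).
GOOD = build_tiff([(256, 3, 1, 64), (257, 3, 1, 64), (258, 3, 1, 8), (262, 3, 1, 2),
                   (273, 4, 1, 8), (277, 3, 1, 3), (279, 4, 1, 12288)])
BAD = build_tiff([(257, 3, 1, 12336), (256, 3, 1, 12336), (259, 3, 1, 6), (0x3030, 3, 1, 0)])
```

Run lint_tiff() on each file before handing it to the libtiff tools; a non-empty list is a reason to quarantine the file rather than a verdict on any particular CVE.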

Comment 11 Len Lawrence 2018-02-02 19:43:02 CET
Thanks for stepping in David.

Mageia 6 :: x86_64
Before the update:

CVE-2017-17095
http://bugzilla.maptools.org/show_bug.cgi?id=2750
$ pal2rgb heapoverflow.tiff /dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
JPEGLib: Not a JPEG file: starts with 0xd5 0xc6.
Segmentation fault (core dumped)
==========================================================================
CVE-2017-9935
http://bugzilla.maptools.org/show_bug.cgi?id=2704

$ tiff2pdf POC1
.....................................
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

$ tiff2pdf POC2
*** Error in `tiff2pdf': munmap_chunk(): invalid pointer: 0x0000000001929c40 ***
Segmentation fault (core dumped)

$ tiff2pdf POC3
Segmentation fault (core dumped)

$ tiff2pdf POC4
Aborted (core dumped)

$ tiff2pdf POC5
Aborted (core dumped)
==========================================================================
CVE-2017-18013
http://bugzilla.maptools.org/show_bug.cgi?id=2770
$ tiffinfo -s tiff_npd
..............................................
TIFF Directory at offset 0x8 (8)
  Image Width: 12336 Image Length: 12336
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Planar Configuration: single image plane
  1 Strips:
Segmentation fault (core dumped)

*************************************************************************
After the update:

$ pal2rgb heapoverflow.tiff /dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
Could not determine correct image size for output. Exiting.

$ ll POC*
-rw-r--r-- 1 lcl lcl 5000 May 26  2017 POC1
-rw-r--r-- 1 lcl lcl 4752 May 22  2017 POC2
-rw-r--r-- 1 lcl lcl 3264 May 22  2017 POC3
-rw-r--r-- 1 lcl lcl 3292 May 23  2017 POC4
-rw-r--r-- 1 lcl lcl 4743 May 27  2017 POC5

$ tiff2pdf POC*
<All five POC files produced similar messages, all finishing with:>
tiff2pdf: Different transfer function on page 2.
tiff2pdf: An error occurred creating output PDF file.

$ tiffinfo -s tiff_npd
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFF Directory at offset 0x8 (8)
  Image Width: 12336 Image Length: 12336
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Planar Configuration: single image plane
  1 Strips:
      0: [808464432,        0]

Looks OK as far as the patches are concerned.
*******************************************************************************
Utility tests.
$ strace gm display mars_crater.tif 2> trace
$ grep tiff trace
access("/usr/lib64/GraphicsMagick-1.3.28/modules-Q8/coders/tiff.so", R_OK) = 0
open("/usr/lib64/GraphicsMagick-1.3.28/modules-Q8/coders/tiff.so", O_RDONLY|O_CLOEXEC) = 4
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 4

$ gm identify SantaMaria.tiff
SantaMaria.tiff TIFF 1311x1128+0+0 DirectClass 8-bit 1.0Mi 0.000u 0m:0.000001s

$ tiffinfo SantaMaria.tiff
TIFF Directory at offset 0x107466 (1078374)
  Image Width: 1311 Image Length: 1128
  Resolution: 194.9, 194.9 pixels/cm
  Bits/Sample: 8
  Sample Format: unsigned integer
  Compression Scheme: AdobeDeflate
  Photometric Interpretation: RGB color
  Samples/Pixel: 3
  Rows/Strip: 8
  Planar Configuration: single image plane
  Page Number: 0-1
  DocumentName: SantaMaria.tiff
  ImageDescription: IDL TIFF file
  Software: GraphicsMagick 1.3.26 2017-07-04 Q8 http://www.GraphicsMagick.org/
  Photoshop Data: <present>, 3884 bytes
  Predictor: horizontal differencing 2 (0x2)

$ tiff2pdf -o new.pdf ScarlettJ_4.tif 
$ xpdf new.pdf
Showed a single page containing the original image.

Good for 64 bits.

CC: (none) => tarazed25

Len Lawrence 2018-02-02 19:43:51 CET

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Len Lawrence 2018-02-05 23:14:18 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2018-02-06 05:32:23 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Mageia Robot 2018-02-06 07:26:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0109.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 13 David Walser 2018-02-25 15:25:43 CET
Mageia 5 update was never pushed.  SVN advisory fixed.  Please push libtiff-4.0.9-1.1.mga5.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 14 Thomas Backlund 2018-02-26 17:37:19 CET
Moved

CC: (none) => tmb
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 15 David Walser 2018-10-25 16:29:41 CEST
This also fixed CVE-2018-17795 (same fix as CVE-2017-9935):
https://lists.opensuse.org/opensuse-updates/2018-10/msg00149.html
https://security-tracker.debian.org/tracker/CVE-2018-17795
