Hi, There are upstream patches for CVE-2017-11613 and CVE-2018-5784. Best regards, Nico.
Source RPM: (none) => libtiff-4.0.9-1.1.mga6.src.rpm
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2017-11613, CVE-2018-5784
Whiteboard: (none) => MGA5TOO
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. (CVE-2017-11613)

In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries. (CVE-2018-5784)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5784
========================

Updated package in 5/core/updates_testing:
========================
libtiff-progs-4.0.9-1.2.mga5
lib(64)tiff5-4.0.9-1.2.mga5
lib(64)tiff-devel-4.0.9-1.2.mga5
lib(64)tiff-static-devel-4.0.9-1.2.mga5

from SRPMS:
libtiff-4.0.9-1.2.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
libtiff-progs-4.0.9-1.2.mga6
lib(64)tiff5-4.0.9-1.2.mga6
lib(64)tiff-devel-4.0.9-1.2.mga6
lib(64)tiff-static-devel-4.0.9-1.2.mga6

from SRPMS:
libtiff-4.0.9-1.2.mga6.src.rpm
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Mageia 6 :: x86_64

CVE-2018-5784
http://bugzilla.maptools.org/show_bug.cgi?id=2772
PoC file: libtiff_4-0-9_tiff2pdf_uncontrolled-resource-consumption_TIFFSetDirectory.tif

Before update:
$ tiffinfo libtiff_4-0-9_tiff2pdf_uncontrolled-resource-consumption_TIFFSetDirectory.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 29811 (0x7473) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 225 (0xe1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3328 (0xd00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65522 (0xfff2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFF Directory at offset 0xc (12)
  Image Width: 128 Image Length: 2305
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Planar Configuration: single image plane
$ tiffgt $POC
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
$ display $POC
display: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 29811 (0x7473) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 3 (0x3) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 225 (0xe1) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 1093 (0x445) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 3328 (0xd00) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 65522 (0xfff2) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 1 (0x1) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Incorrect count for "PhotometricInterpretation"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/915.
display: Photometric tag is missing, assuming data is YCbCr. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: BitsPerSample tag is missing, assuming 8 bits per sample. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.

A tall black rectangle is displayed using the last command.

After update:
$ tiffgt $POC
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt): ERROR: Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow
$ display $POC
<The output is identical to that in the earlier test and the black rectangle is displayed>

We cannot draw any conclusions from this -> assume that the patches work.
Leaving utility tests until tomorrow, Mageia 5 tests also.
CC: (none) => tarazed25
Installed and tested without issues.

Tests used the tools in the package libtiff-progs. Tested using several TIFF images, some with the 16 MPixel resolution. Also did quick tests with gimp (load/view/save) and okular (load/view).

$ rpm -qa | egrep 'lib(64)?tiff' | sort
lib64tiff5-4.0.9-1.2.mga6
libtiff5-4.0.9-1.2.mga6
libtiff-progs-4.0.9-1.2.mga6
$
$
$ rpm -ql lib64tiff5
/usr/lib64/libtiff.so.5
/usr/lib64/libtiff.so.5.3.0
/usr/lib64/libtiffxx.so.5
/usr/lib64/libtiffxx.so.5.3.0
$
$
$ strace -o tiffinfo.strace tiffinfo test.tiff
TIFF Directory at offset 0x22d82ce (36537038)
  Subfile Type: (0 = 0x0)
  Image Width: 4200 Image Length: 4200
  Resolution: 299.999, 299.999 pixels/inch
  Bits/Sample: 8
  Compression Scheme: LZW
  Photometric Interpretation: RGB color
  Extra Samples: 1<assoc-alpha>
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 4
  Rows/Strip: 64
  Planar Configuration: single image plane
  DocumentName: /home/pclx/tmp/test.tiff
  ICC Profile: <present>, 3144 bytes
  Predictor: horizontal differencing 2 (0x2)
$ grep libtiff tiffinfo.strace
open("/usr/lib64/tls/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
$ okular test.tiff
$
$
$ strace -o tiffdump.strace tiffdump test.tiff
test.tiff:
Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
Directory 0: offset 36537038 (0x22d82ce) next 0 (0)
SubFileType (254) LONG (4) 1<0>
ImageWidth (256) SHORT (3) 1<4200>
ImageLength (257) SHORT (3) 1<4200>
BitsPerSample (258) SHORT (3) 4<8 8 8 8>
Compression (259) SHORT (3) 1<5>
Photometric (262) SHORT (3) 1<2>
DocumentName (269) ASCII (2) 26</home/pclx/tmp/test.tif ...>
StripOffsets (273) LONG (4) 66<8 100904 264983 485867 826963 1252832 1731760 2248236 2795496 3358955 3932989 4526542 5140731 5741104 6364826 7015886 7668761 8323268 8976108 9621538 10271631 10921888 11562408 12212244 ...>
Orientation (274) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<4>
RowsPerStrip (278) SHORT (3) 1<64>
StripByteCounts (279) LONG (4) 66<100896 164079 220884 341096 425869 478928 516476 547260 563459 574034 593553 614189 600373 623722 651060 652875 654507 652840 645430 650093 650257 640520 649836 664761 ...>
XResolution (282) RATIONAL (5) 1<299.999>
YResolution (283) RATIONAL (5) 1<299.999>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
Predictor (317) SHORT (3) 1<2>
BadFaxLines (326) LONG (4) 1<12058626>
ExtraSamples (338) SHORT (3) 1<1>
ICC Profile (34675) UNDEFINED (7) 3144<00 00 0xc 0x48 0x4c 0x69 0x6e 0x6f 0x2 0x10 00 00 0x6d 0x6e 0x74 0x72 0x52 0x47 0x42 0x20 0x58 0x59 0x5a 0x20 ...>
$ grep libtiff tiffdump.strace
open("/usr/lib64/tls/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
$
$
$ strace -o tiff2pdf.strace tiff2pdf -o test.pdf test.tiff
$ grep libtiff tiff2pdf.strace
open("/usr/lib64/tls/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
$ okular test.pdf
$
$
$ strace -o tiff2ps.strace tiff2ps -O test.ps test.tiff
$ grep libtiff tiff2ps.strace
open("/usr/lib64/tls/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libtiff.so.5", O_RDONLY|O_CLOEXEC) = 3
$ okular test.ps
CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Using the PoC and test at http://bugzilla.maptools.org/show_bug.cgi?id=2772

From the time it takes, it seems the denial of service is resolved.

$ time tiff2pdf libtiff_4-0-9_tiff2pdf_uncontrolled-resource-consumption_TIFFSetDirectory.tif -o poc.pdf
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 29811 (0x7473) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 225 (0xe1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3328 (0xd00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65522 (0xfff2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
TIFFNumberOfDirectories: Directory count exceeded 65535 limit, giving up on counting..
tiff2pdf: TIFF contains too many directories, libtiff_4-0-9_tiff2pdf_uncontrolled-resource-consumption_TIFFSetDirectory.tif.
tiff2pdf: An error occurred creating output PDF file.

real 0m0.005s
user 0m0.001s
sys 0m0.004s
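The two conditions in the suggested advisory (an ImageLength taken from the file without a check, and directory data that is not validated against what the file actually holds) can be screened for before a file is handed to libtiff. The sketch below is an added example, not part of this bug report and not libtiff's upstream patch; audit_tiff, make_ifd, the sample byte strings and the "uncompressed ImageLength larger than the file" heuristic are assumptions made for illustration, and only classic (non-BigTIFF) files are handled.

```python
import struct

MAX_DIRS = 65535  # ceiling named in the patched tiff2pdf output

def audit_tiff(data):
    """Return findings for a classic (non-BigTIFF) file held in bytes."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["not a TIFF"]
    e = "<" if data[:2] == b"II" else ">"
    magic, off = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        return ["not a classic TIFF"]
    findings, seen = [], set()
    while off:
        if off in seen or len(seen) >= MAX_DIRS:
            findings.append(f"IFD chain loops or exceeds {MAX_DIRS} directories")
            break
        seen.add(off)
        if off + 2 > len(data):
            findings.append(f"IFD offset {off} is outside the file")
            break
        (count,) = struct.unpack_from(e + "H", data, off)
        end = off + 2 + 12 * count          # where the next-IFD offset must sit
        if end + 4 > len(data):
            findings.append(f"IFD at {off} declares {count} entries past end of file")
            break
        tags = {}
        for i in range(count):
            tag, typ, n, raw = struct.unpack_from(e + "HHI4s", data, off + 2 + 12 * i)
            if n == 1 and typ in (3, 4):    # one SHORT or LONG, stored inline
                tags[tag] = struct.unpack_from(e + ("H" if typ == 3 else "I"), raw)[0]
        # Heuristic (assumption): every uncompressed row needs at least one byte.
        if tags.get(259, 1) == 1 and tags.get(257, 0) > len(data):
            findings.append(f"uncompressed ImageLength {tags[257]} exceeds file size")
        (off,) = struct.unpack_from(e + "I", data, end)
    return findings

def make_ifd(entries, next_off):
    """Constructed little-endian IFD; entries are (tag, type, value)."""
    body = struct.pack("<H", len(entries))
    for tag, typ, val in entries:
        body += struct.pack("<HHII", tag, typ, 1, val)
    return body + struct.pack("<I", next_off)

# Constructed sample inputs, not taken from the PoC file.
HDR = struct.pack("<2sHI", b"II", 42, 8)    # first IFD at offset 8
GOOD = HDR + make_ifd([(256, 3, 4), (257, 3, 4), (259, 3, 1)], 0)
LOOP = HDR + make_ifd([(257, 3, 4)], 8)     # next-IFD points back at itself
HUGE = HDR + make_ifd([(257, 4, 0x7FFFFFFF), (259, 3, 1)], 0)
TRUNC = HDR + struct.pack("<H", 500)        # 500 declared entries, none present
```

An empty list only means none of these three checks fired; it is not a statement that the file is safe to decode.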
Thanks PC LX for those very thorough tests and helpful reports. Adding the 64-bit OK for mga5.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
(In reply to Len Lawrence from comment #5)
> Thanks PC LX for those very thorough tests and helpful reports. Adding the
> 64-bit OK for mga5.

Thanks to you both. After c4, it could have been validated. The advisory will catch it up.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0180.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This also fixed CVE-2018-16335 (same fix as CVE-2017-11613): https://lists.opensuse.org/opensuse-updates/2018-10/msg00149.html https://security-tracker.debian.org/tracker/CVE-2018-16335
CC: (none) => luigiwalser