Bug 22920 - libtiff new security issue CVE-2018-7456
Summary: libtiff new security issue CVE-2018-7456
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-17 13:03 CEST by Nicolas Salguero
Modified: 2018-04-20 19:25 CEST

See Also:
Source RPM: libtiff-4.0.9-1.2.mga6.src.rpm
CVE: CVE-2018-7456
Status comment:



Description Nicolas Salguero 2018-04-17 13:03:19 CEST
Hi,

There is an upstream patch for CVE-2018-7456.

Best regards,

Nico.
Nicolas Salguero 2018-04-17 13:04:28 CEST

Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2018-7456
Whiteboard: (none) => MGA5TOO

Nicolas Salguero 2018-04-17 13:04:46 CEST

Source RPM: (none) => libtiff-4.0.9-1.2.mga6.src.rpm

Comment 1 Nicolas Salguero 2018-04-17 13:10:12 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) (CVE-2018-7456)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7456
========================

Updated package in 5/core/updates_testing:
========================
libtiff-progs-4.0.9-1.3.mga5
lib(64)tiff5-4.0.9-1.3.mga5
lib(64)tiff-devel-4.0.9-1.3.mga5
lib(64)tiff-static-devel-4.0.9-1.3.mga5

from SRPMS:
libtiff-4.0.9-1.3.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
libtiff-progs-4.0.9-1.3.mga6
lib(64)tiff5-4.0.9-1.3.mga6
lib(64)tiff-devel-4.0.9-1.3.mga6
lib(64)tiff-static-devel-4.0.9-1.3.mga6

from SRPMS:
libtiff-4.0.9-1.3.mga6.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 2 Len Lawrence 2018-04-17 21:06:23 CEST
Mageia 6, x86_64

PoC file at https://github.com/xiaoqx/pocs/tree/master/libtiff

$ tiffinfo -c 1-tiffinfo-c-null 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54034 (0xd312) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
TIFF Directory at offset 0x767fe (485374)
  Image Width: 1024 Image Length: 768
  Resolution: 2, 0 (unitless)
  Bits/Sample: 8
  Compression Scheme: LZW
  Photometric Interpretation: RGB color
  Samples/Pixel: 4
  Planar Configuration: single image plane
  Transfer Function: 
Segmentation fault (core dumped)

ImageMagick displays a black window without an image.

$ display 1-tiffinfo-c-null 
display: Invalid TIFF directory; tags are not sorted in ascending order. `TIFFReadDirectoryCheckOrder' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 314 (0x13a) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Unknown field with tag 54034 (0xd312) encountered. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Incorrect count for "YResolution"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/915.
display: Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/915.
display: Wrong length of decoded string: data probably corrupted at scanline 0. `LZWDecode' @ error/tiff.c/TIFFErrors/567.

$ tiffgt 1-tiffinfo-c-null 
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
freeglut (tiffgt):  ERROR:  Internal error <FBConfig with necessary capabilities not found> in function fgOpenWindow

Updated the libtiff packages.

Ran the test again:
$ tiffinfo -c 1-tiffinfo-c-null 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54034 (0xd312) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFF Directory at offset 0x767fe (485374)
  Image Width: 1024 Image Length: 768
  Resolution: 2, 0 (unitless)
  Bits/Sample: 8
  Compression Scheme: LZW
......................................
    254: 65150 65150 65150
    255: 33279 33279 33279
  Tag 314: Composer� Untitled, frame �
  Tag 54034: 1
  Software: Composer
  DateTime: Tue May  7 21:48:30 2002
  Artist: maya
  HostComputer: thor
$

Looks like libtiff coped with the corrupt file.

Checked the behaviour of some of the tools.  tiffgt does not display tiff images, as in the past.  Not a regression but an unfixed bug.

$ tiff2pdf -o test1.pdf SantaMaria.tif 
$ xpdf test1.pdf
Worked perfectly.
$ tiffinfo SantaMaria.tif 
TIFF Directory at offset 0x1e1348 (1971016)
  Image Width: 1638 Image Length: 1410
  Resolution: 495.062, 495.062 pixels/inch
.....................

$ tiff2ps -O test3.ps bridge.tif 
$ gs test3.ps
GPL Ghostscript 9.22 (2017-10-04)
..........................

This displayed a copy of the original image as a postscript page.

$ tiff2rgba macbethcolourscan.tif rgba.tif

The resulting file looked the same under display but the files differed.
$ diff rgba.tif macbethcolourscan.tif
Binary files rgba.tif and macbethcolourscan.tif differ
$ ll macbethcolourscan.tif rgba.tif
-rw-r--r-- 1 lcl lcl 2955850 Nov 16  2016 macbethcolourscan.tif
-rw-r--r-- 1 lcl lcl 3975572 Apr 17 19:24 rgba.tif
The main difference seems to be the addition of the Alpha channel to rgba.tif.
tiffcmp fails to work as expected but it is not known if this is a regression.  Needs further investigation.
$ tiffcmp macbethcolourscan.tif rgba.tif
SamplesPerPixel: 3 4
$ tiffcmp -z 20 macbethcolourscan.tif rgba.tif
SamplesPerPixel: 3 4
$ tiffcmp -l macbethcolourscan.tif rgba.tif
SamplesPerPixel: 3 4

$ tifftopnm JessicaAlba.tif > jessica.pnm
tifftopnm: writing PPM file
$ display jessica.pnm 
Perfect copy.
$ tiff2bw GlenShiel.tif GlenShiel_greyscale.tif
Produces a greyscale copy of original colour image.

The latest patch works and the libraries work in most cases but there are one or two possible bugs or regressions which make the status of libtiff uncertain.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2018-04-18 16:13:49 CEST
Mageia 5, x86_64

PoC test:
$ tiffinfo -c 1-tiffinfo-c-null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
................................................
Segmentation fault

tiffgt works with TIFF format files.

Upgraded the packages.

$ tiffinfo -c 1-tiffinfo-c-null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
..........................
    255: 33279 33279 33279
  Tag 314: Composer� Untitled, frame �
  Tag 54034: 1
  Software: Composer
  DateTime: Tue May  7 21:48:30 2002
  Artist: maya
  HostComputer: thor
$

That looks positive and it agrees with the Mageia 6 test.
And tiffgt continues to work.

$ tiffinfo SantaMaria.tif
TIFF Directory at offset 0x1e1348 (1971016)
  Image Width: 1638 Image Length: 1410
  Resolution: 495.062, 495.062 pixels/inch
  Bits/Sample: 8
  Compression Scheme: LZW
  Photometric Interpretation: RGB color
....................

$ tiff2pdf -o lena.pdf lena_color.tiff
$ xpdf lena.pdf
Displays a one page document containing the original image.

$ tiff2ps -O harbour.ps harbour.tif
[lcl@difda images]$ gs harbour.ps
GPL Ghostscript 9.22 (2017-10-04)

Original greyscale image displayed as an encapsulated Postscript document.
$ head -7 harbour.ps
%!PS-Adobe-3.0 EPSF-3.0
%%Creator: tiff2ps
%%Title: harbour.tif
%%CreationDate: Wed Apr 18 14:45:34 2018
%%DocumentData: Clean7Bit
%%Origin: 0 0
%%BoundingBox: 0 0 512 512

$ tiff2rgba macbethcolourscan.tif rgba.tif
$ tiffgt rgba.tif
Displays original colour chart.
Comparing the two side by side does not reveal any differences.
$ ll macbethcolourscan.tif rgba.tif
-rw-r--r-- 1 lcl lcl 2955850 Nov 16  2016 macbethcolourscan.tif
-rw-r--r-- 1 lcl lcl 3975572 Apr 18 14:48 rgba.tif

This conversion worked perfectly:
$ tifftopnm GlenShiel.tif > GlenShiel.pnm

$ tiff2bw JessicaAlba.tif jessica_grey.tif
produced a greyscale copy of the original colour image.

This is fine for 64 bits in Mageia 5.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
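
The before/after PoC check carried out by hand in comments 2 and 3 can be scripted. The following is an added example, not part of the bug report or of Mageia's QA tooling; the helper names are hypothetical. It separates death by signal (the segmentation fault seen before the update) from a clean exit or an ordinary error exit.

```shell
#!/bin/sh
# Added example: automate the "does the tool still crash on this file?" check.
# run_status, classify_status and check_tool are hypothetical helper names.

# run_status CMD [ARGS...]: run the command silently and print its exit status.
run_status() {
    status=0
    # Subshell: disables core files for this run only and also swallows the
    # shell's own "Segmentation fault" message.
    ( ulimit -c 0; "$@" ) >/dev/null 2>&1 || status=$?
    echo "$status"
}

# classify_status N: turn an exit status into a verdict.
# Shells report death by signal S as 128+S, so SIGSEGV (11) shows up as 139.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "OK"
    elif [ "$1" -gt 128 ]; then
        sig=$(( $1 - 128 ))
        case "$sig" in
            6)  echo "CRASH SIGABRT" ;;
            11) echo "CRASH SIGSEGV" ;;
            *)  echo "CRASH signal $sig" ;;
        esac
    else
        echo "ERROR exit $1"
    fi
}

# check_tool CMD [ARGS...]: run the command and print the verdict.
check_tool() {
    classify_status "$(run_status "$@")"
}

# Direct use: sh check.sh tiffinfo -c 1-tiffinfo-c-null
if [ "$#" -gt 0 ]; then
    check_tool "$@"
fi
```

Run against the PoC file before and after installing the update, a fixed package should no longer report CRASH SIGSEGV.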

Comment 4 Len Lawrence 2018-04-18 16:15:47 CEST
Adding the OK for Mageia 6 because the failure of tiffgt does not look like a regression but an original bug.  Need to raise one on that.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Lewis Smith 2018-04-20 08:49:12 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-04-20 19:25:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0208.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

