Bug 1033112 (CVE-2017-7600)

Summary: VUL-0: CVE-2017-7600: tiff: "outside the range of representable values of type unsigned char" undefined behavior issue could lead to denial of service
Product: [Novell Products] SUSE Security Incidents Reporter: Victor Pereira <vpereira>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: mvetter, pgajdos, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/183190/
Whiteboard: CVSSv2:SUSE:CVE-2017-7600:2.6:(AV:N/AC:H/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-7600:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2017-7600:7.8:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv3:SUSE:CVE-2017-7600:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-7600:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) maint:released:sle10-sp3:64045
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Victor Pereira 2017-04-10 05:56:38 UTC 
CVE-2017-7600

LibTIFF 4.0.7 has an "outside the range of representable values of type unsigned
char" undefined behavior issue, which might allow remote attackers to cause a
denial of service (application crash) or possibly have unspecified other impact
via a crafted image.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7600
Comment 1 Swamp Workflow Management 2017-09-26 13:09:59 UTC 
SUSE-SU-2017:2569-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805
CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.8-44.3.1
Comment 2 Swamp Workflow Management 2017-10-03 19:07:32 UTC 
openSUSE-SU-2017:2635-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805
CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.8-21.1
openSUSE Leap 42.2 (src):    tiff-4.0.8-17.6.1
Comment 4 Petr Gajdos 2018-05-14 16:43:47 UTC 
CVE-2017-7596 (bug 1033126), CVE-2017-7597 (bug 1033120), CVE-2017-7599 (bug 1033113) and CVE-2017-7600 (bug 1033112) share the commit.
Comment 5 Petr Gajdos 2018-05-15 11:57:04 UTC 
12/tiff

$ tiffcp -i 00118-libtiff-outside-unsigned-char-tif_dirwrite /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 33537 (0x8301) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 57345 (0xe001) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, incorrect count for field "PageNumber", expected 2, got 8388610.
TIFFFetchNormalTag: Warning, IO error during reading of "WhitePoint"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "PrimaryChromaticities"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 33537 (0x8301) encountered.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, Nonstandard tile length 7, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 63 (0x3f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error, cannot handle BitsPerSample that is not a multiple of 8.
$

11/tiff
$ tiffcp -i 00118-libtiff-outside-unsigned-char-tif_dirwrite /tmp/foo
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 33537 (0x8301) encountered.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: wrong data type 15872 for "ImageWidth"; tag ignored.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 57345 (0xe001) encountered.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, incorrect count for field "PageNumber" (8388610, expecting 2); tag trimmed.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, incorrect count for field "StripByteCounts" (3, expecting 1); tag trimmed.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "XResolution".
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "PageNumber".
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "WhitePoint".
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "PrimaryChromaticities".
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: invalid TIFF directory; tags are not sorted in ascending order.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, incorrect count for field "XResolution" (4194305, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 33537 (0x8301) encountered.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, Nonstandard tile length 7, convert file.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 63 (0x3f) encountered.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 2 (0x2) encountered.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, incorrect count for field "StripByteCounts" (3, expecting 1); tag trimmed.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "XResolution".
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
tiffcp: tiffcp.c:1277: readSeparateTilesIntoBuffer: Assertion `bps % 8 == 0' failed.
/root/bin/vgq: line 3: 12115 Aborted                 (core dumped) valgrind -q $@
$


PATCH

see comment 2

12/ImageMagick: has it in via version update
11/ImageMagick: considering affected by this CVE set


AFTER

11/ImageMagick

$ tiffcp -i 00118-libtiff-outside-unsigned-char-tif_dirwrite /tmp/foo
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 33537 (0x8301) encountered.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: wrong data type 15872 for "ImageWidth"; tag ignored.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 57345 (0xe001) encountered.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, incorrect count for field "PageNumber" (8388610, expecting 2); tag trimmed.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, incorrect count for field "StripByteCounts" (3, expecting 1); tag trimmed.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "XResolution".
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "PageNumber".
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "WhitePoint".
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "PrimaryChromaticities".
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: invalid TIFF directory; tags are not sorted in ascending order.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, incorrect count for field "XResolution" (4194305, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 33537 (0x8301) encountered.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, Nonstandard tile length 7, convert file.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 63 (0x3f) encountered.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: unknown field with tag 2 (0x2) encountered.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Warning, incorrect count for field "StripByteCounts" (3, expecting 1); tag trimmed.
00118-libtiff-outside-unsigned-char-tif_dirwrite: Error fetching data for field "XResolution".
TIFFReadDirectory: Warning, 00118-libtiff-outside-unsigned-char-tif_dirwrite: Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
tiffcp: tiffcp.c:1277: readSeparateTilesIntoBuffer: Assertion `bps % 8 == 0' failed.
Aborted (core dumped)
$
[no change, the assert is subject of bug 1017689 which will be fixed simultaneously]
Comment 6 Petr Gajdos 2018-05-15 11:57:49 UTC 
Will submit for 11/tiff and 10sp3/tiff.
Comment 7 Petr Gajdos 2018-05-18 11:08:57 UTC 
Packages submitted:
12/tiff:    165341
11/tiff:    165349
10sp3/tiff: 165350

@Michael, after you review these requests and after you accept and resubmit packages in case everything's ok, I think you can reassign this bug to security-team@.
Comment 8 Michael Vetter 2018-05-22 09:23:32 UTC 
Thanks a lot Petr! All perfect.

SR#165480 to SLE12.
SR#165482 to SLE11.
SR#165483 to SLE10.
Comment 10 Swamp Workflow Management 2018-05-30 09:06:20 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-06-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64044
Comment 11 Swamp Workflow Management 2018-05-30 13:14:36 UTC 
SUSE-SU-2018:1472-1: An update that solves 14 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1017694,1031250,1031254,1033109,1033111,1033112,1033113,1033120,1033126,1033127,1033129,1074317,984808,984809,984831,987351
CVE References: CVE-2016-10267,CVE-2016-10269,CVE-2016-10270,CVE-2016-5314,CVE-2016-5315,CVE-2017-18013,CVE-2017-7593,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.6.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.6.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.6.1
Comment 12 Marcus Meissner 2019-01-14 08:07:17 UTC 
done