Bugzilla – Full Text Bug Listing |
Summary: | VUL-1: CVE-2017-9147: tiff: Invalid read in the _TIFFVGetField function in tif_dir.c, allows remote attackers to cause DoS via a crafted TIFF file | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Johannes Segitz <jsegitz> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Normal | ||
Priority: | P4 - Low | CC: | guomin.chen, meissner, mvetter, pgajdos, smash_bz |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/185710/ | ||
Whiteboard: | CVSSv3:SUSE:CVE-2017-9147:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv2:SUSE:CVE-2017-9147:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:RedHat:CVE-2017-9147:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:NVD:CVE-2017-9147:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv2:NVD:CVE-2017-9147:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) maint:released:sle10-sp3:64181 | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Attachments: | _TIFFVGetField |
Description
Johannes Segitz
2017-05-23 09:01:44 UTC
Hi, is anyone handling this issue? Thanks.

This is fixed in the 4.0.9 release.

Created attachment 757613
_TIFFVGetField
QA REPRODUCER:
valgrind tiffsplit _TIFFVGetField
should not report uninitialized reads
For example, with 4.0.7:

```
$ tiffsplit _TIFFVGetField
[..]
=================================================================
==2759==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f772f8ae5ed bp 0x7fff4b534320 sp 0x7fff4b5342c0 T0)
==2759==The signal is caused by a WRITE memory access.
==2759==Hint: address points to the zero page.
    #0 0x7f772f8ae5ec in _TIFFVGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1080
    #1 0x7f772f947641 in OJPEGVGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_ojpeg.c:518
    #2 0x7f772f8afd17 in TIFFVGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1198
    #3 0x7f772f8afb8d in TIFFGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1182
    #4 0x55788fa53003 in tiffcp /usr/src/debug/tiff-4.0.7-0.x86_64/tools/tiffsplit.c:217
    #5 0x55788fa515fe in main /usr/src/debug/tiff-4.0.7-0.x86_64/tools/tiffsplit.c:89
    #6 0x7f772e65bfea in __libc_start_main (/lib64/libc.so.6+0x22fea)
    #7 0x55788fa512e9 (/usr/bin/tiffsplit+0x22e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1080 in _TIFFVGetField
[..]
$
```

4.0.10, 4.0.9

No such invalid access.

3.8.2

```
$ valgrind -q tiffsplit _TIFFVGetField
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 6934 (0x1b16) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 60737 (0xed41) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 24 (0x18) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 771 (0x303) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 571 (0x23b) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: wrong data type 1 for "StripOffsets"; tag ignored.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 4386 (0x1122) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 2051 (0x803) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 16384 (0x4000) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 326 (0x146) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 511 (0x1ff) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 27905 (0x6d01) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 433 (0x1b1) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 28956 (0x711c) encountered.
MissingRequired: _TIFFVGetField: TIFF directory is missing required "StripOffsets" field.
$
```

https://gitlab.com/libtiff/libtiff/commit/6281927e03aed3fdaac4c25e1cd1a5ff7232bcd8

Upstream bug number 2693 is listed there (see bug 960341 for details and upstream bug number 2580 for details).

We are fixing it already with tiff-CVE-2014-8128,CVE-2015-7554,CVE-2016-5318,10095,8331,3632.patch

Will submit rpm changelog modifications for 11/tiff and 10sp3/tiff.

I believe all fixed.

SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440
CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.22.1

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64180

released
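
The QA reproducer from this bug written as a regression check, added here as an example (it is not part of the bug report or of SUSE's QA tooling). It separates a memory error (ASan report, valgrind error, death by signal) from libtiff cleanly rejecting the file, as the 3.8.2 run above does; the function names, the `out_` prefix and exit code 99 are assumptions of the example.

```shell
#!/bin/sh
# Added example: regression check for the QA reproducer in this bug.
# Names, the "out_" prefix and exit code 99 are choices made for this example.
# Usage (after sourcing): run_reproducer /path/to/_TIFFVGetField

# classify_run LOG STATUS: print PASS or FAIL for one captured run.
classify_run() {
    log=$1
    status=$2
    # An ASan report or a valgrind memory error always fails the check.
    if grep -Eq 'ERROR: AddressSanitizer|^==[0-9]+== (Invalid (read|write)|Conditional jump or move depends on uninitialised|Use of uninitialised)' "$log"; then
        echo FAIL
        return 1
    fi
    # 99 is the --error-exitcode used below; 128 and above means death by signal.
    if [ "$status" -eq 99 ] || [ "$status" -ge 128 ]; then
        echo FAIL
        return 1
    fi
    # libtiff warnings and a clean rejection of the file are acceptable.
    echo PASS
}

# run_reproducer FILE: run tiffsplit under valgrind in a scratch directory.
run_reproducer() {
    # Missing tools must not be mistaken for a passing run.
    command -v valgrind >/dev/null || return 2
    command -v tiffsplit >/dev/null || return 2
    case $1 in
        /*) file=$1 ;;
        *)  file=$PWD/$1 ;;
    esac
    work=$(mktemp -d) || return 2
    status=0
    # tiffsplit writes its output pages to the current directory.
    ( cd "$work" && valgrind -q --error-exitcode=99 tiffsplit "$file" out_ ) \
        >/dev/null 2>"$work/stderr.log" || status=$?
    rc=0
    classify_run "$work/stderr.log" "$status" || rc=$?
    rm -rf "$work"
    return "$rc"
}
```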