Bug 1046077 (CVE-2017-9935)

Summary:	VUL-0: CVE-2017-9935: tiff: Heap-based buffer overflow in t2p_write_pdf
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Johannes Segitz <jsegitz>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	meissner, mvetter, pgajdos, smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/187313/
Whiteboard:	CVSSv2:SUSE:CVE-2017-9935:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:SUSE:CVE-2017-9935:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:NVD:CVE-2017-9935:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2017-9935:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2017-9935:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) maint:released:sle10-sp3:64039
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	Reproducers

Description Johannes Segitz 2017-06-27 06:39:52 UTC

Created attachment 730311 [details]
Reproducers

CVE-2017-9935

In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf
function in tools/tiff2pdf.c. This heap overflow could lead to different
damages. For example, a crafted TIFF document can lead to an out-of-bounds read
in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in
t2p_readwrite_pdf_image, or a double free in t2p_free. Given these
possibilities, it probably could cause arbitrary code execution.

Reproducers: tiff2pdf on the various files

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9935
http://www.cvedetails.com/cve/CVE-2017-9935/
http://bugzilla.maptools.org/show_bug.cgi?id=2704

Comment 1 Michael Vetter 2018-02-16 13:25:16 UTC

Upstream fix: https://gitlab.com/libtiff/libtiff/commit/d4f213636b6f950498a1386083199bd7f65676b9

Comment 2 Michael Vetter 2018-02-16 13:54:02 UTC

And https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 apparently

Comment 3 Michael Vetter 2018-02-16 14:35:28 UTC

SR#577270 to Factory

Comment 4 Swamp Workflow Management 2018-02-16 15:40:06 UTC

This is an autogenerated message for OBS integration:
This bug (1046077) was mentioned in
https://build.opensuse.org/request/show/577270 Factory / tiff

Comment 6 Petr Gajdos 2018-04-27 10:45:05 UTC

BEFORE

12/tiff

$ valgrind -q tiff2pdf POCx -o out.pdf

[gives invalid reads]

11/tiff

$ valgrind -q tiff2pdf POCx -o out.pdf

[no valgrind issues observed]


PATCH:

12/tiff: needed
10sp3,11/tiff: needed after tiff2pdf.c update


AFTER

12/tiff

$ valgrind -q tiff2pdf POCx -o out.pdf

[no invalid reads anymore]

11/tiff

$ valgrind -q tiff2pdf POCx -o out.pdf

[still no valgrind issues]

Comment 7 Petr Gajdos 2018-04-27 10:51:36 UTC

Will be submitted for 12/tiff, 11/tiff and 10sp3/tiff.

Comment 8 Petr Gajdos 2018-04-27 10:59:58 UTC

I believe all fixed in sr#163144, sr#163145 and sr#163146.

I think this bug can be reassigned to security-team@ after review and creating maintenance request.

Comment 9 Michael Vetter 2018-05-07 13:08:26 UTC

SR#164509 SLE-10-SP3
SR#164510 SLE-11
SR#164511 SLE-12

Comment 11 Marcus Meissner 2018-05-09 14:47:27 UTC

released

Comment 12 Swamp Workflow Management 2018-05-09 16:14:20 UTC

SUSE-SU-2018:1179-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1007280,1011107,1011845,1017688,1017690,1017691,1017692,1031255,1046077,1048937,1074318,960341,983436
CVE References: CVE-2015-7554,CVE-2016-10095,CVE-2016-10268,CVE-2016-3945,CVE-2016-5318,CVE-2016-5652,CVE-2016-9453,CVE-2016-9536,CVE-2017-11335,CVE-2017-17973,CVE-2017-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.3.1

Comment 13 Swamp Workflow Management 2018-05-09 16:15:41 UTC

SUSE-SU-2018:1180-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1046077,1074318,1081690
CVE References: CVE-2017-17973,CVE-2017-9935,CVE-2018-5784
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.9-44.10.1
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.9-44.10.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.9-44.10.1

Comment 14 Swamp Workflow Management 2018-05-10 22:07:10 UTC

openSUSE-SU-2018:1204-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1046077,1074318,1081690
CVE References: CVE-2017-17973,CVE-2017-9935,CVE-2018-5784
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.9-28.1

Comment 15 Swamp Workflow Management 2018-05-11 15:26:35 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-05-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64038

Comment 16 Petr Gajdos 2018-10-18 11:58:24 UTC

*** Bug 1110358 has been marked as a duplicate of this bug. ***