Bugzilla – Bug 1017689
VUL-1: libtiff: assertion failure in readSeparateTilesIntoBuffer (tiffcp.c)
Last modified: 2019-11-14 15:38:56 UTC
Ref: http://seclists.org/oss-sec/2017/q1/7 ============================================ Description: Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. A crafted tiff file revealed an assertion failure. The complete output: # tiffcp -i $FILE /tmp/foo tiffcp: /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1390: int readSeparateTilesIntoBuffer(TIFF *, uint8 *, uint32, uint32, tsample_t): Assertion `bps % 8 == 0' failed. Affected version: 4.0.7 Fixed version: N/A Commit fix: https://github.com/vadz/libtiff/commit/7ff9652da2eec4c65279dcbc7e55c0418e87bbc8 Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00072-libtiff-assert-readSeparateTilesIntoBuffer Timeline: 2016-11-23: bug discovered and reported to upstream 2016-12-03: upstream released a patch 2017-01-01: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/01/01/libtiff-assertion-failure-in-readseparatetilesintobuffer-tiffcp-c -- Agostino Sarubbo Gentoo Linux Developer ============================================ https://software.opensuse.org/package/libtiff5 TW: 4.0.7 42.2: 4.0.6 42.1: 4.0.6 13.2: 4.0.7
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2017-01-30. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63317
BEFORE 12/tiff $ tiffcp -i 00072-libtiff-assert-readSeparateTilesIntoBuffer /tmp/foo TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 491 (0x1eb) encountered. TIFFReadDirectory: Warning, Unknown field with tag 4119 (0x1017) encountered. 00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, Nonstandard tile width 29, convert file. TIFFReadDirectory: Warning, Unknown field with tag 32189 (0x7dbd) encountered. TIFFReadDirectory: Warning, Unknown field with tag 8 (0x8) encountered. _TIFFVSetField: 00072-libtiff-assert-readSeparateTilesIntoBuffer: Bad value 65282 for "FillOrder" tag. TIFFFetchNormalTag: Warning, IO error during reading of "Tag 491"; tag ignored. _TIFFVSetField: 00072-libtiff-assert-readSeparateTilesIntoBuffer: Null count for "Tag 8" (type 8, writecount -3, passcount 1). TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. 00072-libtiff-assert-readSeparateTilesIntoBuffer: Error, cannot handle BitsPerSample that is not a multiple of 8. $ 11/tiff $ tiffcp -i 00072-libtiff-assert-readSeparateTilesIntoBuffer /tmp/foo TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 491 (0x1eb) encountered. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 4119 (0x1017) encountered. 00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, Nonstandard tile width 29, convert file. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 32189 (0x7dbd) encountered. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 8 (0x8) encountered. 00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, incorrect count for field "BitsPerSample" (4, expecting 1); tag trimmed. _TIFFVSetField: 00072-libtiff-assert-readSeparateTilesIntoBuffer: Bad value 65282 for "FillOrder". 00072-libtiff-assert-readSeparateTilesIntoBuffer: Error fetching data for field "Tag 491". 00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, incorrect count for field "Tag 8" (0, expecting 1); tag ignored. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. tiffcp: tiffcp.c:1277: readSeparateTilesIntoBuffer: Assertion `bps % 8 == 0' failed. Aborted (core dumped) $ PATCH see comment 0 12/tiff: have the fix already in 11/tiff: affected AFTER 11/tiff $ tiffcp -i 00072-libtiff-assert-readSeparateTilesIntoBuffer /tmp/foo TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 491 (0x1eb) encountered. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 4119 (0x1017) encountered. 00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, Nonstandard tile width 29, convert file. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 32189 (0x7dbd) encountered. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 8 (0x8) encountered. 00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, incorrect count for field "BitsPerSample" (4, expecting 1); tag trimmed. _TIFFVSetField: 00072-libtiff-assert-readSeparateTilesIntoBuffer: Bad value 65282 for "FillOrder". 00072-libtiff-assert-readSeparateTilesIntoBuffer: Error fetching data for field "Tag 491". 00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, incorrect count for field "Tag 8" (0, expecting 1); tag ignored. TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. 00072-libtiff-assert-readSeparateTilesIntoBuffer: Error, cannot handle BitsPerSample that is not a multiple of 8. $ [the assertion changed to error message]
Will submit for 11/tiff and 10sp3/tiff.
Packages submitted: 12/tiff: 165341 11/tiff: 165349 10sp3/tiff: 165350 @Michael, after you review these requests and after you accept and resubmit packages in case everything's ok, I think you can reassign this bug to security-team@.
This was fixed by tiff-assert-readSeparateTilesIntoBuffer.patch, I just forgot to reference this bug in rpm change log. I will add it.
This bug should be fixed by current submission.
SUSE-SU-2018:1835-1: An update that fixes 13 vulnerabilities is now available. Category: security (moderate) Bug References: 1007276,1011839,1011846,1017689,1017690,1019611,1031263,1082332,1082825,1086408,974621 CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-10266,CVE-2016-3632,CVE-2016-5318,CVE-2016-8331,CVE-2016-9535,CVE-2016-9540,CVE-2017-11613,CVE-2017-5225,CVE-2018-7456,CVE-2018-8905 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.9.1 SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.9.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.9.1
released