Bug 1017689 - VUL-1: libtiff: assertion failure in readSeparateTilesIntoBuffer (tiffcp.c)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/178189/
Reported: 2017-01-01 17:55 UTC by Mikhail Kasimov
Modified: 2019-11-14 15:38 UTC
Description Mikhail Kasimov 2017-01-01 17:55:50 UTC
Ref: http://seclists.org/oss-sec/2017/q1/7
============================================
Description:
Libtiff is software that provides support for the Tag Image File Format 
(TIFF), a widely used format for storing image data.

A crafted tiff file revealed an assertion failure.

The complete output:

# tiffcp -i $FILE /tmp/foo
tiffcp: /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1390: int readSeparateTilesIntoBuffer(TIFF *, uint8 *, uint32, uint32, tsample_t): Assertion `bps % 8 == 0' failed.

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/7ff9652da2eec4c65279dcbc7e55c0418e87bbc8

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00072-libtiff-assert-readSeparateTilesIntoBuffer

Timeline:
2016-11-23: bug discovered and reported to upstream
2016-12-03: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-assertion-failure-in-readseparatetilesintobuffer-tiffcp-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
============================================

https://software.opensuse.org/package/libtiff5

TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7
Comment 1 Swamp Workflow Management 2017-01-01 23:00:37 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2017-01-02 10:44:29 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2017-01-30.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63317
Comment 4 Petr Gajdos 2018-05-15 11:56:53 UTC
BEFORE

12/tiff

$ tiffcp -i 00072-libtiff-assert-readSeparateTilesIntoBuffer /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 491 (0x1eb) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4119 (0x1017) encountered.
00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, Nonstandard tile width 29, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 32189 (0x7dbd) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8 (0x8) encountered.
_TIFFVSetField: 00072-libtiff-assert-readSeparateTilesIntoBuffer: Bad value 65282 for "FillOrder" tag.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 491"; tag ignored.
_TIFFVSetField: 00072-libtiff-assert-readSeparateTilesIntoBuffer: Null count for "Tag 8" (type 8, writecount -3, passcount 1).
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
00072-libtiff-assert-readSeparateTilesIntoBuffer: Error, cannot handle BitsPerSample that is not a multiple of 8.
$

11/tiff

$ tiffcp -i 00072-libtiff-assert-readSeparateTilesIntoBuffer /tmp/foo
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 491 (0x1eb) encountered.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 4119 (0x1017) encountered.
00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, Nonstandard tile width 29, convert file.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 32189 (0x7dbd) encountered.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 8 (0x8) encountered.
00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, incorrect count for field "BitsPerSample" (4, expecting 1); tag trimmed.
_TIFFVSetField: 00072-libtiff-assert-readSeparateTilesIntoBuffer: Bad value 65282 for "FillOrder".
00072-libtiff-assert-readSeparateTilesIntoBuffer: Error fetching data for field "Tag 491".
00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, incorrect count for field "Tag 8" (0, expecting 1); tag ignored.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
tiffcp: tiffcp.c:1277: readSeparateTilesIntoBuffer: Assertion `bps % 8 == 0' failed.
Aborted (core dumped)
$

PATCH

see comment 0

12/tiff: have the fix already in
11/tiff: affected

AFTER

11/tiff

$ tiffcp -i 00072-libtiff-assert-readSeparateTilesIntoBuffer /tmp/foo          
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 491 (0x1eb) encountered.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 4119 (0x1017) encountered.
00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, Nonstandard tile width 29, convert file.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 32189 (0x7dbd) encountered.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: unknown field with tag 8 (0x8) encountered.
00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, incorrect count for field "BitsPerSample" (4, expecting 1); tag trimmed.
_TIFFVSetField: 00072-libtiff-assert-readSeparateTilesIntoBuffer: Bad value 65282 for "FillOrder".
00072-libtiff-assert-readSeparateTilesIntoBuffer: Error fetching data for field "Tag 491".
00072-libtiff-assert-readSeparateTilesIntoBuffer: Warning, incorrect count for field "Tag 8" (0, expecting 1); tag ignored.
TIFFReadDirectory: Warning, 00072-libtiff-assert-readSeparateTilesIntoBuffer: TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
00072-libtiff-assert-readSeparateTilesIntoBuffer: Error, cannot handle BitsPerSample that is not a multiple of 8.
$
[the assertion changed to error message]
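
Added illustration (not libtiff's code and not part of this bug report) of the pattern behind the before/after outputs in comment 4: a file-controlled BitsPerSample guarded only by assert(), next to the same condition rejected as an ordinary error. The function names and the simplified plane-copy routine are hypothetical.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not libtiff source; all names are hypothetical.
 * "Before" pattern: a file-controlled value guarded only by assert().
 * A normal build aborts and dumps core; an NDEBUG build drops the check
 * and carries on with bps / 8 rounded down. */
static size_t bytes_per_sample_asserting(uint16_t bps)
{
    assert(bps % 8 == 0);
    return bps / 8;
}

/* "After" pattern: the same condition handled as a recoverable error. */
static int bytes_per_sample_checked(uint16_t bps, size_t *out)
{
    if (bps == 0 || bps % 8 != 0) {
        fprintf(stderr, "Error, cannot handle BitsPerSample "
                        "that is not a multiple of 8.\n");
        return 0;
    }
    *out = bps / 8;
    return 1;
}

/* Copy plane s of a separate-plane tile (npixels samples) into a
 * pixel-interleaved buffer with spp samples per pixel. 1 = ok, 0 = rejected. */
static int scatter_plane(uint8_t *dst, size_t dst_len, const uint8_t *tile,
                         size_t npixels, uint16_t bps, uint16_t spp, uint16_t s)
{
    size_t bytes;
    if (!bytes_per_sample_checked(bps, &bytes) || s >= spp)
        return 0;
    if (npixels > dst_len / bytes / spp)   /* overflow-safe bounds check */
        return 0;
    for (size_t i = 0; i < npixels; i++)
        memcpy(dst + (i * spp + s) * bytes, tile + i * bytes, bytes);
    return 1;
}

int main(void)
{
    uint8_t tile[2] = {0xAA, 0xBB}, dst[6] = {0};   /* constructed sample */
    printf("bps=16 -> %zu bytes\n", bytes_per_sample_asserting(16));
    printf("bps=8:  %d\n", scatter_plane(dst, sizeof dst, tile, 2, 8, 3, 1));
    printf("bps=12: %d\n", scatter_plane(dst, sizeof dst, tile, 2, 12, 3, 1));
    return 0;
}
```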
Comment 5 Petr Gajdos 2018-05-15 11:57:55 UTC
Will submit for 11/tiff and 10sp3/tiff.
Comment 6 Petr Gajdos 2018-05-18 11:09:02 UTC
Packages submitted:
12/tiff:    165341
11/tiff:    165349
10sp3/tiff: 165350

@Michael, after you review these requests and after you accept and resubmit packages in case everything's ok, I think you can reassign this bug to security-team@.
Comment 7 Petr Gajdos 2018-06-04 07:55:22 UTC
This was fixed by tiff-assert-readSeparateTilesIntoBuffer.patch, I just forgot to reference this bug in rpm change log. I will add it.
Comment 8 Petr Gajdos 2018-06-06 11:32:16 UTC
This bug should be fixed by current submission.
Comment 10 Swamp Workflow Management 2018-06-28 13:10:41 UTC
SUSE-SU-2018:1835-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1011839,1011846,1017689,1017690,1019611,1031263,1082332,1082825,1086408,974621
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-10266,CVE-2016-3632,CVE-2016-5318,CVE-2016-8331,CVE-2016-9535,CVE-2016-9540,CVE-2017-11613,CVE-2017-5225,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.9.1
Comment 11 Marcus Meissner 2019-01-14 08:15:09 UTC
released