Bugzilla – Bug 1033120
VUL-0: CVE-2017-7597: tiff: tif_dirread.c "outside the range of representable valuesof type float" undefined behavior
Last modified: 2019-01-14 08:08:11 UTC
CVE-2017-7597 tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7597 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7597
SUSE-SU-2017:2569-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805 CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): tiff-4.0.8-44.3.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): tiff-4.0.8-44.3.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): tiff-4.0.8-44.3.1 SUSE Linux Enterprise Server 12-SP3 (src): tiff-4.0.8-44.3.1 SUSE Linux Enterprise Server 12-SP2 (src): tiff-4.0.8-44.3.1 SUSE Linux Enterprise Desktop 12-SP3 (src): tiff-4.0.8-44.3.1 SUSE Linux Enterprise Desktop 12-SP2 (src): tiff-4.0.8-44.3.1
openSUSE-SU-2017:2635-1: An update that fixes 14 vulnerabilities is now available. Category: security (moderate) Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805 CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404 Sources used: openSUSE Leap 42.3 (src): tiff-4.0.8-21.1 openSUSE Leap 42.2 (src): tiff-4.0.8-17.6.1
http://bugzilla.maptools.org/show_bug.cgi?id=2653 https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
(In reply to Petr Gajdos from comment #3) > http://bugzilla.maptools.org/show_bug.cgi?id=2653 > https://github.com/vadz/libtiff/commit/ > 3144e57770c1e4d26520d8abee750f8ac8b75490 Wrong. http://bugzilla.maptools.org/show_bug.cgi?id=2643 https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
CVE-2017-7596 (bug 1033126), CVE-2017-7597 (bug 1033120), CVE-2017-7599 (bug 1033113) and CVE-2017-7600 (bug 1033112) share the commit.
BEFORE 12/tiff $ tiffcp -i 00114-libtiff-outside-float-tif_dirread /tmp/foo TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 63766 (0xf916) encountered. TIFFReadDirectory: Warning, Unknown field with tag 33537 (0x8301) encountered. TIFFFetchNormalTag: Warning, IO error during reading of "PhotometricInterpretation"; tag ignored. TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored. TIFFReadDirectory: tif->tif_dir.td_stripoffset is already allocated. Likely duplicated StripOffsets/TileOffsets tag. $ 11/tiff $ tiffcp -i 00114-libtiff-outside-float-tif_dirread /tmp/foo TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: unknown field with tag 63766 (0xf916) encountered. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: wrong data type 3 for "XPosition"; tag ignored. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: wrong data type 16 for "PhotometricInterpretation"; tag ignored. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: unknown field with tag 33537 (0x8301) encountered. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: wrong data type 3 for "TileOffsets"; tag ignored. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: wrong data type 12 for "PrimaryChromaticities"; tag ignored. 00114-libtiff-outside-float-tif_dirread: Warning, incorrect count for field "StripByteCounts" (3, expecting 1); tag trimmed. 00114-libtiff-outside-float-tif_dirread: Error fetching data for field "XResolution". 00114-libtiff-outside-float-tif_dirread: Error fetching data for field "WhitePoint". TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: Bogus "StripByteCounts" field, ignoring and calculating from imagelength. TIFFFillStrip: 00114-libtiff-outside-float-tif_dirread: Read error at scanline 4294967295, strip 1; got 18446744073709544743 bytes, expected 7175. [..] $ PATCH see comment 4 12/ImageMagick: has it in via version update 11/ImageMagick: considering affected by this CVE set AFTER $ tiffcp -i 00114-libtiff-outside-float-tif_dirread /tmp/foo TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: unknown field with tag 63766 (0xf916) encountered. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: wrong data type 3 for "XPosition"; tag ignored. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: wrong data type 16 for "PhotometricInterpretation"; tag ignored. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: unknown field with tag 33537 (0x8301) encountered. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: wrong data type 3 for "TileOffsets"; tag ignored. TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: wrong data type 12 for "PrimaryChromaticities"; tag ignored. 00114-libtiff-outside-float-tif_dirread: Warning, incorrect count for field "StripByteCounts" (3, expecting 1); tag trimmed. 00114-libtiff-outside-float-tif_dirread: Error fetching data for field "XResolution". 00114-libtiff-outside-float-tif_dirread: Error fetching data for field "WhitePoint". TIFFReadDirectory: Warning, 00114-libtiff-outside-float-tif_dirread: Bogus "StripByteCounts" field, ignoring and calculating from imagelength. TIFFFillStrip: 00114-libtiff-outside-float-tif_dirread: Read error at scanline 4294967295, strip 0; got 302 bytes, expected 7175. TIFFFillStrip: 00114-libtiff-outside-float-tif_dirread: Read error at scanline 4294967295, strip 1; got 18446744073709544743 bytes, expected 7175. [..] $ [no change]
Will submit for 11/tiff and 10sp3/tiff.
Packages submitted: 12/tiff: 165341 11/tiff: 165349 10sp3/tiff: 165350 @Michael, after you review these requests and after you accept and resubmit packages in case everything's ok, I think you can reassign this bug to security-team@.
Thanks a lot Petr! All perfect. SR#165480 to SLE12. SR#165482 to SLE11. SR#165483 to SLE10.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-06-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64044
SUSE-SU-2018:1472-1: An update that solves 14 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1017694,1031250,1031254,1033109,1033111,1033112,1033113,1033120,1033126,1033127,1033129,1074317,984808,984809,984831,987351 CVE References: CVE-2016-10267,CVE-2016-10269,CVE-2016-10270,CVE-2016-5314,CVE-2016-5315,CVE-2017-18013,CVE-2017-7593,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.6.1 SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.6.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.6.1
released