Bug 1042805 - (CVE-2017-9403) VUL-1: CVE-2017-9403: libtiff: Memory leak in TIFFReadDirEntryLong8Array
(CVE-2017-9403)
VUL-1: CVE-2017-9403: libtiff: Memory leak in TIFFReadDirEntryLong8Array
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/186220/
CVSSv3:SUSE:CVE-2017-9403:4.0:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-06 06:12 UTC by Victor Pereira
Modified: 2018-11-30 14:12 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2017-06-06 06:12:55 UTC
rh#1458902

In LibTIFF 4.0.7, a memory leak vulnerability was found in the function
TIFFReadDirEntryLong8Array in tif_dirread.c, which allows attackers to cause a
denial of service via a crafted file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1458902
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9403
http://bugzilla.maptools.org/show_bug.cgi?id=2689
Comment 1 Swamp Workflow Management 2017-09-26 13:16:25 UTC
SUSE-SU-2017:2569-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805
CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.8-44.3.1
Comment 2 Swamp Workflow Management 2017-10-03 19:09:13 UTC
openSUSE-SU-2017:2635-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805
CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.8-21.1
openSUSE Leap 42.2 (src):    tiff-4.0.8-17.6.1
Comment 3 Marcus Meissner 2018-02-16 06:11:37 UTC
released
Comment 4 Marcus Meissner 2018-02-16 06:36:25 UTC
hmm our eval showed sle11 as unaffected, not sure how this was found out.

please cross check.
Comment 6 Petr Gajdos 2018-05-18 07:06:39 UTC
BEFORE

12/tiff

$ valgrind -q --leak-check=full tiff2ps memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 276 (0x114) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 276"; tag ignored.
TIFFReadDirectory: tif->tif_dir.td_stripbytecount is already allocated. Likely duplicated StripByteCounts/TileByteCounts tag.
LIBTIFF, Version 4.0.9
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.

usage: tiff2ps [options] input.tif ...
where options are:
 -1            generate PostScript Level 1 (default)
 -2            generate PostScript Level 2
 -3            generate PostScript Level 3
 -8            disable use of ASCII85 encoding with PostScript Level 2/3
 -a            convert all directories in file (default is first), Not EPS
 -b #          set the bottom margin to # inches
 -c            center image (-b and -l still add to this)
 -C name       set postscript document creator name
 -d #          set initial directory to # counting from zero
 -D            enable duplex printing (two pages per sheet of paper)
 -e            generate Encapsulated PostScript (EPS) (implies -z)
 -h #          set printed page height to # inches (no default)
 -w #          set printed page width to # inches (no default)
 -H #          split image if height is more than # inches
 -W #          split image if width is more than # inches
 -L #          overLap split images by # inches
 -i #          enable/disable (Nz/0) pixel interpolation (default: enable)
 -l #          set the left margin to # inches
 -m            use "imagemask" operator instead of "image"
 -o #          convert directory at file offset # bytes
 -O file       write PostScript to file instead of standard output
 -p            generate regular (non-encapsulated) PostScript
 -P L or P     set optional PageOrientation DSC comment to Landscape or Portrait
 -r # or auto  rotate by 90, 180, 270 degrees or auto
 -s            generate PostScript for a single image
 -t name       set postscript document title. Otherwise the filename is used
 -T            print pages for top edge binding
 -x            override resolution units as centimeters
 -y            override resolution units as inches
 -z            enable printing in the deadzone (only for PostScript Level 2/3)
$

11/tiff

$ valgrind -q --leak-check=full tiff2ps memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif
TIFFReadDirectory: Warning, memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif: unknown field with tag 276 (0x114) encountered.
memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif: Error fetching data for field "Tag 276".
memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif: Error fetching data for field "Software".
TIFFReadDirectory: Warning, memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif: Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFReadDirectory: memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif: cannot handle zero strip size.
LIBTIFF, Version 3.8.2
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.

usage: tiff2ps [options] input.tif ...
where options are:
 -1            generate PostScript Level 1 (default)
 -2            generate PostScript Level 2
 -3            generate PostScript Level 3
 -8            disable use of ASCII85 encoding with PostScript Level 2/3
 -a            convert all directories in file (default is first)
 -b #          set the bottom margin to # inches
 -c            center image (-b and -l still add to this)
 -d #          convert directory number #
 -D            enable duplex printing (two pages per sheet of paper)
 -e            generate Encapsulated PostScript (EPS) (implies -z)
 -h #          assume printed page height is # inches (default 11)
 -w #          assume printed page width is # inches (default 8.5)
 -H #          split image if height is more than # inches
 -L #          overLap split images by # inches
 -i #          enable/disable (Nz/0) pixel interpolation (default: enable)
 -l #          set the left margin to # inches
 -m            use "imagemask" operator instead of "image"
 -o #          convert directory at file offset #
 -O file       write PostScript to file instead of standard output
 -p            generate regular PostScript
 -r            rotate by 180 degrees
 -s            generate PostScript for a single image
 -T            print pages for top edge binding
 -x            override resolution units as centimeters
 -y            override resolution units as inches
 -z            enable printing in the deadzone (only for PostScript Level 2/3)
$

[no leaks detected]


PATCH

see comment 5


12/tiff: has the fix already in trough version update
10sp3,11/tiff: I agree with your original evaluation.[*]

I think you can close as fixed.

[*] Reason: _TIFFFillStriles() does not exist there; TIFFFetchStripThing() is called only in TIFFReadDirectory().
Comment 7 Petr Gajdos 2018-05-18 07:12:01 UTC
(In reply to Marcus Meissner from comment #4)
> please cross check.

Done
https://www.youtube.com/watch?v=kB6svcQnJi4
Comment 8 Marcus Meissner 2018-11-30 14:12:28 UTC
done