Bugzilla – Bug 1046077
VUL-0: CVE-2017-9935: tiff: Heap-based buffer overflow in t2p_write_pdf
Last modified: 2018-10-18 11:58:24 UTC
Created attachment 730311 [details] Reproducers CVE-2017-9935 In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution. Reproducers: tiff2pdf on the various files References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9935 http://www.cvedetails.com/cve/CVE-2017-9935/ http://bugzilla.maptools.org/show_bug.cgi?id=2704
Upstream fix: https://gitlab.com/libtiff/libtiff/commit/d4f213636b6f950498a1386083199bd7f65676b9
And https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 apparently
SR#577270 to Factory
This is an autogenerated message for OBS integration: This bug (1046077) was mentioned in https://build.opensuse.org/request/show/577270 Factory / tiff
BEFORE 12/tiff $ valgrind -q tiff2pdf POCx -o out.pdf [gives invalid reads] 11/tiff $ valgrind -q tiff2pdf POCx -o out.pdf [no valgrind issues observed] PATCH: 12/tiff: needed 10sp3,11/tiff: needed after tiff2pdf.c update AFTER 12/tiff $ valgrind -q tiff2pdf POCx -o out.pdf [no invalid reads anymore] 11/tiff $ valgrind -q tiff2pdf POCx -o out.pdf [still no valgrind issues]
Will be submitted for 12/tiff, 11/tiff and 10sp3/tiff.
I believe all fixed in sr#163144, sr#163145 and sr#163146. I think this bug can be reassigned to security-team@ after review and creating maintenance request.
SR#164509 SLE-10-SP3 SR#164510 SLE-11 SR#164511 SLE-12
released
SUSE-SU-2018:1179-1: An update that solves 11 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1007280,1011107,1011845,1017688,1017690,1017691,1017692,1031255,1046077,1048937,1074318,960341,983436 CVE References: CVE-2015-7554,CVE-2016-10095,CVE-2016-10268,CVE-2016-3945,CVE-2016-5318,CVE-2016-5652,CVE-2016-9453,CVE-2016-9536,CVE-2017-11335,CVE-2017-17973,CVE-2017-9935 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.3.1 SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.3.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.3.1
SUSE-SU-2018:1180-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1046077,1074318,1081690 CVE References: CVE-2017-17973,CVE-2017-9935,CVE-2018-5784 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): tiff-4.0.9-44.10.1 SUSE Linux Enterprise Server 12-SP3 (src): tiff-4.0.9-44.10.1 SUSE Linux Enterprise Desktop 12-SP3 (src): tiff-4.0.9-44.10.1
openSUSE-SU-2018:1204-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1046077,1074318,1081690 CVE References: CVE-2017-17973,CVE-2017-9935,CVE-2018-5784 Sources used: openSUSE Leap 42.3 (src): tiff-4.0.9-28.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2018-05-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64038
*** Bug 1110358 has been marked as a duplicate of this bug. ***