Bugzilla – Bug 1074317
VUL-0: CVE-2017-18013: tiff: A Null-Pointer Dereference in the tif_print.cTIFFPrintDirectory function, could lead to denial of service
Last modified: 2018-07-13 22:38:57 UTC
CVE-2017-18013 In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18013 http://www.cvedetails.com/cve/CVE-2017-18013/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013 https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 http://bugzilla.maptools.org/show_bug.cgi?id=2770
Created attachment 756485 [details] tiff_npd QA REPRODUCER: tiffinfo -s tiff_npd should not crash
12,devel/tiff $ tiffinfo -s tiff_npd TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered. TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr. TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample. TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3. TIFF Directory at offset 0x8 (8) Image Width: 12336 Image Length: 12336 Bits/Sample: 8 Compression Scheme: Old-style JPEG Photometric Interpretation: YCbCr YCbCr Subsampling: 2, 2 Samples/Pixel: 3 Planar Configuration: single image plane 1 Strips: Segmentation fault (core dumped) $ 11/tiff $ tiffinfo -s tiff_npd TIFFReadDirectory: Warning, tiff_npd: unknown field with tag 12336 (0x3030) encountered. TIFFReadDirectory: Warning, tiff_npd: invalid TIFF directory; tags are not sorted in ascending order. tiff_npd: Warning, incorrect count for field "StripOffsets" (808464432, expecting 1); tag trimmed. tiff_npd: No space to fetch strip tag. $ PATCH in comment 0 10sp3,11/tiff: code partially in, I think it needs to be patched; I have not found that td->td_stripbytecount or td->td_stripoffset would explicitely be set to NULL somewhere in 4.0.9 AFTER 12,devel/tiff $ tiffinfo -s tiff_npd TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered. TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr. TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample. TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3. TIFF Directory at offset 0x8 (8) Image Width: 12336 Image Length: 12336 Bits/Sample: 8 Compression Scheme: Old-style JPEG Photometric Interpretation: YCbCr YCbCr Subsampling: 2, 2 Samples/Pixel: 3 Planar Configuration: single image plane 1 Strips: 0: [808464432, 0] $ [no crash] 11/tiff $ valgrind -q tiffinfo -s tiff_npd TIFFReadDirectory: Warning, tiff_npd: unknown field with tag 12336 (0x3030) encountered. TIFFReadDirectory: Warning, tiff_npd: invalid TIFF directory; tags are not sorted in ascending order. tiff_npd: Warning, incorrect count for field "StripOffsets" (808464432, expecting 1); tag trimmed. tiff_npd: No space to fetch strip tag. $ [no change]
Will submit for Tumbleweed/tiff, 12/tiff, 11/tif and 10sp3/tiff. @Michael, could you please forward sr#610254 to Tumbleweed and SLE15.
Packages submitted: 12/tiff: 165341 11/tiff: 165349 10sp3/tiff: 165350 @Michael, after you review these requests and after you accept and resubmit packages in case everything's ok, I think you can reassign this bug to security-team@.
Thanks a lot Petr! All perfect. SR#610255 to TW. SR#165481 to SLE15. SR#165480 to SLE12. SR#165482 to SLE11. SR#165483 to SLE10.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-06-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64044
SUSE-SU-2018:1472-1: An update that solves 14 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1017694,1031250,1031254,1033109,1033111,1033112,1033113,1033120,1033126,1033127,1033129,1074317,984808,984809,984831,987351 CVE References: CVE-2016-10267,CVE-2016-10269,CVE-2016-10270,CVE-2016-5314,CVE-2016-5315,CVE-2017-18013,CVE-2017-7593,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.6.1 SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.6.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.6.1
SUSE-SU-2018:1826-1: An update that fixes 8 vulnerabilities is now available. Category: security (moderate) Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621 CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): tiff-4.0.9-44.15.2 SUSE Linux Enterprise Server 12-SP3 (src): tiff-4.0.9-44.15.2 SUSE Linux Enterprise Desktop 12-SP3 (src): tiff-4.0.9-44.15.2
openSUSE-SU-2018:1834-1: An update that fixes 8 vulnerabilities is now available. Category: security (moderate) Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621 CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905 Sources used: openSUSE Leap 42.3 (src): tiff-4.0.9-31.1
SUSE-SU-2018:1889-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1074317,1082332,1082825,1086408,1092949 CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905 Sources used: SUSE Linux Enterprise Module for Desktop Applications 15 (src): tiff-4.0.9-5.9.1 SUSE Linux Enterprise Module for Basesystem 15 (src): tiff-4.0.9-5.9.1
done
openSUSE-SU-2018:1956-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1074317,1082332,1082825,1086408,1092949 CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905 Sources used: openSUSE Leap 15.0 (src): tiff-4.0.9-lp150.4.3.1