Bug 1113672 - (CVE-2018-18661) VUL-1: CVE-2018-18661: tiff: NULL pointer dereference in the function LZWDecode in the file tif_lzw.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/218055/
CVSSv3:SUSE:CVE-2018-18661:3.3:(AV:...
Reported: 2018-10-29 08:41 UTC by Karol Babioch
Modified: 2019-01-14 10:31 UTC
Found By: Security Response Team
Description Karol Babioch 2018-10-29 08:41:20 UTC
CVE-2018-18661

An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in
the function LZWDecode in the file tif_lzw.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18661
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18661.html
http://www.cvedetails.com/cve/CVE-2018-18661/
http://bugzilla.maptools.org/show_bug.cgi?id=2819
Comment 1 Petr Gajdos 2018-11-12 13:10:37 UTC
Submitted 4.0.10 which fixes this to devel project.
Comment 2 Michael Vetter 2018-11-12 13:36:06 UTC
Accepted and on its way to Factory as SR#648457
Comment 3 Petr Gajdos 2018-11-12 13:59:07 UTC
BEFORE

tiff 4.0.9

$ ulimit -v 2000000
$ tiff2bw Null-pointer-derefence__LZWDecode\@tif_lzw.c_462 /dev/null
Segmentation fault
$

tiff 3.8.2

$ ulimit -v 2000000
$ tiff2bw Null-pointer-derefence__LZWDecode\@tif_lzw.c_462 foo
TIFFReadDirectory: Warning, Null-pointer-derefence__LZWDecode@tif_lzw.c_462: unknown field with tag 292 (0x124) encountered.
Null-pointer-derefence__LZWDecode@tif_lzw.c_462: Integer overflow in TIFFScanlineSize.
TIFFReadDirectory: Null-pointer-derefence__LZWDecode@tif_lzw.c_462: cannot handle zero scanline size.
$


PATCH

https://gitlab.com/libtiff/libtiff/commit/99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f
3.8.2: testcase does not work (_TIFFmalloc is run only for small values of its argument), but checks are missing in tiff2bw

AFTER

4.0.9

$ ulimit -v 2000000
$ tiff2bw Null-pointer-derefence__LZWDecode\@tif_lzw.c_462 /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
Out of memory
TIFFWriteDirectoryTagData: IO error writing tag data.
$
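
The failure mode shown in Comment 3, as an added example that is not part of the original bug report and is not libtiff or tiff2bw code: a buffer allocation that fails under a memory cap is handed to a decoder unchecked (BEFORE), versus a caller that validates the row size and checks the allocation (AFTER). It goes slightly beyond the fix by also rejecting the overflowing and zero scanline sizes that the 3.8.2 output mentions. All names (`capped_malloc`, `fake_decode`, `row_bytes`, `convert_*`), the 64 MiB cap and the 32-bit row size are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins, not libtiff code. ALLOC_LIMIT models the
 * address-space cap that `ulimit -v` imposes in the transcript. */
#define ALLOC_LIMIT ((size_t)64 << 20)            /* constructed: 64 MiB */
enum { CONV_OK = 0, CONV_OVERFLOW = -1, CONV_ZERO = -2, CONV_NOMEM = -3 };

static void *capped_malloc(size_t n) { return n > ALLOC_LIMIT ? NULL : malloc(n); }
/* Stand-in decoder: writes n bytes to out, so out must not be NULL. */
static void fake_decode(unsigned char *out, size_t n) { memset(out, 0x80, n); }

/* Row size in bytes, kept in 32 bits; rejects wrap-around and zero. */
static int row_bytes(uint32_t width, uint16_t samples, uint16_t bits, uint32_t *out) {
    uint64_t total = ((uint64_t)width * samples * bits + 7) / 8;
    if (total > UINT32_MAX) return CONV_OVERFLOW;
    if (total == 0) return CONV_ZERO;
    *out = (uint32_t)total;
    return CONV_OK;
}

/* BEFORE pattern: allocation result handed to the decoder unchecked. */
int convert_unchecked(uint32_t n) {
    unsigned char *buf = capped_malloc(n);
    fake_decode(buf, n);            /* NULL write if the allocation failed */
    free(buf);
    return CONV_OK;
}

/* AFTER pattern: validate the size, check the allocation, fail cleanly. */
int convert_checked(uint32_t width, uint16_t samples, uint16_t bits) {
    uint32_t n = 0;
    int rc = row_bytes(width, samples, bits, &n);
    if (rc != CONV_OK) return rc;
    unsigned char *buf = capped_malloc(n);
    if (buf == NULL) {
        fprintf(stderr, "Out of memory\n");
        return CONV_NOMEM;
    }
    fake_decode(buf, n);
    free(buf);
    return CONV_OK;
}

int main(void) {
    /* Constructed sizes: a 3 KiB row, then a 512 MiB row above the cap. */
    printf("%d %d\n", convert_checked(1024, 3, 8), convert_checked(0x20000000u, 1, 8));
    return 0;
}
```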
Comment 4 Petr Gajdos 2018-11-12 14:07:19 UTC
Will submit for: 15,12,11,10sp3/tiff.
Comment 5 Petr Gajdos 2018-11-14 14:21:25 UTC
I believe all fixed.
Comment 8 Swamp Workflow Management 2018-11-23 20:12:43 UTC
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440
CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.22.1
Comment 9 Swamp Workflow Management 2018-11-26 20:11:54 UTC
SUSE-SU-2018:3911-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.9-44.27.1
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.9-44.27.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.9-44.27.1
Comment 10 Swamp Workflow Management 2018-11-27 17:11:41 UTC
SUSE-SU-2018:3925-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    tiff-4.0.9-5.17.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    tiff-4.0.9-5.17.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    tiff-4.0.9-5.17.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    tiff-4.0.9-5.17.1
Comment 11 Swamp Workflow Management 2018-11-29 23:10:33 UTC
openSUSE-SU-2018:3947-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.9-40.1
Comment 12 Swamp Workflow Management 2018-11-29 23:11:24 UTC
openSUSE-SU-2018:3948-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
openSUSE Leap 15.0 (src):    tiff-4.0.9-lp150.4.9.1
Comment 13 Swamp Workflow Management 2018-12-07 11:22:22 UTC
SUSE-SU-2018:3911-2: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    tiff-4.0.9-44.27.1
SUSE Linux Enterprise Server 12-SP4 (src):    tiff-4.0.9-44.27.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    tiff-4.0.9-44.27.1
Comment 14 Swamp Workflow Management 2018-12-11 10:05:05 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64180
Comment 15 Marcus Meissner 2019-01-14 10:31:11 UTC
done