Bugzilla – Bug 1046770
VUL-1: CVE-2017-10688: tiff: Assertion abort in TIFFWriteDirectoryTagCheckedLong8Array allowing for remote denial of service attack
Last modified: 2018-12-01 07:29:19 UTC
Created attachment 730818
Reproducer

CVE-2017-10688

In LibTIFF 4.0.8, there is an assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted input will lead to a remote denial of service attack.

Reproducer:
tiffset POC1

Triggered for me once on SLE 12, but not anymore after that. Kind of strange, please have a look.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688
http://bugzilla.maptools.org/show_bug.cgi?id=2712

BEFORE

12/tiff
$ tiffset POC1
POC1: Failed to allocate memory for to read TIFF directory (0 elements of 12 bytes each).
TIFFReadDirectory: Failed to read directory at offset 5356.
$

11/tiff
$ tiffset POC1
POC1: No space to read TIFF directory.
$

PATCH

https://gitlab.com/libtiff/libtiff/commit/3cb621f5cff48202c890c3c028ffbd8517962c4f

12/tiff: fix is already in by version update
11/tiff: no such code found