Bug 1082332 - (CVE-2017-11613) VUL-1: CVE-2017-11613: tiff: denial of service in TIFFOpen function
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Security Team bot
CVSSv2:NVD:CVE-2017-11613:4.3:(AV:N/A...
Reported: 2018-02-22 15:51 UTC by Alexander Bergmann
Modified: 2019-01-14 10:18 UTC (History)
Description Alexander Bergmann 2018-02-22 15:51:57 UTC
CVE-2017-11613

In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. 

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11613
https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f
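
The condition in the description above, a file-controlled ImageLength that sizes the chopped strip arrays, can be screened for before a file is handed to TIFFOpen. This C example is added here and is not code from LibTIFF or from the upstream patch; the function name, the "more rows than file bytes" heuristic and the worst case of one 8-byte element per row in each of two arrays are assumptions, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read an n-byte unsigned value; le is nonzero for an "II" (little-endian) file. */
static uint32_t rd(const uint8_t *p, int n, int le) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << (8 * (le ? i : n - 1 - i));
    return v;
}

/* Hypothetical pre-open check on a classic (non-BigTIFF) file held in memory.
 * Returns -1 if unparseable, 1 if the first IFD declares an uncompressed image
 * with no StripByteCounts and more rows than the file has bytes, else 0.
 * *worst_alloc: assumed worst case, two arrays of one 8-byte element per row. */
int tiff_rows_implausible(const uint8_t *buf, size_t len, uint64_t *worst_alloc) {
    *worst_alloc = 0;
    if (len < 8) return -1;
    int le = (buf[0] == 'I' && buf[1] == 'I');
    if (!le && !(buf[0] == 'M' && buf[1] == 'M')) return -1;
    if (rd(buf + 2, 2, le) != 42) return -1;          /* classic TIFF magic */
    uint32_t ifd = rd(buf + 4, 4, le);
    if (ifd > len || len - ifd < 2) return -1;        /* IFD offset inside file */
    uint32_t n = rd(buf + ifd, 2, le);
    if ((len - ifd - 2) / 12 < n) return -1;          /* all entries inside file */
    uint32_t rows = 0, compression = 1;               /* 1 = uncompressed */
    int has_counts = 0;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + 12 * (size_t)i;
        uint32_t tag = rd(e, 2, le), type = rd(e + 2, 2, le);
        /* SHORT (3) and LONG (4) values are stored inline, left-justified. */
        uint32_t val = rd(e + 8, type == 3 ? 2 : 4, le);
        if (tag == 279) has_counts = 1;               /* StripByteCounts */
        if (type != 3 && type != 4) continue;         /* wrong type: ignore */
        if (tag == 257) rows = val;                   /* ImageLength */
        if (tag == 259) compression = val;            /* Compression */
    }
    *worst_alloc = 16 * (uint64_t)rows;
    return compression == 1 && !has_counts && rows > len;
}

/* Constructed sample: 26-byte file whose only tag is ImageLength = 201337417. */
const uint8_t sample_crafted[26] = {'I','I',42,0, 8,0,0,0, 1,0,
    0x01,0x01, 4,0, 1,0,0,0, 0x49,0x2A,0x00,0x0C, 0,0,0,0};

int main(void) {
    uint64_t a;
    int r = tiff_rows_implausible(sample_crafted, sizeof sample_crafted, &a);
    printf("implausible=%d worst_alloc=%llu\n", r, (unsigned long long)a);
    return 0;
}
```

A file flagged this way can be rejected or routed to a memory-limited worker; the check does not replace installing the fixed LibTIFF packages.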
Comment 1 Petr Gajdos 2018-06-04 15:16:51 UTC
Upstream bug:
http://bugzilla.maptools.org/show_bug.cgi?id=2724


BEFORE

12/tiff

$ ulimit -m 1000000
$ ulimit -v 1000000
$ tiff2pdf oom-libtiff2 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1124 (0x464) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61952 (0xf200) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 64256 (0xfb00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6656 (0x1a00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 48639 (0xbdff) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 6656"; tag ignored.
_TIFFVSetField: oom-libtiff2: Null count for "StripRowCounts" (type 4, writecount -1, passcount 1).
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
oom-libtiff2: Failed to allocate memory for for chopped "StripByteCounts" array (201337417 elements of 8 bytes each).
oom-libtiff2: Failed to allocate memory for for chopped "StripOffsets" array (201337417 elements of 8 bytes each).
TIFFVStripSize64: Integer overflow in TIFFVStripSize64.
TIFFReadDirectory: Cannot handle zero strip size.
tiff2pdf: Can't open input file oom-libtiff2 for reading.
$

When I do not set limits, tiff2pdf took approx. 3 seconds to bail out while allocating quite a lot of memory (see the upstream report).

11/tiff

$ tiff2pdf oom-libtiff2
TIFFReadDirectory: Warning, oom-libtiff2: wrong data type 16 for "ImageWidth"; tag ignored.
TIFFReadDirectory: Warning, oom-libtiff2: wrong data type 17 for "ImageLength"; tag ignored.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 1124 (0x464) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 61952 (0xf200) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 64256 (0xfb00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 6656 (0x1a00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 559 (0x22f) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 48639 (0xbdff) encountered.
MissingRequired: oom-libtiff2: TIFF directory is missing required "ImageLength" field.
tiff2pdf: Can't open input file oom-libtiff2 for reading.
$

No such issue observed here.


PATCH

https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8
https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be

11/tiff: the patch seems to fit there, too


AFTER

12/tiff

$ ulimit -v 1000000
$ ulimit -m 1000000
$ tiff2pdf oom-libtiff2 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1124 (0x464) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61952 (0xf200) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 64256 (0xfb00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6656 (0x1a00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 48639 (0xbdff) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 6656"; tag ignored.
_TIFFVSetField: oom-libtiff2: Null count for "StripRowCounts" (type 4, writecount -1, passcount 1).
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFVStripSize64: Integer overflow in TIFFVStripSize64.
TIFFReadDirectory: Cannot handle zero strip size.
tiff2pdf: Can't open input file oom-libtiff2 for reading.
$
[no out of memory error message anymore]

Even if running with memory bounds not set, program exits immediately.

11/tiff

$ tiff2pdf oom-libtiff2           
TIFFReadDirectory: Warning, oom-libtiff2: wrong data type 16 for "ImageWidth"; tag ignored.
TIFFReadDirectory: Warning, oom-libtiff2: wrong data type 17 for "ImageLength"; tag ignored.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 1124 (0x464) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 61952 (0xf200) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 64256 (0xfb00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 6656 (0x1a00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 559 (0x22f) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 48639 (0xbdff) encountered.
MissingRequired: oom-libtiff2: TIFF directory is missing required "ImageLength" field.
tiff2pdf: Can't open input file oom-libtiff2 for reading.
$
[no change]
Comment 2 Petr Gajdos 2018-06-04 15:17:22 UTC
Will submit for Tumbleweed, 15, 12, 11 and 10sp3.
Comment 5 Petr Gajdos 2018-06-06 11:32:17 UTC
This bug should be fixed by current submission.
Comment 7 Swamp Workflow Management 2018-06-19 12:14:30 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-07-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64065
Comment 8 Swamp Workflow Management 2018-06-27 16:10:24 UTC
SUSE-SU-2018:1826-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.9-44.15.2
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.9-44.15.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.9-44.15.2
Comment 9 Swamp Workflow Management 2018-06-28 13:08:51 UTC
openSUSE-SU-2018:1834-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.9-31.1
Comment 10 Swamp Workflow Management 2018-06-28 13:11:34 UTC
SUSE-SU-2018:1835-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1011839,1011846,1017689,1017690,1019611,1031263,1082332,1082825,1086408,974621
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-10266,CVE-2016-3632,CVE-2016-5318,CVE-2016-8331,CVE-2016-9535,CVE-2016-9540,CVE-2017-11613,CVE-2017-5225,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.9.1
Comment 11 Swamp Workflow Management 2018-07-05 10:17:10 UTC
SUSE-SU-2018:1889-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074317,1082332,1082825,1086408,1092949
CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    tiff-4.0.9-5.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    tiff-4.0.9-5.9.1
Comment 12 Swamp Workflow Management 2018-07-13 22:09:33 UTC
openSUSE-SU-2018:1956-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074317,1082332,1082825,1086408,1092949
CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
openSUSE Leap 15.0 (src):    tiff-4.0.9-lp150.4.3.1
Comment 13 Marcus Meissner 2019-01-14 10:18:40 UTC
released