Bugzilla – Bug 1082332
VUL-1: CVE-2017-11613: tiff: denial of service in TIFFOpen function
Last modified: 2019-01-14 10:18:40 UTC
CVE-2017-11613

In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11613
https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f
Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2724

BEFORE

12/tiff

$ ulimit -m 1000000
$ ulimit -v 1000000
$ tiff2pdf oom-libtiff2
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1124 (0x464) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61952 (0xf200) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 64256 (0xfb00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6656 (0x1a00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 48639 (0xbdff) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 6656"; tag ignored.
_TIFFVSetField: oom-libtiff2: Null count for "StripRowCounts" (type 4, writecount -1, passcount 1).
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
oom-libtiff2: Failed to allocate memory for for chopped "StripByteCounts" array (201337417 elements of 8 bytes each).
oom-libtiff2: Failed to allocate memory for for chopped "StripOffsets" array (201337417 elements of 8 bytes each).
TIFFVStripSize64: Integer overflow in TIFFVStripSize64.
TIFFReadDirectory: Cannot handle zero strip size.
tiff2pdf: Can't open input file oom-libtiff2 for reading.
$

When I do not set limits, tiff2pdf took approx. 3 seconds to bail out while allocating quite a lot of memory (see the upstream report).

11/tiff

$ tiff2pdf oom-libtiff2
TIFFReadDirectory: Warning, oom-libtiff2: wrong data type 16 for "ImageWidth"; tag ignored.
TIFFReadDirectory: Warning, oom-libtiff2: wrong data type 17 for "ImageLength"; tag ignored.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 1124 (0x464) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 61952 (0xf200) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 64256 (0xfb00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 6656 (0x1a00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 559 (0x22f) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 48639 (0xbdff) encountered.
MissingRequired: oom-libtiff2: TIFF directory is missing required "ImageLength" field.
tiff2pdf: Can't open input file oom-libtiff2 for reading.
$

No such issue observed here.

PATCH

https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8
https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be

11/tiff: the patch seems to fit there, too

AFTER

12/tiff

$ ulimit -v 1000000
$ ulimit -m 1000000
$ tiff2pdf oom-libtiff2
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1124 (0x464) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61952 (0xf200) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 64256 (0xfb00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6656 (0x1a00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 48639 (0xbdff) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 6656"; tag ignored.
_TIFFVSetField: oom-libtiff2: Null count for "StripRowCounts" (type 4, writecount -1, passcount 1).
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFVStripSize64: Integer overflow in TIFFVStripSize64.
TIFFReadDirectory: Cannot handle zero strip size.
tiff2pdf: Can't open input file oom-libtiff2 for reading.
$
[no out of memory error message anymore]

Even if running with memory bounds not set, program exits immediately.

11/tiff

$ tiff2pdf oom-libtiff2
TIFFReadDirectory: Warning, oom-libtiff2: wrong data type 16 for "ImageWidth"; tag ignored.
TIFFReadDirectory: Warning, oom-libtiff2: wrong data type 17 for "ImageLength"; tag ignored.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 1124 (0x464) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 61952 (0xf200) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 64256 (0xfb00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 6656 (0x1a00) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 559 (0x22f) encountered.
TIFFReadDirectory: Warning, oom-libtiff2: unknown field with tag 48639 (0xbdff) encountered.
MissingRequired: oom-libtiff2: TIFF directory is missing required "ImageLength" field.
tiff2pdf: Can't open input file oom-libtiff2 for reading.
$
[no change]
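
Added example, not libtiff code and not the upstream patch: a stand-alone C check that compares the strip count implied by the directory with what the file can actually hold, before the two arrays of 8-byte entries named in the log above are sized. The function names, RowsPerStrip = 1 and the 4096-byte file size are assumptions; the strip count 201337417 is taken from the "Failed to allocate memory" lines.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration; hypothetical names, not libtiff's API. */
#define ENTRY_SIZE 8u /* bytes per StripByteCounts / StripOffsets entry */

/* Strips a single uncompressed strip is chopped into (rounded up). */
static uint64_t chopped_strips(uint32_t image_length, uint32_t rows_per_strip)
{
    if (rows_per_strip == 0)
        return 0;
    return (uint64_t)image_length / rows_per_strip +
           (image_length % rows_per_strip != 0);
}

/* Memory the two chopped arrays would need, in bytes. */
uint64_t strip_array_bytes(uint32_t image_length, uint32_t rows_per_strip)
{
    return 2u * (uint64_t)ENTRY_SIZE * chopped_strips(image_length, rows_per_strip);
}

/* 1 if the claimed strips fit between data_offset and end of file, else 0. */
int strip_arrays_plausible(uint32_t image_length, uint32_t rows_per_strip,
                           uint64_t bytes_per_strip, uint64_t data_offset,
                           uint64_t file_size)
{
    uint64_t n = chopped_strips(image_length, rows_per_strip);
    if (n == 0 || bytes_per_strip == 0 || data_offset >= file_size)
        return 0;
    /* Divide instead of multiplying so the comparison cannot overflow. */
    return n <= (file_size - data_offset) / bytes_per_strip;
}

int main(void)
{
    /* Constructed inputs: strip count from the log, 4096-byte file assumed. */
    printf("crafted: %llu bytes requested, plausible=%d\n",
           (unsigned long long)strip_array_bytes(201337417u, 1u),
           strip_arrays_plausible(201337417u, 1u, 1u, 8u, 4096u));
    /* Constructed well-formed image: 480 rows, 16 rows/strip, 640 bytes/row. */
    printf("normal:  %llu bytes requested, plausible=%d\n",
           (unsigned long long)strip_array_bytes(480u, 16u),
           strip_arrays_plausible(480u, 16u, 10240u, 8u, 307208u));
    return 0;
}
```

With the constructed inputs, the crafted directory asks for about 3.2 GB of array space from a 4 KiB file and is rejected before any allocation, while the well-formed image passes.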
Will submit for Tumbleweed, 15, 12, 11 and 10sp3.
This bug should be fixed by current submission.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-07-03. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64065
SUSE-SU-2018:1826-1: An update that fixes 8 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): tiff-4.0.9-44.15.2
SUSE Linux Enterprise Server 12-SP3 (src): tiff-4.0.9-44.15.2
SUSE Linux Enterprise Desktop 12-SP3 (src): tiff-4.0.9-44.15.2

openSUSE-SU-2018:1834-1: An update that fixes 8 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
openSUSE Leap 42.3 (src): tiff-4.0.9-31.1

SUSE-SU-2018:1835-1: An update that fixes 13 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1007276,1011839,1011846,1017689,1017690,1019611,1031263,1082332,1082825,1086408,974621
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-10266,CVE-2016-3632,CVE-2016-5318,CVE-2016-8331,CVE-2016-9535,CVE-2016-9540,CVE-2017-11613,CVE-2017-5225,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.9.1

SUSE-SU-2018:1889-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1074317,1082332,1082825,1086408,1092949
CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src): tiff-4.0.9-5.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src): tiff-4.0.9-5.9.1

openSUSE-SU-2018:1956-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1074317,1082332,1082825,1086408,1092949
CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
openSUSE Leap 15.0 (src): tiff-4.0.9-lp150.4.3.1

released