Bug 1071031 - (CVE-2017-17095) VUL-0: CVE-2017-17095: tiff: tools/pal2rgb.c in pal2rgb allows remote attackers to cause DoS (TIFFSetupStrips heap-based buffer overflow and application crash)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/196082/
Whiteboard: CVSSv2:SUSE:CVE-2017-17095:5.1:(AV:N...
Reported: 2017-12-04 12:15 UTC by Johannes Segitz
Modified: 2022-06-10 10:30 UTC (History)
CC: 7 users

Found By: Security Response Team
Attachments:
Reproducer (9.44 KB, image/tiff), 2017-12-04 12:15 UTC, Johannes Segitz

Description Johannes Segitz 2017-12-04 12:15:55 UTC
Created attachment 751259 (Reproducer)

CVE-2017-17095

tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a
denial of service (TIFFSetupStrips heap-based buffer overflow and application
crash) or possibly have unspecified other impact via a crafted TIFF file.

pal2rgb poc.tiff /dev/null

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17095
http://seclists.org/oss-sec/2017/q4/346
http://www.openwall.com/lists/oss-security/2017/11/30/3
http://www.cvedetails.com/cve/CVE-2017-17095/
http://bugzilla.maptools.org/show_bug.cgi?id=2750
Comment 1 Johannes Segitz 2017-12-04 12:18:50 UTC
Triggers on SLE 12, not on SLE 11
Comment 2 Petr Gajdos 2018-08-24 11:48:22 UTC
I will propose pal2rgb binary removal from Tumbleweed, given that there has been no update in the upstream bug for nearly one year.

4.0.9

$ valgrind -q pal2rgb poc.tiff output
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
JPEGLib: Not a JPEG file: starts with 0xd5 0xc6.
==13093== Use of uninitialised value of size 8
==13093==    at 0x109A0F: main (pal2rgb.c:196)
==13093== 
==13093== Use of uninitialised value of size 8
==13093==    at 0x109A1F: main (pal2rgb.c:197)
==13093== 
==13093== Use of uninitialised value of size 8
==13093==    at 0x109A2F: main (pal2rgb.c:198)
==13093== 
==13093== Invalid write of size 1
==13093==    at 0x109A13: main (pal2rgb.c:196)
==13093==  Address 0x622ca81 is 0 bytes after a block of size 225 alloc'd
==13093==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13093==    by 0x1095B1: main (pal2rgb.c:188)
==13093== 
==13093== Invalid write of size 1
==13093==    at 0x109A23: main (pal2rgb.c:197)
==13093==  Address 0x622ca82 is 1 bytes after a block of size 225 alloc'd
==13093==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13093==    by 0x1095B1: main (pal2rgb.c:188)
==13093== 
==13093== Invalid write of size 1
==13093==    at 0x109A33: main (pal2rgb.c:198)
==13093==  Address 0x622ca83 is 2 bytes after a block of size 225 alloc'd
==13093==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13093==    by 0x1095B1: main (pal2rgb.c:188)
==13093== 
==13093== Invalid read of size 16
==13093==    at 0x58BDBF2: ??? (in /usr/lib64/libjpeg.so.8.1.2)
==13093==  Address 0x622ca80 is 224 bytes inside a block of size 225 alloc'd
==13093==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13093==    by 0x1095B1: main (pal2rgb.c:188)
==13093== 
==13093== Invalid read of size 16
==13093==    at 0x58BDBE9: ??? (in /usr/lib64/libjpeg.so.8.1.2)
==13093==  Address 0x622ca90 is 15 bytes after a block of size 225 alloc'd
==13093==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13093==    by 0x1095B1: main (pal2rgb.c:188)
==13093== 
[..]
$

3.8.2

$ valgrind -q pal2rgb poc.tiff out
TIFFReadDirectory: Warning, poc.tiff: wrong data type 1 for "StripOffsets"; tag ignored.
MissingRequired: poc.tiff: TIFF directory is missing required "StripOffsets" field.
$
Comment 3 Petr Gajdos 2018-08-24 13:41:08 UTC
The question is why TIFFScanlineSize(out) returns less than 3*imagewidth, as the rest of pal2rgb assumes.

Breakpoint 2, main (argc=3, argv=0x7fffffffe8a8) at pal2rgb.c:187
187		  ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
(gdb) call TIFFScanlineSize(in)
$7 = 150
(gdb) n
188		  obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
(gdb) call TIFFScanlineSize(out)
$8 = 225
(gdb)

The following code has the influence, because the TIFFScanlineSize() value depends on the photometric content (TIFFTAG_PHOTOMETRIC):

        case COMPRESSION_JPEG:
                if (jpegcolormode == JPEGCOLORMODE_RGB)
                        photometric = PHOTOMETRIC_YCBCR;
                else
                        photometric = PHOTOMETRIC_RGB;
                TIFFSetField(out, TIFFTAG_JPEGQUALITY, quality);
                TIFFSetField(out, TIFFTAG_JPEGCOLORMODE, jpegcolormode);
                break;

When photometric is set to PHOTOMETRIC_YCBCR, the value of TIFFScanlineSize(out) is 225 in this case. When set to PHOTOMETRIC_RGB, the value of TIFFScanlineSize(out) is 450, i.e. 3*TIFFScanlineSize(in), which would suffice.
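The 225-byte figure from the gdb session above, as an added illustration (not code from libtiff or from this bug's comments): the model below recomputes the scanline size for contiguous 8-bit YCbCr with chroma subsampling the way the editor reads libtiff's TIFFScanlineSize() (an assumption), and applies the size check that would reject an obuf too small for the 3-bytes-per-pixel copy loop before it runs. The width of 150 and the 2x2 subsampling (the TIFF default) are constructed to match the numbers in this comment.

```c
/* Added illustration, not libtiff's own code: why pal2rgb's output scanline
 * buffer is too small once the output is JPEG-compressed YCbCr. The YCbCr
 * formula follows libtiff's TIFFScanlineSize() handling of contiguous 3-sample
 * YCbCr with chroma subsampling, as the editor reads it (assumption); the guard
 * encodes the "3 output bytes per input byte" expectation of pal2rgb's copy
 * loop and is not the upstream patch itself. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define HOWMANY(x, y) (((x) + ((y) - 1)) / (y))

/* Scanline size of a contiguous YCbCr image with h x v chroma subsampling:
 * each sampling block carries h*v Y samples plus one Cb and one Cr; a row of
 * blocks covers v image rows, so the per-scanline share is row bytes / v. */
uint64_t ycbcr_scanline_size(uint32_t width, uint16_t hsub, uint16_t vsub, uint16_t bps) {
    uint64_t block_samples = (uint64_t)hsub * vsub + 2;
    uint64_t blocks_hor = HOWMANY((uint64_t)width, hsub);
    uint64_t row_bytes = HOWMANY(blocks_hor * block_samples * bps, 8);
    return row_bytes / vsub;
}

/* Plain contiguous RGB: three samples per pixel, no subsampling. */
uint64_t rgb_scanline_size(uint32_t width, uint16_t bps) {
    return HOWMANY((uint64_t)width * 3 * bps, 8);
}

/* pal2rgb expands every 8-bit palette index into R, G and B: 3 bytes per input byte. */
uint64_t bytes_written_per_row(uint64_t in_scanline) { return in_scanline * 3; }

/* Guard to apply before allocating obuf: returns 1 when the copy loop stays
 * inside an output buffer of out_scanline bytes, 0 when it would overflow. */
int output_buffer_is_safe(uint64_t out_scanline, uint64_t in_scanline) {
    return in_scanline > 0 && out_scanline / in_scanline >= 3;
}

int main(void) {
    uint32_t width = 150;   /* constructed to match the gdb figures (TIFFScanlineSize(in) = 150) */
    uint64_t in_sz = width; /* 8-bit palette image: one byte per pixel */
    uint64_t rgb = rgb_scanline_size(width, 8);
    uint64_t ycc = ycbcr_scanline_size(width, 2, 2, 8); /* TIFF default 2x2 subsampling */
    printf("copy loop writes %" PRIu64 " bytes per row\n", bytes_written_per_row(in_sz));
    printf("PHOTOMETRIC_RGB   obuf = %" PRIu64 " bytes, safe=%d\n", rgb, output_buffer_is_safe(rgb, in_sz));
    printf("PHOTOMETRIC_YCBCR obuf = %" PRIu64 " bytes, safe=%d\n", ycc, output_buffer_is_safe(ycc, in_sz));
    return 0;
}
```

The YCbCr case yields 225 bytes against 450 written, which is exactly the "0 bytes after a block of size 225" that valgrind reports at pal2rgb.c:196.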
Comment 6 Alexandros Toptsoglou 2019-11-14 16:31:59 UTC
Tracked here https://gitlab.com/libtiff/libtiff/issues/111

workaround at https://gitlab.com/libtiff/libtiff/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655
The bug reference is mentioned in the comments.
The issue is still open.
Comment 7 ni yingjun 2020-11-24 01:30:00 UTC
Hi Support,
I have a customer who is focused on this CVE.
I don't see any information about this CVE for SLES12 SP5 on https://www.suse.com/security/cve/.
Is SLES12 SP5 affected by this CVE? Is there a plan to merge it into SLES12 SP5?

Thanks.
Comment 8 Alexandros Toptsoglou 2020-11-24 09:19:53 UTC
Fix at [1]. Tracked SLE12 (including SLE12-SP5) and SLE15 as affected.

[1] https://gitlab.com/libtiff/libtiff/-/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655
Comment 11 Michael Vetter 2022-02-02 14:18:57 UTC
submitted
Comment 12 Swamp Workflow Management 2022-02-18 14:34:37 UTC
SUSE-SU-2022:0496-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1071031,1154365,1182808,1182809,1182811,1182812,1190312,1194539
CVE References: CVE-2017-17095,CVE-2019-17546,CVE-2020-19131,CVE-2020-35521,CVE-2020-35522,CVE-2020-35523,CVE-2020-35524,CVE-2022-22844
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    tiff-4.0.9-44.45.1
SUSE OpenStack Cloud Crowbar 8 (src):    tiff-4.0.9-44.45.1
SUSE OpenStack Cloud 9 (src):    tiff-4.0.9-44.45.1
SUSE OpenStack Cloud 8 (src):    tiff-4.0.9-44.45.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    tiff-4.0.9-44.45.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    tiff-4.0.9-44.45.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    tiff-4.0.9-44.45.1
SUSE Linux Enterprise Server 12-SP5 (src):    tiff-4.0.9-44.45.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    tiff-4.0.9-44.45.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    tiff-4.0.9-44.45.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    tiff-4.0.9-44.45.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    tiff-4.0.9-44.45.1
HPE Helion Openstack 8 (src):    tiff-4.0.9-44.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Carlos López 2022-06-10 10:30:14 UTC
Done, closing.