Bug 1040322 - (CVE-2017-9147) VUL-1: CVE-2017-9147: tiff: Invalid read in the _TIFFVGetField function in tif_dir.c, allows remote attackers to cause DoS via acrafted TIFF file
(CVE-2017-9147)
VUL-1: CVE-2017-9147: tiff: Invalid read in the _TIFFVGetField function in ti...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/185710/
CVSSv3:SUSE:CVE-2017-9147:5.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-23 09:01 UTC by Johannes Segitz
Modified: 2019-01-14 09:42 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
_TIFFVGetField (226 bytes, application/octet-stream)
2018-01-25 12:32 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-05-23 09:01:44 UTC
CVE-2017-9147

LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c,
which might allow remote attackers to cause a denial of service (crash) via a
crafted TIFF file.

Details and reproducer in http://bugzilla.maptools.org/show_bug.cgi?id=2693

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9147
http://www.cvedetails.com/cve/CVE-2017-9147/
http://bugzilla.maptools.org/show_bug.cgi?id=2693
Comment 1 gm chen 2018-01-18 04:04:05 UTC
hi
  This issue have anyone to handle it? 
thanks
Comment 2 Marcus Meissner 2018-01-25 12:30:33 UTC
This is fixed in 4.0.9 release.
Comment 3 Marcus Meissner 2018-01-25 12:32:09 UTC
Created attachment 757613 [details]
_TIFFVGetField

QA REPRODUCER:

valgrind tiffsplit _TIFFVGetField

should not report uninitialized reads
Comment 4 Petr Gajdos 2018-11-14 13:59:27 UTC
For example, with 4.0.7:

$ tiffsplit _TIFFVGetField
[..]
=================================================================
==2759==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f772f8ae5ed bp 0x7fff4b534320 sp 0x7fff4b5342c0 T0)
==2759==The signal is caused by a WRITE memory access.
==2759==Hint: address points to the zero page.
    #0 0x7f772f8ae5ec in _TIFFVGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1080
    #1 0x7f772f947641 in OJPEGVGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_ojpeg.c:518
    #2 0x7f772f8afd17 in TIFFVGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1198
    #3 0x7f772f8afb8d in TIFFGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1182
    #4 0x55788fa53003 in tiffcp /usr/src/debug/tiff-4.0.7-0.x86_64/tools/tiffsplit.c:217
    #5 0x55788fa515fe in main /usr/src/debug/tiff-4.0.7-0.x86_64/tools/tiffsplit.c:89
    #6 0x7f772e65bfea in __libc_start_main (/lib64/libc.so.6+0x22fea)
    #7 0x55788fa512e9  (/usr/bin/tiffsplit+0x22e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1080 in _TIFFVGetField
[..]
$

4.0.10, 4.0.9

No such invalid access.

3.8.2

$ valgrind -q tiffsplit _TIFFVGetField
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 6934 (0x1b16) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 60737 (0xed41) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 24 (0x18) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 771 (0x303) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 571 (0x23b) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: wrong data type 1 for "StripOffsets"; tag ignored.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 4386 (0x1122) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 2051 (0x803) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 16384 (0x4000) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 326 (0x146) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 511 (0x1ff) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 27905 (0x6d01) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 433 (0x1b1) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 28956 (0x711c) encountered.
MissingRequired: _TIFFVGetField: TIFF directory is missing required "StripOffsets" field.
$
Comment 5 Petr Gajdos 2018-11-14 14:03:21 UTC
https://gitlab.com/libtiff/libtiff/commit/6281927e03aed3fdaac4c25e1cd1a5ff7232bcd8

Upstream bug number 2693 is listed there (see bug 960341 for details and upstream bug number 2580 for details). We are fixing it already with 
tiff-CVE-2014-8128,CVE-2015-7554,CVE-2016-5318,10095,8331,3632.patch
Comment 6 Petr Gajdos 2018-11-14 14:04:45 UTC
Will submit rpm changelog modfifications for 11/tiff and 10sp3/tiff.
Comment 7 Petr Gajdos 2018-11-14 14:21:24 UTC
I believe all fixed.
Comment 10 Swamp Workflow Management 2018-11-23 20:12:12 UTC
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440
CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.22.1
Comment 11 Swamp Workflow Management 2018-12-11 10:04:49 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64180
Comment 12 Marcus Meissner 2019-01-14 09:42:51 UTC
released