Bugzilla – Bug 1040322
VUL-1: CVE-2017-9147: tiff: Invalid read in the _TIFFVGetField function in tif_dir.c, allows remote attackers to cause DoS via a crafted TIFF file
Last modified: 2019-01-14 09:42:51 UTC
CVE-2017-9147 LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service (crash) via a crafted TIFF file.

Details and reproducer in http://bugzilla.maptools.org/show_bug.cgi?id=2693

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9147
http://www.cvedetails.com/cve/CVE-2017-9147/
http://bugzilla.maptools.org/show_bug.cgi?id=2693
Hi, does anyone handle this issue? Thanks.
This is fixed in 4.0.9 release.
Created attachment 757613: _TIFFVGetField

QA REPRODUCER: valgrind tiffsplit _TIFFVGetField should not report uninitialized reads
For example, with 4.0.7:

$ tiffsplit _TIFFVGetField
[..]
=================================================================
==2759==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f772f8ae5ed bp 0x7fff4b534320 sp 0x7fff4b5342c0 T0)
==2759==The signal is caused by a WRITE memory access.
==2759==Hint: address points to the zero page.
    #0 0x7f772f8ae5ec in _TIFFVGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1080
    #1 0x7f772f947641 in OJPEGVGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_ojpeg.c:518
    #2 0x7f772f8afd17 in TIFFVGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1198
    #3 0x7f772f8afb8d in TIFFGetField /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1182
    #4 0x55788fa53003 in tiffcp /usr/src/debug/tiff-4.0.7-0.x86_64/tools/tiffsplit.c:217
    #5 0x55788fa515fe in main /usr/src/debug/tiff-4.0.7-0.x86_64/tools/tiffsplit.c:89
    #6 0x7f772e65bfea in __libc_start_main (/lib64/libc.so.6+0x22fea)
    #7 0x55788fa512e9 (/usr/bin/tiffsplit+0x22e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/src/debug/tiff-4.0.7-0.x86_64/libtiff/tif_dir.c:1080 in _TIFFVGetField
[..]
$

4.0.10, 4.0.9
No such invalid access.

3.8.2
$ valgrind -q tiffsplit _TIFFVGetField
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 6934 (0x1b16) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 60737 (0xed41) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 24 (0x18) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 771 (0x303) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 571 (0x23b) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: wrong data type 1 for "StripOffsets"; tag ignored.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 4386 (0x1122) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 2051 (0x803) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 16384 (0x4000) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 326 (0x146) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 511 (0x1ff) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 27905 (0x6d01) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 433 (0x1b1) encountered.
TIFFReadDirectory: Warning, _TIFFVGetField: unknown field with tag 28956 (0x711c) encountered.
MissingRequired: _TIFFVGetField: TIFF directory is missing required "StripOffsets" field.
$
https://gitlab.com/libtiff/libtiff/commit/6281927e03aed3fdaac4c25e1cd1a5ff7232bcd8

Upstream bug number 2693 is listed there (see bug 960341 for details and upstream bug number 2580 for details).

We are fixing it already with tiff-CVE-2014-8128,CVE-2015-7554,CVE-2016-5318,10095,8331,3632.patch
Will submit rpm changelog modifications for 11/tiff and 10sp3/tiff.
I believe all fixed.
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440
CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661

Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.22.1
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64180
released