Bugzilla – Bug 1099257
VUL-0: CVE-2018-12900: tiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf
Last modified: 2019-02-12 15:20:07 UTC
Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file. http://bugzilla.maptools.org/show_bug.cgi?id=2798
Created attachment 775382
poc2

QA REPRODUCER:
valgrind tiffcp -i poc2 result.tif
should not crash
should not report "Invalid write of size 1"
BEFORE

3.8.2 (11,10sp3)
4.0.9 (TW,15,12)

$ gdb -q --args tiffcp -i poc2 output.tiff
(gdb) run
[...]
DumpModeDecode: Not enough data for scanline 0, expected a request for at most 152 bytes, got a request for 4195328 bytes.

Program received signal SIGSEGV, Segmentation fault.
0x0000555555559094 in cpSeparateBufToContigBuf (bytes_per_sample=4097, spp=1024, inskew=0, outskew=<optimized out>, cols=1024, rows=0, in=0x7ffff5d74803 "", out=0x7ffff6974001 "ELF\002\001\001") at tiffcp.c:1228
1228            *out++ = *in++;
(gdb) bt
#0  0x0000555555559094 in cpSeparateBufToContigBuf (bytes_per_sample=4097, spp=1024, inskew=0, outskew=<optimized out>, cols=1024, rows=0, in=0x7ffff5d74803 "", out=0x7ffff6974001 "ELF\002\001\001") at tiffcp.c:1228
#1  readSeparateTilesIntoBuffer (in=0x55555575d940, buf=<optimized out>, imagelength=2, imagewidth=1, spp=1024) at tiffcp.c:1458
#2  0x0000555555558a33 in cpImage (in=0x55555575d940, out=0x55555575d010, fin=0x555555558cd0 <readSeparateTilesIntoBuffer>, fout=0x555555559450 <writeBufferToSeparateTiles>, imagelength=2, imagewidth=1, spp=1024) at tiffcp.c:1253
#3  0x0000555555558b73 in cpSeparateTiles2SeparateTiles (in=<optimized out>, out=<optimized out>, imagelength=<optimized out>, imagewidth=<optimized out>, spp=<optimized out>) at tiffcp.c:1747
#4  0x000055555555675f in tiffcp (out=0x55555575d010, in=0x55555575d940) at tiffcp.c:814
#5  main (argc=4, argv=0x7fffffffe858) at tiffcp.c:303
$

There's no reaction from the upstream side so far. I have commented in the upstream bug.
One idea: this seems to be a consequence of the -i option of tiffcp. I would question whether it would be a good idea to just remove that option from the tiff tools.
I doubt any of our customers use the tools with -i; this lessens the impact of these issues. For reproducibility it should probably stay.
Perhaps -i could be removed from the next tiff version; I have asked upstream to consider that.
Still no reaction in upstream bug.
https://gitlab.com/libtiff/libtiff/merge_requests/44
AFTER

4.0.9
3.8.2

$ tiffcp -i poc2 output.tiff
[..]
poc2: Error, either TileWidth (4195328) or BitsPerSample (32776) is too large.
$
(In reply to Petr Gajdos from comment #8)
> AFTER
>
> 4.0.9
> 3.8.2
4.0.10
> $ tiffcp -i poc2 output.tiff
> [..]
> poc2: Error, either TileWidth (4195328) or BitsPerSample (32776) is too
> large.
> $
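The fixed versions above refuse the file before any tile buffer is sized, because the declared TileWidth and BitsPerSample would make the buffer-size arithmetic wrap and the later plane-to-pixel copy walk past the heap allocation. The following is an added illustration in plain C of that defensive pattern, not libtiff's code and not the contents of the merge request linked above. The function names, the 256 MiB policy limit, the upper bound of 64 bits per sample and the 2x1 RGB sample tile are all assumptions constructed for the example; the only values taken from this bug are the TileWidth and BitsPerSample figures from the error message.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical policy limit for a single decoded tile; libtiff's real
 * limits and helper names differ and are not reproduced here. */
#define MAX_TILE_BYTES ((size_t)256u * 1024u * 1024u)

/* Multiply two size_t values, reporting overflow instead of wrapping. */
static int mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Bytes needed for one contiguous tile of the given geometry. Returns 1 and
 * stores the size, or 0 if a field is zero, BitsPerSample is implausible,
 * the product overflows, or the result exceeds the policy limit. */
int tile_buffer_size(uint32_t tilewidth, uint32_t tilelength,
                     uint16_t spp, uint16_t bitspersample, size_t *bytes) {
    size_t bps, pixels, samples, total;
    if (tilewidth == 0 || tilelength == 0 || spp == 0 || bitspersample == 0) return 0;
    if (bitspersample > 64) return 0;          /* assumed ceiling: no 8+ byte samples */
    bps = ((size_t)bitspersample + 7) / 8;     /* round bits up to whole bytes */
    if (!mul_checked(tilewidth, tilelength, &pixels)) return 0;
    if (!mul_checked(pixels, spp, &samples)) return 0;
    if (!mul_checked(samples, bps, &total)) return 0;
    if (total > MAX_TILE_BYTES) return 0;
    *bytes = total;
    return 1;
}

/* Convenience wrapper: returns the size, or 0 when the geometry is rejected. */
size_t tile_bytes_or_zero(uint32_t w, uint32_t h, uint16_t spp, uint16_t bps) {
    size_t n;
    return tile_buffer_size(w, h, spp, bps, &n) ? n : 0;
}

/* Interleave spp separate planes (each rows*cols samples) into one contiguous
 * pixel buffer. Both buffer lengths are passed explicitly and checked against
 * the geometry before a single byte is written, so an oversized header field
 * yields a refusal rather than an out-of-bounds write. */
int separate_to_contig(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_len,
                       uint32_t cols, uint32_t rows,
                       uint16_t spp, uint16_t bytes_per_sample) {
    size_t need, plane, r, c, s;
    if (bytes_per_sample == 0 || bytes_per_sample > 8) return 0;
    if (!tile_buffer_size(cols, rows, spp, (uint16_t)(bytes_per_sample * 8), &need)) return 0;
    if (in_len < need || out_len < need) return 0;
    plane = (size_t)cols * rows * bytes_per_sample;   /* cannot overflow: need did not */
    for (r = 0; r < rows; r++) {
        for (c = 0; c < cols; c++) {
            size_t p = r * (size_t)cols + c;
            for (s = 0; s < spp; s++)
                memcpy(out + (p * spp + s) * bytes_per_sample,
                       in + s * plane + p * bytes_per_sample,
                       bytes_per_sample);
        }
    }
    return 1;
}

/* Self-check on a constructed 2x1 RGB tile stored as three planes.
 * Returns 1 when the copy is correct and an undersized output is refused. */
int demo_interleave(void) {
    static const uint8_t planes[6] = {1, 2, 3, 4, 5, 6}; /* R R | G G | B B */
    static const uint8_t want[6]   = {1, 3, 5, 2, 4, 6}; /* RGB RGB */
    uint8_t out[6] = {0};
    if (!separate_to_contig(planes, sizeof planes, out, sizeof out, 2, 1, 3, 1)) return 0;
    if (memcmp(out, want, sizeof want) != 0) return 0;
    if (separate_to_contig(planes, sizeof planes, out, 5, 2, 1, 3, 1)) return 0;
    return 1;
}

int main(void) {
    /* The TileWidth and BitsPerSample values from this bug's error message. */
    if (tile_bytes_or_zero(4195328u, 1, 1, 32776u) == 0)
        puts("rejected: TileWidth or BitsPerSample is too large");
    printf("256x256 RGB8 tile needs %zu bytes\n", tile_bytes_or_zero(256, 256, 3, 8));
    printf("interleave self-check: %s\n", demo_interleave() ? "ok" : "FAILED");
    return 0;
}
```

The point of the two-layer design is that the copy routine never trusts geometry it did not recompute itself: even if a caller allocated a buffer from the unchecked header fields, separate_to_contig re-derives the required size with overflow-safe arithmetic and refuses when either buffer is shorter than that.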
Will submit for TW,15,12,11,10sp3/tiff.
I believe all fixed.
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440
CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.22.1

SUSE-SU-2018:3911-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): tiff-4.0.9-44.27.1
SUSE Linux Enterprise Server 12-SP3 (src): tiff-4.0.9-44.27.1
SUSE Linux Enterprise Desktop 12-SP3 (src): tiff-4.0.9-44.27.1

SUSE-SU-2018:3925-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src): tiff-4.0.9-5.17.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): tiff-4.0.9-5.17.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): tiff-4.0.9-5.17.1
SUSE Linux Enterprise Module for Basesystem 15 (src): tiff-4.0.9-5.17.1
done
openSUSE-SU-2018:3947-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
openSUSE Leap 42.3 (src): tiff-4.0.9-40.1

openSUSE-SU-2018:3948-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
openSUSE Leap 15.0 (src): tiff-4.0.9-lp150.4.9.1

SUSE-SU-2018:3911-2: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1099257,1113094,1113672
CVE References: CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): tiff-4.0.9-44.27.1
SUSE Linux Enterprise Server 12-SP4 (src): tiff-4.0.9-44.27.1
SUSE Linux Enterprise Desktop 12-SP4 (src): tiff-4.0.9-44.27.1
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64180
This is an autogenerated message for OBS integration: This bug (1099257) was mentioned in https://build.opensuse.org/request/show/671132 Factory / tiff
Just for the record: Upstream might take
https://gitlab.com/libtiff/libtiff/merge_requests/60
instead of
https://gitlab.com/libtiff/libtiff/merge_requests/44.
Request 60 is also needed for:
http://bugzilla.maptools.org/show_bug.cgi?id=2833
bsc#1125113
So we have both.
This is an autogenerated message for OBS integration: This bug (1099257) was mentioned in https://build.opensuse.org/request/show/674138 Factory / tiff