Bug 1082825 - (CVE-2018-7456) VUL-0: CVE-2018-7456: tiff: A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/200816/
CVSSv3:SUSE:CVE-2018-7456:5.5:(AV:L/A...
Reported: 2018-02-26 12:16 UTC by Karol Babioch
Modified: 2019-03-28 07:53 UTC
Found By: Security Response Team

Attachments
Reproducer (474.82 KB, image/tiff)
2018-02-26 12:18 UTC, Karol Babioch
Description Karol Babioch 2018-02-26 12:16:17 UTC
CVE-2018-7456

A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in
tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF
information, a different vulnerability than CVE-2017-18013. (This affects an
earlier part of the TIFFPrintDirectory function that was not addressed by the
CVE-2017-18013 patch.)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7456
http://www.cvedetails.com/cve/CVE-2018-7456/
http://bugzilla.maptools.org/show_bug.cgi?id=2778
https://github.com/xiaoqx/pocs/tree/master/libtiff
Comment 1 Karol Babioch 2018-02-26 12:18:08 UTC
Created attachment 761701
Reproducer
Comment 2 Karol Babioch 2018-02-26 12:18:20 UTC
% tiffinfo -c 1-tiffinfo-c-null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54034 (0xd312) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
TIFF Directory at offset 0x767fe (485374)
  Image Width: 1024 Image Length: 768
  Resolution: 2, 0 (unitless)
  Bits/Sample: 8
  Compression Scheme: LZW
  Photometric Interpretation: RGB color
  Samples/Pixel: 4
  Planar Configuration: single image plane
  Transfer Function: 
[1]    15123 segmentation fault (core dumped)  tiffinfo -c 1-tiffinfo-c-null
Comment 3 Karol Babioch 2018-02-26 12:25:45 UTC
Probably all codestreams are affected: The POC triggers on SLE11SP4 (3.8.2) and openSUSE 42.3 (4.0.9) for me, but not on SLE12SP3 (4.0.9).
Comment 4 Petr Gajdos 2018-06-04 13:06:37 UTC
BEFORE

devel,12,11/tiff

$ tiffinfo -c 1-tiffinfo-c-null 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54034 (0xd312) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
TIFF Directory at offset 0x767fe (485374)
  Image Width: 1024 Image Length: 768
  Resolution: 2, 0 (unitless)
  Bits/Sample: 8
  Compression Scheme: LZW
  Photometric Interpretation: RGB color
  Samples/Pixel: 4
  Planar Configuration: single image plane
  Transfer Function: 
Segmentation fault (core dumped)
$

PATCH

https://gitlab.com/libtiff/libtiff/commit/be4c85b16e8801a16eec25e80eb9f3dd6a96731b


AFTER

devel,12,11/tiff

$ tiffinfo -c 1-tiffinfo-c-null 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 314 (0x13a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54034 (0xd312) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFF Directory at offset 0x767fe (485374)
  Image Width: 1024 Image Length: 768
  Resolution: 2, 0 (unitless)
  Bits/Sample: 8
  Compression Scheme: LZW
  Photometric Interpretation: RGB color
  Samples/Pixel: 4
  Planar Configuration: single image plane
  Transfer Function: 
     0:     0     0     0
     1:    16    16    16
     2:    46    46    46
     3:    84    84    84
     4:   129   129   129
     5:   180   180   180
     6:   237   237   237
     7:   298   298   298
     8:   364   364   364
     9:   435   435   435
    10:   509   509   509
    11:   587   587   587
    12:   669   669   669
    13:   754   754   754
    14:   843   843   843
    15:   935   935   935
    16:  1030  1030  1030
    17:  1128  1128  1128
    18:  1229  1229  1229
    19:  1333  1333  1333
    20:  1439  1439  1439
    21:  1549  1549  1549
    22:  1661  1661  1661
    23:  1775  1775  1775
    24:  1892  1892  1892
    25:  2012  2012  2012
    26:  2134  2134  2134
    27:  2258  2258  2258
    28:  2385  2385  2385
    29:  2513  2513  2513
    30: 48981 48981 48981
    31:  2778  2778  2778
    32:  2913  2913  2913
    33:  3051  3051  3051
    34:  3191  3191  3191
    35:  3332  3332  3332
    36:  3476  3476  3476
    37:  3622  3622  3622
    38:  3770  3770  3770
    39:  3920  3920  3920
    40:  4071  4071  4071
    41:  4225  4225  4225
    42:  4381  4381  4381
    43:  4538  4538  4538
    44:  4697  4697  4697
    45:  4858  4858  4858
    46:  5021  5021  5021
    47:  5186  5186  5186
    48:  5352  5352  5352
    49:  5520  5520  5520
    50:  5690  5690  5690
    51:  5862  5862  5862
    52:  6035  6035  6035
    53:  6210  6210  6210
    54:  6386  6386  6386
    55:  6565  6565  6565
    56:  6744  6744  6744
    57:  6926  6926  6926
    58:  7073  7073  7073
    59:  7294  7294  7294
    60:  7480  7480  7480
    61:  7668  7668  7668
    62:  7857  7857  7857
    63:  8048  8048  8048
    64:  8240  8240  8240
    65:  8434  8434  8434
    66:  8629  8629  8629
    67:  8826  8826  8826
    68:  9025  9025  9025
    69:  9224  9224  9224
    70:  9426  9426  9426
    71:  9628  9628  9628
    72:  9832  9832  9832
    73: 10038 10038 10038
    74: 10245 10245 10245
    75: 10453 10453 10453
    76: 10663 10663 10663
    77: 10874 10874 10874
    78: 11087 11087 11087
    79: 11301 11301 11301
    80: 11516 11516 11516
    81: 11633 11633 11633
    82:   686   686   686
    83: 12170 12170 12170
    84: 12390 12390 12390
    85: 12612 12612 12612
    86: 12835 12835 12835
    87: 13060 13060 13060
    88: 13286 13286 13286
    89: 13513 13513 13513
    90: 13741 13741 13741
    91: 13971 13971 13971
    92: 14202 14202 14202
    93: 14434 14434 14434
    94: 14667 14667 14667
    95: 14902 14902 14902
    96: 15138 15138 15138
    97: 15375 15375 15375
    98: 15614 15614 15614
    99: 15853 15853 15853
    100: 16094 16094 16094
    101: 16336 16336 16336
    102: 16579 16579 16579
    103: 16824 16824 16824
    104: 17069 17069 17069
    105: 17316 17316 17316
    106: 17564 17564 17564
    107: 17813 17813 17813
    108: 18063 18063 18063
    109: 18315 18315 18315
    110: 18567 18567 18567
    111: 18821 18821 18821
    112: 19076 19076 19076
    113: 19332 19332 19332
    114: 19589 19589 19589
    115: 19848 19848 19848
    116: 20107 20107 20107
    117: 20368 20368 20368
    118: 20629 20629 20629
    119: 20892 20892 20892
    120: 21156 21156 21156
    121: 21421 21421 21421
    122: 21687 21687 21687
    123: 21954 21954 21954
    124: 22223 22223 22223
    125: 22492 22492 22492
    126: 22762 22762 22762
    127: 23034 23034 23034
    128: 23307 23307 23307
    129: 23580 23580 23580
    130: 23855 23855 23855
    131: 24131 24131 24131
    132: 24408 24408 24408
    133: 24577 24577 24577
    134: 24964 24964 24964
    135: 25244 25244 25244
    136: 25525 25525 25525
    137: 25807 25807 25807
    138: 50154 50154 50154
    139: 26375 26375 26375
    140: 26660 26660 26660
    141: 26946 26946 26946
    142: 27233 27233 27233
    143: 27521 27521 27521
    144: 27810 27810 27810
    145: 28101 28101 28101
    146: 28392 28392 28392
    147: 28684 28684 28684
    148: 28977 28977 28977
    149: 29271 29271 29271
    150: 29567 29567 29567
    151: 29863 29863 29863
    152: 30160 30160 30160
    153: 30458 30458 30458
    154: 30757 30757 30757
    155: 31057 31057 31057
    156: 31358 31358 31358
    157: 31660 31660 31660
    158: 31963 31963 31963
    159: 32267 32267 32267
    160: 32572 32572 32572
    161: 32878 32878 32878
    162: 33185 33185 33185
    163: 33492 33492 33492
    164: 33801 33801 33801
    165: 34111 34111 34111
    166: 34421 34421 34421
    167: 34733 34733 34733
    168: 35045 35045 35045
    169: 35358 35358 35358
    170: 35673 35673 35673
    171: 35988 35988 35988
    172: 36304 36304 36304
    173: 36621 36621 36621
    174: 36939 36939 36939
    175: 37258 37258 37258
    176: 37578 37578 37578
    177: 37899 37899 37899
    178: 38220 38220 38220
    179: 38543 38543 38543
    180: 38866 38866 38866
    181: 39191 39191 39191
    182: 39516 39516 39516
    183: 39842 39842 39842
    184: 40169 40169 40169
    185: 27697 27697 27697
    186: 40826 40826 40826
    187: 41155 41155 41155
    188: 41486 41486 41486
    189: 41817 41817 41817
    190: 42150 42150 42150
    191: 42483 42483 42483
    192: 42817 42817 42817
    193: 43152 43152 43152
    194: 43488 43488 43488
    195: 43824 43824 43824
    196: 44162 44162 44162
    197: 44500 44500 44500
    198: 44840 44840 44840
    199: 45180 45180 45180
    200: 45521 45521 45521
    201: 45862 45862 45862
    202: 46205 46205 46205
    203: 46549 46549 46549
    204: 46893 46893 46893
    205: 47238 47238 47238
    206: 47584 47584 47584
    207: 47931 47931 47931
    208: 48279 48279 48279
    209: 48628 48628 48628
    210: 48977 48977 48977
    211: 49327 49327 49327
    212: 49678 49678 49678
    213: 50030 50030 50030
    214: 50383 50383 50383
    215: 50737 50737 50737
    216: 51091 51091 51091
    217: 51446 51446 51446
    218: 51802 51802 51802
    219: 52159 52159 52159
    220: 52517 52517 52517
    221: 52875 52875 52875
    222: 53234 53234 53234
    223: 53595 53595 53595
    224: 53955 53955 53955
    225: 54317 54317 54317
    226: 54680 54680 54680
    227: 55043 55043 55043
    228: 55407 55407 55407
    229: 55772 55772 55772
    230: 56138 56138 56138
    231: 56504 56504 56504
    232: 56872 56872 56872
    233: 57240 57240 57240
    234: 63497 63497 63497
    235: 57978 57978 57978
    236: 58349 58349 58349
    237: 58720 58720 58720
    238: 59092 59092 59092
    239: 59465 59465 59465
    240: 59838 59838 59838
    241: 60213 60213 60213
    242: 60588 60588 60588
    243: 60964 60964 60964
    244: 61341 61341 61341
    245: 61718 61718 61718
    246: 62096 62096 62096
    247: 62475 62475 62475
    248: 62855 62855 62855
    249: 63236 63236 63236
    250: 63617 63617 63617
    251: 63999 63999 63999
    252: 64382 64382 64382
    253: 64766 64766 64766
    254: 65150 65150 65150
    255: 33279 33279 33279
  Tag 314: ComposerØ Untitled, frame 
  Tag 54034: 1
  Software: Composer
  DateTime: Tue May  7 21:48:30 2002
  Artist: maya
  HostComputer: thor
$
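
A simplified model of the guard implied by the BEFORE and AFTER runs in Comment 4, added here as an illustration; it is not libtiff code and is not taken from the linked patch. It assumes the crash came from printing one transfer-function column per sample while only three tables exist; `dir_model`, `normalize_extra_samples`, `printable_columns`, `print_transfer`, `sample` and the curve values are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>

#define MAX_TF_TABLES 3   /* assumed: one table each for R, G, B */
#define RGB_CHANNELS  3

/* Hypothetical stand-in for the directory fields involved; not libtiff's struct. */
struct dir_model {
    uint16_t samples_per_pixel, extra_samples, bits_per_sample;
    const uint16_t *transfer[MAX_TF_TABLES];   /* NULL when a table is absent */
};

/* Mirrors the AFTER warning: samples beyond the colour channels that are not
 * declared as ExtraSamples get counted as ExtraSamples. Returns 1 if adjusted. */
static int normalize_extra_samples(struct dir_model *d)
{
    int color = (int)d->samples_per_pixel - (int)d->extra_samples;
    if (color <= RGB_CHANNELS)
        return 0;
    d->extra_samples = (uint16_t)(d->samples_per_pixel - RGB_CHANNELS);
    return 1;
}

/* Columns that are safe to print: bounded by the pointer array and by the
 * first NULL table, whatever SamplesPerPixel claims. */
static unsigned printable_columns(const struct dir_model *d)
{
    int want = (int)d->samples_per_pixel - (int)d->extra_samples;
    unsigned cols = 0;
    if (want > MAX_TF_TABLES)
        want = MAX_TF_TABLES;
    while ((int)cols < want && d->transfer[cols] != NULL)
        cols++;
    return cols;
}

/* Prints the curves and returns the number of rows written. */
static unsigned long print_transfer(FILE *fd, const struct dir_model *d)
{
    unsigned cols = printable_columns(d);
    unsigned long rows = 0;
    if (cols == 0 || d->bits_per_sample > 16)
        return 0;
    for (; rows < (1UL << d->bits_per_sample); rows++) {
        fprintf(fd, "    %2lu:", rows);
        for (unsigned i = 0; i < cols; i++)
            fprintf(fd, " %5u", d->transfer[i][rows]);
        fputc('\n', fd);
    }
    return rows;
}

/* Constructed sample: 4 samples/pixel, RGB, no ExtraSamples declared, 2-bit curves. */
static const uint16_t curve[4] = {0, 16, 46, 84};
static struct dir_model sample(void) { struct dir_model d = {4, 0, 2, {curve, curve, curve}}; return d; }
```

With the constructed sample the model prints three columns for a directory that claims four samples per pixel, which matches the three-column table in the AFTER run.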
Comment 5 Petr Gajdos 2018-06-04 13:07:19 UTC
Will submit for Tumbleweed, 15, 12, 11 and 10sp3.
Comment 9 Petr Gajdos 2018-06-06 11:32:19 UTC
This bug should be fixed by current submission.
Comment 11 Swamp Workflow Management 2018-06-19 12:14:04 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-07-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64065
Comment 12 Swamp Workflow Management 2018-06-27 16:10:34 UTC
SUSE-SU-2018:1826-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.9-44.15.2
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.9-44.15.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.9-44.15.2
Comment 13 Swamp Workflow Management 2018-06-28 13:09:01 UTC
openSUSE-SU-2018:1834-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.9-31.1
Comment 14 Swamp Workflow Management 2018-06-28 13:11:42 UTC
SUSE-SU-2018:1835-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1011839,1011846,1017689,1017690,1019611,1031263,1082332,1082825,1086408,974621
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-10266,CVE-2016-3632,CVE-2016-5318,CVE-2016-8331,CVE-2016-9535,CVE-2016-9540,CVE-2017-11613,CVE-2017-5225,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.9.1
Comment 15 Swamp Workflow Management 2018-07-05 10:17:22 UTC
SUSE-SU-2018:1889-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074317,1082332,1082825,1086408,1092949
CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    tiff-4.0.9-5.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    tiff-4.0.9-5.9.1
Comment 16 Andreas Stieger 2018-07-13 18:06:43 UTC
done
Comment 17 Swamp Workflow Management 2018-07-13 22:09:44 UTC
openSUSE-SU-2018:1956-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074317,1082332,1082825,1086408,1092949
CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
openSUSE Leap 15.0 (src):    tiff-4.0.9-lp150.4.3.1