Bug 1086408 - (CVE-2018-8905) VUL-0: CVE-2018-8905: tiff: A heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/202460/
CVSSv3:SUSE:CVE-2018-8905:5.3:(AV:L/A...
 
Reported: 2018-03-22 08:33 UTC by Karol Babioch
Modified: 2019-01-14 10:21 UTC (History)

Found By: Security Response Team


Attachments
Reproducer (316 bytes, image/tiff)
2018-03-22 09:54 UTC, Karol Babioch

Description Karol Babioch 2018-03-22 08:33:34 UTC
CVE-2018-8905

In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function
LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by
tiff2ps.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8905
https://github.com/halfbitteam/POCs/tree/master/libtiff-4.08_tiff2ps_heap_overflow
http://bugzilla.maptools.org/show_bug.cgi?id=2780
Comment 1 Karol Babioch 2018-03-22 09:54:49 UTC
Created attachment 764557 [details]
Reproducer
Comment 2 Karol Babioch 2018-03-22 09:55:17 UTC
$ valgrind tiff2ps ~/Downloads/poc4
==32403== Memcheck, a memory error detector
==32403== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==32403== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==32403== Command: tiff2ps /home/kbabioch/Downloads/poc4
==32403== 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1805 (0x70d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4882 (0x1312) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3072 (0xc00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3600 (0xe10) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32794 (0x801a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 204 (0xcc) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 1805"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 4882"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 3600" value failed; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 32794" value failed; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 3" value failed; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
%!PS-Adobe-3.0 EPSF-3.0
%%Creator: tiff2ps
%%Title: /home/kbabioch/Downloads/poc4
%%CreationDate: Thu Mar 22 10:54:05 2018
%%DocumentData: Clean7Bit
%%Origin: 0 0
%%BoundingBox: 0 0 16 223
%%LanguageLevel: 1
%%Pages: 1 1
%%EndComments
%%Page: 1 1
gsave
100 dict begin
16.000000 223.000000 scale
%ImageData: 16 223 4 3 0 8 2 "true 3 colorimage"
/line0 8 string def
/line1 8 string def
/line2 8 string def
16 223 4
[16 0 0 -223 0 223] 
{currentfile line0 readhexstring pop}bind
{currentfile line1 readhexstring pop}bind
{currentfile line2 readhexstring pop}bind
true 3 colorimage
LZWPreDecode: Warning, Old-style LZW codes, convert file.
/home/kbabioch/Downloads/poc4: LZWDecode: Corrupted LZW table at scanline 2.
==32403== Invalid write of size 1
==32403==    at 0x4E6A5E8: ??? (in /usr/lib64/libtiff.so.5.3.0)
==32403==    by 0x4E79416: TIFFReadScanline (in /usr/lib64/libtiff.so.5.3.0)
==32403==    by 0x10CE04: ??? (in /usr/bin/tiff2ps)
==32403==    by 0x10FC1D: ??? (in /usr/bin/tiff2ps)
==32403==    by 0x110889: ??? (in /usr/bin/tiff2ps)
==32403==    by 0x109F98: ??? (in /usr/bin/tiff2ps)
==32403==    by 0x53CB724: (below main) (libc-start.c:289)
==32403==  Address 0x62299af is 1 bytes before a block of size 8 alloc'd
==32403==    at 0x4C2A110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32403==    by 0x10CD98: ??? (in /usr/bin/tiff2ps)
==32403==    by 0x10FC1D: ??? (in /usr/bin/tiff2ps)
==32403==    by 0x110889: ??? (in /usr/bin/tiff2ps)
==32403==    by 0x109F98: ??? (in /usr/bin/tiff2ps)
==32403==    by 0x53CB724: (below main) (libc-start.c:289)
==32403== 
/home/kbabioch/Downloads/poc4: LZWDecode: Corrupted LZW table at scanline 3.
[..]
0104a0080c000004a0000004a0000000
end
grestore
showpage
%%Trailer
%%EOF
==32403== 
==32403== HEAP SUMMARY:
==32403==     in use at exit: 0 bytes in 0 blocks
==32403==   total heap usage: 50 allocs, 50 frees, 109,742 bytes allocated
==32403== 
==32403== All heap blocks were freed -- no leaks are possible
==32403== 
==32403== For counts of detected and suppressed errors, rerun with: -v
==32403== ERROR SUMMARY: 220 errors from 1 contexts (suppressed: 0 from 0)
Comment 3 Karol Babioch 2018-03-22 10:01:06 UTC
Reproducer triggered on SLE12SP3, but not on other codestreams (SLE10/SLE11). According to git blame there was not too much change in this section, so probably all codestreams might be affected. Will have to wait until someone looks into this in more detail.
Comment 4 Petr Gajdos 2018-06-05 12:20:03 UTC
BEFORE

12/tiff

$ valgrind tiff2ps poc4
[..]
==17283== Invalid write of size 1
==17283==    at 0x4E69828: LZWDecodeCompat (tif_lzw.c:763)
==17283==    by 0x4E78656: TIFFReadScanline (tif_read.c:450)
==17283==    by 0x10CE04: PSDataColorSeparate (tiff2ps.c:2526)
==17283==    by 0x10FC1D: PSpage (tiff2ps.c:2366)
==17283==    by 0x110889: TIFF2PS (tiff2ps.c:1612)
==17283==    by 0x109F98: main (tiff2ps.c:479)
==17283==  Address 0x62291ff is 1 bytes before a block of size 8 alloc'd
==17283==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==17283==    by 0x10CD98: PSDataColorSeparate (tiff2ps.c:2518)
==17283==    by 0x10FC1D: PSpage (tiff2ps.c:2366)
==17283==    by 0x110889: TIFF2PS (tiff2ps.c:1612)
==17283==    by 0x109F98: main (tiff2ps.c:479)
==17283==
[..]
==17283== ERROR SUMMARY: 220 errors from 1 contexts (suppressed: 0 from 0
$
[the same issue as reporter in upstream bug]

11/tiff
$ valgrind tiff2ps poc4                        
[..]
poc4: Error fetching data for field "StripOffsets".
LIBTIFF, Version 3.8.2
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.

usage: tiff2ps [options] input.tif ...
where options are:
 -1            generate PostScript Level 1 (default)
 -2            generate PostScript Level 2
 -3            generate PostScript Level 3
 -8            disable use of ASCII85 encoding with PostScript Level 2/3
 -a            convert all directories in file (default is first)
 -b #          set the bottom margin to # inches
 -c            center image (-b and -l still add to this)
 -d #          convert directory number #
 -D            enable duplex printing (two pages per sheet of paper)
 -e            generate Encapsulated PostScript (EPS) (implies -z)
 -h #          assume printed page height is # inches (default 11)
 -w #          assume printed page width is # inches (default 8.5)
 -H #          split image if height is more than # inches
 -L #          overLap split images by # inches
 -i #          enable/disable (Nz/0) pixel interpolation (default: enable)
 -l #          set the left margin to # inches
 -m            use "imagemask" operator instead of "image"
 -o #          convert directory at file offset #
 -O file       write PostScript to file instead of standard output
 -p            generate regular PostScript
 -r            rotate by 180 degrees
 -s            generate PostScript for a single image
 -T            print pages for top edge binding
 -x            override resolution units as centimeters
 -y            override resolution units as inches
 -z            enable printing in the deadzone (only for PostScript Level 2/3)
==17510== 
==17510== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)
==17510== malloc/free: in use at exit: 0 bytes in 0 blocks.
==17510== malloc/free: 41 allocs, 41 frees, 205,777,579 bytes allocated.
==17510== For counts of detected errors, rerun with: -v
==17510== All heap blocks were freed -- no leaks are possible.
$
[no issues observed, the error path is taken, though]


PATCH

https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d

10sp3,11/tiff: code requires the patch


AFTER

12/tiff

$ valgrind tiff2ps poc4 
[..]
==18229== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$

11/tiff

$  valgrind tiff2ps poc4
[..]
poc4: Warning, incorrect count for field "StripOffsets" (41060, expecting 1); tag trimmed.
poc4: Error fetching data for field "StripOffsets".
[..]
==10587== 
==10587== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 1)
==10587== malloc/free: in use at exit: 0 bytes in 0 blocks.
==10587== malloc/free: 41 allocs, 41 frees, 205,777,579 bytes allocated.
==10587== For counts of detected errors, rerun with: -v
==10587== All heap blocks were freed -- no leaks are possible.
$
[no change]
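The trace above shows LZWDecodeCompat writing one byte before an 8-byte heap block handed to TIFFReadScanline. In tif_lzw.c a code's string is stored as a chain running backwards from its last byte together with a recorded length, and the decoder writes the string into the scanline buffer with a descending pointer; when a corrupted table gives an entry a chain longer than its recorded length, an unbounded copy runs below the start of the buffer. The following is an added example, not libtiff code: a constructed entry with that mismatch (8 chain bytes, recorded length 7, into an 8-byte buffer, mirroring the trace), the bounded copy loop in the style of libtiff's LZWDecode path that the upstream commit linked above brings to LZWDecodeCompat, and a count of how far an unbounded copy would have underflowed. All type and function names are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Table entry in the style of tif_lzw.c: a code's string is a chain running
 * backwards from its last byte, plus a recorded length that the decoder trusts
 * when it reserves room in the scanline buffer. */
typedef struct code_entry {
    struct code_entry *next;  /* preceding byte's entry, NULL at the first byte */
    unsigned short length;    /* recorded string length; may disagree with the chain */
    unsigned char value;      /* last byte of the string */
} code_entry;

enum { COPY_OK = 0, COPY_CORRUPT = 1, COPY_NO_ROOM = 2 };

/* Bounded reverse copy of one code's string into out[*pos..] (capacity cap).
 * The write pointer walks down from op + length and never passes op, so a chain
 * longer than `length`, or one that loops, cannot write below the buffer;
 * chain left over after the loop is reported as a corrupted table. */
int copy_string_bounded(const code_entry *codep, unsigned char *out, size_t cap, size_t *pos)
{
    size_t len = codep->length;
    if (len == 0)
        return COPY_CORRUPT;        /* an empty string is never a valid code */
    if (len > cap - *pos)
        return COPY_NO_ROOM;        /* the real decoder switches to restart logic here */
    unsigned char *op = out + *pos;
    unsigned char *tp = op + len;
    do {
        --tp;
        *tp = codep->value;
        codep = codep->next;
    } while (codep && tp > op);     /* stop at the recorded length, not at chain end */
    if (codep)
        return COPY_CORRUPT;        /* chain outlived its recorded length */
    *pos += len;
    return COPY_OK;
}

/* Bytes an unbounded copy (`*--tp = value` until next == NULL) would place
 * before the destination: chain bytes beyond the recorded length. The walk is
 * capped so a looping chain terminates. 0 for a consistent entry. */
size_t underflow_bytes(const code_entry *codep)
{
    size_t actual = 0, claimed = codep->length;
    for (const code_entry *p = codep; p && actual < 4096; p = p->next)
        actual++;
    return actual > claimed ? actual - claimed : 0;
}

/* Constructed entries for the string s (not parsed from any TIFF); returns the
 * head entry, i.e. the one for the last byte of s. */
code_entry *build_chain(code_entry *pool, const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++) {
        pool[i].value = (unsigned char)s[i];
        pool[i].next = i ? &pool[i - 1] : NULL;
        pool[i].length = (unsigned short)(i + 1);
    }
    return &pool[n - 1];
}

/* Consistent entry: an 8-byte string fills an 8-byte buffer exactly. */
int demo_valid_entry(void)
{
    code_entry pool[16];
    unsigned char out[8];
    size_t pos = 0;
    int rc = copy_string_bounded(build_chain(pool, "scanline"), out, sizeof out, &pos);
    return rc == COPY_OK && pos == 8 && memcmp(out, "scanline", 8) == 0;
}

/* Constructed corruption mirroring the trace above: the chain holds 8 bytes but
 * the entry records 7, so an unbounded copy into an 8-byte block would write one
 * byte before it; the bounded copy rejects the entry instead. */
int demo_corrupt_entry_rejected(void)
{
    code_entry pool[16];
    unsigned char out[8];
    size_t pos = 0;
    code_entry *head = build_chain(pool, "scanline");
    head->length = 7;
    return copy_string_bounded(head, out, sizeof out, &pos);
}

/* Same corrupted entry: how far the unbounded loop would have written before op. */
size_t demo_corrupt_entry_underflow(void)
{
    code_entry pool[16];
    code_entry *head = build_chain(pool, "scanline");
    head->length = 7;
    return underflow_bytes(head);
}
```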
Comment 5 Petr Gajdos 2018-06-05 12:26:18 UTC
I will submit to TW, 15, 12, 11 and 10sp3.
Comment 7 Petr Gajdos 2018-06-06 11:32:22 UTC
This bug should be fixed by current submission.
Comment 9 Swamp Workflow Management 2018-06-19 12:14:41 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-07-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64065
Comment 10 Swamp Workflow Management 2018-06-27 16:10:45 UTC
SUSE-SU-2018:1826-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.9-44.15.2
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.9-44.15.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.9-44.15.2
Comment 11 Swamp Workflow Management 2018-06-28 13:09:11 UTC
openSUSE-SU-2018:1834-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.9-31.1
Comment 12 Swamp Workflow Management 2018-06-28 13:11:50 UTC
SUSE-SU-2018:1835-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1011839,1011846,1017689,1017690,1019611,1031263,1082332,1082825,1086408,974621
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-10266,CVE-2016-3632,CVE-2016-5318,CVE-2016-8331,CVE-2016-9535,CVE-2016-9540,CVE-2017-11613,CVE-2017-5225,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.9.1
Comment 13 Swamp Workflow Management 2018-07-05 10:17:34 UTC
SUSE-SU-2018:1889-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074317,1082332,1082825,1086408,1092949
CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    tiff-4.0.9-5.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    tiff-4.0.9-5.9.1
Comment 14 Swamp Workflow Management 2018-07-13 22:09:57 UTC
openSUSE-SU-2018:1956-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074317,1082332,1082825,1086408,1092949
CVE References: CVE-2017-11613,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
openSUSE Leap 15.0 (src):    tiff-4.0.9-lp150.4.3.1
Comment 15 Marcus Meissner 2019-01-14 10:21:40 UTC
released