Bugzilla – Bug 612879
VUL-0: CVE-2010-2065 ... : various libtiff crashes, integer overflow and NULL derefs
Last modified: 2019-08-16 16:12:35 UTC
I think we should combine it for one SWAMP, but I thought it would be better to have a separate bugzilla:

Date: Wed, 9 Jun 2010 14:12:17 +0200
From: Tomas Hoger <thoger@redhat.com>
To: Vendor-Sec <vendor-sec@lst.de>
Cc: Frank Warmerdam <warmerdam@pobox.com>, vulncoord@ficora.fi
Subject: [vendor-sec] libtiff integer overflow and NULL deref (CERT-FI

Hi!

More libtiff issues. Reported by Sauli Pahlman of CERT-FI / FICORA in Ubuntu Launchpad:
https://bugs.launchpad.net/bugs/589145
https://bugs.launchpad.net/bugs/589565

Both issues should only affect 3.9.

lp589145 is NULL pointer deref. We're not treating this as security. Attached is the fix that got committed upstream.

lp589565 is TIFFroundup integer overflow, similar to CVE-2010-1411. Check if bytecount in TIFFFillStrip is unsigned to see if you're affected. Upstream CVS commit addressing this is attached too. CVE-2010-2065 was assigned to this.
Created attachment 368177 [details] advisory ...
Created attachment 368178 [details] patch1 ...
Created attachment 368180 [details] patch2 ...
Kees Cook found that

$ rgb2ycbcr lp589145-sample.tif /tmp/foo

still crashes, so the fix is probably incomplete.
Created attachment 368621 [details] tiff-certfi.tgz Reproducer TIFF images.
> On Thu, 10 Jun 2010 17:42:22 -0700 Kees Cook wrote:
>
> > The attached fix only stops a crash for one style of TIFF parsing.
> > There seems to be at least one more crash:
> >
> > $ rgb2ycbcr lp589145-sample.tif /tmp/foo
> > ...
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x00007ffff7b962ba in putcontig8bitYCbCr22tile (img=0x7fffffffd5b0,
> > cp=<value optimized out>, x=<value optimized out>,
> > y=<value optimized out>, w=<value optimized out>, h=<value
> > optimized out>, fromskew=0, toskew=<value optimized out>,
> > pp=0x622710 "") at tif_getimage.c:1857
> > 1857 YCbCrtoRGB(cp[0], pp[0]);
>
> Sounds like a nastier variant of LP#591605...

Seem to be the same as:
https://bugzilla.redhat.com/show_bug.cgi?id=583081

That BZ links couple of upstream BZs with patches.

--
Tomas Hoger / Red Hat Security Response Team
> > > Seem to be the same as:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=583081
> > >
> > > That BZ links couple of upstream BZs with patches.
> >
> > Yes, thanks, this seems to fix it:
> > http://bugzilla.maptools.org/show_bug.cgi?id=2207
>
> By "it" above, I meant LP#589145. It seems that LP#591605 doesn't have
> a fix anywhere, yet.

Tomas subscribed me to the currently-private:
https://bugzilla.redhat.com/show_bug.cgi?id=603081

What is the CRD for this fix?

-Kees
Created attachment 369721 [details] libtiff-3samples.patch

Re: [vendor-sec] libtiff integer overflow and NULL deref (CERT-FI) (Tomas Hoger, Cc: Frank Warmerdam, vulncoord@ficora.fi, Wed Jun 16 14:14:45 2010)

On Tue, 15 Jun 2010 08:17:15 -0700 Kees Cook wrote:

> Tomas subscribed me to the currently-private:
> https://bugzilla.redhat.com/show_bug.cgi?id=603081
>
> What is the CRD for this fix?

We don't request any, as it's OOB read. Attaching Tom Lane's proposed patch from that BZ.

--
Tomas Hoger / Red Hat Security Response Team
To summarize. There are five problems:

(a) CVE-2010-2067
(b) CVE-2010-2065 part I
(c) CVE-2010-2065 part II
(d) OOB read in putcontig8bitYCbCr11tile
(e) tiff2rgba segfault

(a) is covered by bug 612787, which I don't know how to reproduce, but we have a patch in bug 612787 comment 1
(b) this one I can reproduce with tiff 3.9.2, patch 1 from comment 2 fixes it (tested with tiff2pdf)
https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589145
(c) this I can reproduce too with tiff 3.9.2, patch2 from comment 3 fixes it (tested with eog)
https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565
(d) I don't get a crash with eog and tiff 3.9.2, but I get different results on each run of eog on p591605-sample.tif! This seems to be fixed with Lane's patch from https://bugzilla.redhat.com/show_bug.cgi?id=603081
(e) tiff2rgba lp591605-sample.tif /dev/null segfaults, we don't have a patch so far https://bugzilla.redhat.com/show_bug.cgi?id=603081#c7

Am I correct?
Fortunately we have 3.9.2 only in factory for now and it will be part of 11.3. I will test tomorrow which of these bugs are present in the 3.8.2 code we have in 11.2.
All of (b), (c), (d) and (e) are ok for 3.8.2, so currently only Factory seems to be affected by this vulnerability. I didn't test it for older versions, though.
So we only need fixes in factory? This sounds great :) (a) is tracked in another bnc then.
(In reply to comment #12)
> So we only need fixes in factory? This sounds great :)

Yes :-). So what to do now? Will we fix (b) - (d) now and (a) and (e) later or will we wait?
If I see correctly, the fixes needed for factory are all public. Then we could just submit it. The other bug (a) will be handled in the other bnc and (e) can be submitted to factory if upstream has a fix. We leave this bnc open until (e) is fixed too.
(In reply to comment #14)
> If I see correctly, the fixes needed for factory are all
> public. Then we could just submit it.

Sure -- done, sr#41959. Therefore only (e) remains.
> > Seem to be the same as:
> > https://bugzilla.redhat.com/show_bug.cgi?id=583081
> >
> > That BZ links couple of upstream BZs with patches.
>
> Yes, thanks, this seems to fix it:
> http://bugzilla.maptools.org/show_bug.cgi?id=2207

Let's use CVE-2010-2233 for this issue. 3.9 only too.

--
Tomas Hoger / Red Hat Security Response Team
(e) seems to be fixed by one of the patches from the fixes of (b) - (d)
(In reply to comment #17)
> (e) seems to be fixed by one of the patches from the fixes of (b) - (d)

(e) seems to be fixed by one of the patches from the fixes of (b) or (c), I meant
(In reply to comment #16)
> Let's use CVE-2010-2233 for this issue. 3.9 only too.

(f) CVE-2010-2233
http://bugzilla.maptools.org/show_bug.cgi?id=2207
https://bugzilla.redhat.com/show_bug.cgi?id=583081

I have revoked request #41959 and I will add this patch to tiff now.
I can confirm that the patch fixes the crash of the reproducer from the RedHat bugzilla. Created new request #41989. I think we can close this, if no further CVE arises ;-). What do you think?
Actually the fixes were accepted into Factory, yes, but weren't merged into 11.3. So we need to do an update for 11.3. Request #42178 sent against 11.3. Reassigning to security team. Thanks.
The SWAMPID for this issue is 34165. This issue was rated as low. Please submit fixed packages as soon as possible. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
> 2. A NULL pointer dereference in TIFFVGetField() may result in
> application crash
> (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145).

This got CVE-2010-2443 from Mitre a few days ago. But I guess you're going to (or should?) ask for one more for the td_stripbytecount case I pointed out in one of the previous replies (split due to different fixed-in version). Sauli's fuzzer to blame for the discovery again ;).

--
Tomas Hoger / Red Hat Security Response Team

---> so (b) got CVE-2010-2443
There have been more CVE-IDs assigned which seem to be related to this bug:

======================================================
Name: CVE-2010-2595
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2595
Reference: CONFIRM:http://bugzilla.maptools.org/show_bug.cgi?id=2208
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=583081

The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in ImageMagick, does not properly handle invalid ReferenceBlackWhite values, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers an array index error, related to "downsampled OJPEG input."

======================================================
Name: CVE-2010-2596
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2596
Reference: CONFIRM:http://bugzilla.maptools.org/show_bug.cgi?id=2209
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=583081

The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to "downsampled OJPEG input."

======================================================
Name: CVE-2010-2597
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2597
Reference: CONFIRM:http://bugzilla.maptools.org/show_bug.cgi?id=2215
Reference: CONFIRM:https://bugs.launchpad.net/bugs/593067
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=583081
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=603703

The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image, related to "downsampled OJPEG input" and possibly related to a compiler optimization that triggers a divide-by-zero error.

======================================================
Name: CVE-2010-2598
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2598
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=583081

LibTIFF in Red Hat Enterprise Linux (RHEL) 3 on x86_64 platforms, as used in tiff2rgba, attempts to process image data even when the required compression functionality is not configured, which allows remote attackers to cause a denial of service via a crafted TIFF image, related to "downsampled OJPEG input."
======================================================
Name: CVE-2010-2481

The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle unknown tag types in TIFF directory entries, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF file.

Reference: CONFIRM: http://bugzilla.maptools.org/show_bug.cgi?id=2210
Reference: MLIST: http://www.openwall.com/lists/oss-security/2010/06/30/22
Reference: MLIST: http://marc.info/?l=oss-security&m=127797353202873&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127781315415896&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127738540902757&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127736307002102&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127731610612908&w=2

======================================================
Name: CVE-2010-2482

LibTIFF 3.9.4 and earlier does not properly handle an invalid td_stripbytecount field, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted TIFF file, a different vulnerability than CVE-2010-2443.

Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=608010
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=603024
Reference: CONFIRM: https://bugs.launchpad.net/bugs/597246
Reference: MLIST: http://www.openwall.com/lists/oss-security/2010/06/30/22
Reference: SECUNIA: http://secunia.com/advisories/40422
Reference: MLIST: http://marc.info/?l=oss-security&m=127797353202873&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127738540902757&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127736307002102&w=2
Reference: CONFIRM: http://bugzilla.maptools.org/show_bug.cgi?id=1996

======================================================
Name: CVE-2010-2483

The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a TIFF file with an invalid combination of SamplesPerPixel and Photometric values.

Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=603081
Reference: CONFIRM: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605
Reference: MLIST: http://www.openwall.com/lists/oss-security/2010/06/30/22
Reference: SECUNIA: http://secunia.com/advisories/40422
Reference: MLIST: http://marc.info/?l=oss-security&m=127797353202873&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127781315415896&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127738540902757&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127736307002102&w=2
Reference: MLIST: http://marc.info/?l=oss-security&m=127731610612908&w=2
Reference: CONFIRM: http://bugzilla.maptools.org/show_bug.cgi?id=2216
Petr, do we also need fixed packages for the CVEs above? Maybe for Factory or for the running update?
CVE-2010-2065 3.9 only. The fix in 11.3 (tiff-3.9.2-integer-overflow.patch) is not 100% complete. There are two lines missing that prevent a malloc(0). Shouldn't be worse than a crash though.
CVE-2010-2233 is fixed in 11.3 (tiff-3.9.2-getimage-64bit.patch), probably affects older versions too but it's just a crash.
CVE-2010-2443 is fixed in 11.3 (tiff-3.9.2-NULL-deref.patch). 3.9 only.
CVE-2010-2481 probably affects older versions than 3.9, crash only.
CVE-2010-2482 is 3.9 only, similar bug as CVE-2010-2443
CVE-2010-2483 just a crash (oob read)
CVE-2010-2595 another crash
CVE-2010-2596 assertion failure, no patch available yet
CVE-2010-2597 div by zero
CVE-2010-2598 other crash

Unless someone finds a use case where a crashing libtiff is security relevant beyond annoyance I'd ignore the crashers. So we can close this bug. We still need a security update for bug 612787 on 11.3 though.
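The TIFFroundup integer overflow from the vendor-sec mail at the top of this bug, and the malloc(0) case the 11.3 patch is said to miss, as an added example that is not libtiff's code: a naive 32-bit round-up modelled on the (x + (y - 1)) / y * y pattern wraps for byte counts near UINT32_MAX and produces a zero-size allocation, while the checked version rejects both the wrap and the zero result before any buffer is allocated. The function names tiff_roundup_naive, tiff_roundup_checked and strip_buffer_size_ok are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libtiff code; all function names are hypothetical. */

/* Naive round-up of x to a multiple of y, modelled on the
 * (x + (y - 1)) / y * y pattern: the addition wraps once x is within
 * y - 1 of UINT32_MAX, so a huge byte count rounds to a tiny (even zero) size. */
static uint32_t tiff_roundup_naive(uint32_t x, uint32_t y)
{
    return ((x + (y - 1)) / y) * y;
}

/* Checked variant: fails instead of wrapping, so the caller can reject
 * the directory entry rather than allocate a buffer that is too small. */
static bool tiff_roundup_checked(uint32_t x, uint32_t y, uint32_t *out)
{
    if (y == 0 || x > UINT32_MAX - (y - 1))
        return false;                   /* invalid divisor or would wrap */
    *out = ((x + (y - 1)) / y) * y;
    return true;
}

/* Validate a strip byte count before allocating: the rounded size must be
 * representable and non-zero (a zero size is the malloc(0) the 11.3 patch
 * is said to miss; reading strip data into it is still a crash). */
static bool strip_buffer_size_ok(uint32_t bytecount, uint32_t align,
                                 uint32_t *size)
{
    uint32_t rounded;
    if (!tiff_roundup_checked(bytecount, align, &rounded) || rounded == 0)
        return false;
    *size = rounded;
    return true;
}

int main(void)
{
    uint32_t sz = 0;
    /* Constructed byte count near UINT32_MAX, the kind a bad directory entry yields. */
    printf("naive roundup(0xFFFFFFFE, 8) = %u\n",
           tiff_roundup_naive(0xFFFFFFFEu, 8));          /* wraps to 0 */
    printf("checked 0xFFFFFFFE: %s\n",
           strip_buffer_size_ok(0xFFFFFFFEu, 8, &sz) ? "ok" : "rejected");
    printf("checked 1001 -> %u\n", strip_buffer_size_ok(1001, 8, &sz) ? sz : 0);
    return 0;
}
```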
Note: I have updated tiff to 3.9.4 in Factory, which fixes CVE-2010-2067 (bug 612787) and CVE-2010-2065 too. tiff-3.9.4-oob-read.patch and tiff-3.9.4-getimage-64bit.patch are still needed though.
Update released for: tiff
Products: openSUSE 11.3 (debug, i586, x86_64)
So can I close this bug? Or should it be reassigned to security team?
both :)
This is an autogenerated message for OBS integration: This bug (612879) was mentioned in https://build.opensuse.org/request/show/41989 Factory / tiff