See also boo # 1022791

bugbot adjusting priority

This is actually not for tiff but for netpbm as the reporter indicated on
oss-sec. The crash happens in tiff but it is caused by invalid parameters
passed to tiff via netpbm.

Created attachment 712437 [details]
PoC tiff file to trigger the crash

Only netpbm SLE-12:Update seems to be affected (upstream bug also noted that
only newer versions are affected).

No upstream patch is available yet (from oss-sec mail):

> Then I mailed the maintainer of netpbm and he promised fix them in
> the next Netpbm Super Stable release (the release series I tested) at the
> end of March.

But the upstream bug gives us some hint where the problem lies:

http://bugzilla.maptools.org/show_bug.cgi?id=2654#c9:

> My analyis of the issue is that netpbm calls TIFFRGBAImageGet with width and
> height parameters switched because it looks at the TIFF orientation tag and
> thinks that TIFFRGBAImageGet will do a transposition. This is related to the
> tifftopnm warnBrokenTiffLibrary() and getTiffDimensions() functions.

QA reproducer:

Using the PoC file from attachment 712437 [details]

  tifftopnm 000017.tif

crashes with a SEGFAULT.

This gives me a headache. I've mixed up the two netpbm bugs. Redesignating
this bug to deal with the segfault in putgreytile() from upstream bug:

http://bugzilla.maptools.org/show_bug.cgi?id=2654

Sorry for the confusion.

CVE has been assigned, CVE-2017-5849 for both issues from this bug and bug
1022791.

Probably
https://sourceforge.net/p/netpbm/code/2881/

Both issues (tiff upstream bugzilla 2654 and 2655) came to a deadlock. Even R. says netpbm misuses TIFFRGBAImageGet() [0][1] and Bryan (netpbm upstream) knows about it [2] but there seems to be no action from his side. 

The commit from my previous comment does not solve it, r2881 is already part of 10.78.4 I tested with -- still segfaults.

Testcases for both issues segfaults for me for 12/netpbm and Tumbleweed/netpbm at time of writing. I get no segfault for 11/netpbm and 10sp3/netpbm.

[0] http://bugzilla.maptools.org/show_bug.cgi?id=2654#c9
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2655#c4
[2] http://bugzilla.maptools.org/show_bug.cgi?id=2654#c10

Reassigning bugs to its maintainer.

netpbm-10.86.3 still segfaults.

netpbm-10.98.2 still segfaults.

netpbm-11.5.2 still segfaults.

Let us consider Even's idea in:
http://bugzilla.maptools.org/show_bug.cgi?id=2654#c9
and force -byrow codepath when warnBrokenTiffLibrary() result is positive. However, that would mean yet another SUSE specific patch, I think so at least when reading this upstream bug.

@Pedro: what do you think about it?
@security-team: would that suffice? It should eliminate the code path leading to segfault.

BEFORE
:/022790 # tifftopnm 000017.tif
[..]
tifftopnm: WARNING: This TIFF image has an orientation that most TIFF libraries convert incorrectly.  Use -byrow to circumvent.
Segmentation fault (core dumped)
:/022790 #

AFTER
:/022790 # tifftopnm 000017.tif
[..]
tifftopnm: WARNING: This TIFF image has an orientation that most TIFF libraries convert incorrectly.  Using -byrow to circumvent.
TIFFFillStrip: Invalid strip byte count 0, strip 1.
tifftopnm: Unable to read row 32, plane 0 of input Tiff image.  TIFFReadScanline() failed.
:/022790 # P5
32800 32
255
pamflip: End of file encountered when trying to read a row from input file.
:/022790 #

Index: netpbm-11.5.2/converter/other/tifftopnm.c
===================================================================
--- netpbm-11.5.2.orig/converter/other/tifftopnm.c
+++ netpbm-11.5.2/converter/other/tifftopnm.c
@@ -1393,7 +1393,7 @@ convertRasterByRows(pnmOut *       const



-static void
+static int
 warnBrokenTiffLibrary(TIFF * const tiffP) {

 /* TIFF library bug:
@@ -1423,6 +1423,7 @@ warnBrokenTiffLibrary(TIFF * const tiffP

     unsigned short tiffOrientation;
     int fldPresent;
+    int broken = false;
     fldPresent = TIFFGetField(tiffP, TIFFTAG_ORIENTATION, &tiffOrientation);
     if (fldPresent) {
         switch (tiffOrientation) {
@@ -1432,10 +1433,12 @@ warnBrokenTiffLibrary(TIFF * const tiffP
         case ORIENTATION_LEFTBOT:
             pm_message("WARNING: This TIFF image has an orientation that "
                        "most TIFF libraries convert incorrectly.  "
-                       "Use -byrow to circumvent.");
+                       "Using -byrow to circumvent.");
+            broken = true;
             break;
         }
     }
+    return broken;
 }


@@ -1562,8 +1565,6 @@ convertRasterInMemory(pnmOut *
     if (verbose)
         pm_message("Converting in memory ...");

-    warnBrokenTiffLibrary(tif);
-
     ok = TIFFRGBAImageOK(tif, emsg);
     if (!ok) {
         pm_message("%s", emsg);
@@ -1662,7 +1663,7 @@ convertImage(TIFF *             const ti
     xelval maxval;
     xel colormap[MAXCOLORS];
     unsigned short fillorder;
-    bool flipOk, noflipOk;
+    bool flipOk, noflipOk, byrow;
     pnmOut pnmOut;

     readDirectory(tifP, cmdline.headerdump, &tiffDir);
@@ -1674,15 +1675,21 @@ convertImage(TIFF *             const ti

     pm_message("writing %s file", pnm_formattypenm(format));

+    byrow = cmdline.byrow;
+    if (warnBrokenTiffLibrary(tifP)) {
+       /* force byrow true: http://bugzilla.maptools.org/show_bug.cgi?id=2654#c9 */
+       byrow = true;
+    }
+
     pnmOut_init(imageoutFileP, alphaFileP, tiffDir.width, tiffDir.height,
                 tiffDir.orientation, maxval, format, maxval,
-                cmdline.byrow, cmdline.orientraw,
+                byrow, cmdline.orientraw,
                 cmdline.verbose,
                 &flipOk, &noflipOk,
                 &pnmOut);

     convertRaster(&pnmOut, tifP, tiffDir, maxval,
-                  fillorder, colormap, cmdline.byrow, flipOk, noflipOk,
+                  fillorder, colormap, byrow, flipOk, noflipOk,
                   cmdline.verbose);

     pnmOut_term(&pnmOut, cmdline.verbose);

Pedro is not maintainer for a long time, sorry

BEFORE
:/022790 # tifftopnm 000017.tif
[..]
tifftopnm: WARNING: This TIFF image has an orientation that most TIFF libraries convert incorrectly.  Use -byrow to circumvent.
                      ^^^
[..]
:/022790 #

AFTER
:/022790 # tifftopnm 000017.tif
[..]
tifftopnm: WARNING: This TIFF image has an orientation that most TIFF libraries convert incorrectly.  Using -byrow to circumvent.
                      ^^^^^
[..]
:/022790 #

Submitted for: 15,12/netpbm.

I believe all fixed.

Submit request into devel project:
https://build.opensuse.org/request/show/1143652

SUSE-SU-2024:0435-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1022790, 1022791
CVE References: CVE-2017-5849
Sources used:
openSUSE Leap 15.5 (src): netpbm-10.80.1-150000.3.14.1
Basesystem Module 15-SP5 (src): netpbm-10.80.1-150000.3.14.1
Desktop Applications Module 15-SP5 (src): netpbm-10.80.1-150000.3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:0434-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1022790, 1022791
CVE References: CVE-2017-5849
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): netpbm-10.66.3-8.10.1
SUSE Linux Enterprise Server 12 SP5 (src): netpbm-10.66.3-8.10.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): netpbm-10.66.3-8.10.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): netpbm-10.66.3-8.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.