More crashes in libtiff

Bug #597061 reported by Robert Swiecki
Affects: tiff (Ubuntu) | Status: Confirmed | Importance: Low | Assigned to: Unassigned | Milestone: none

Bug Description

Binary package hint: libtiff4

I saw your recent USN-954-1 on the full-disclosure mailing list, and I recalled I have more libtiff crashes. I put them here

http://alt.swiecki.net/j/libtiff/

One is a NULL-ptr deref (DoS); the other two look more likely to be exploitable, but I didn't dig deeper.

I sent these testcases around ~2 weeks ago to Frank Warmerdam and Andrey Kiselev, but no response so far.

Tested with your newest

libtiff-tools 3.9.2-2ubuntu0.3
libtiff4 3.9.2-2ubuntu0.3

on Ubuntu lucid amd64

Please test with 'tiffinfo -d' (I was told that it's the only recommended way to test the libtiff API for bugs).

What is more, please, please disable support for old-jpeg in libtiff, it's full of well-known and easy to find security bugs.

Example:

$ tiffinfo -d "SIGSEGV.PC.0x49e69b.CODE.2.ADDR.0x7ffff7fd3b66.INSTR.repz_dec_eax.TIME.2010-06-03.16.51.35.PID.12987.tif" >/dev/null 2>&1
Segmentation fault (core dumped)

$ gdb /usr/bin/tiffinfo

(gdb) r -d "SIGSEGV.PC.0x49e69b.CODE.2.ADDR.0x7ffff7fd3b66.INSTR.repz_dec_eax.TIME.2010-06-03.16.51.35.PID.12987.tif" >/dev/null 2>&1
Starting program: /usr/bin/tiffinfo -d "SIGSEGV.PC.0x49e69b.CODE.2.ADDR.0x7ffff7fd3b66.INSTR.repz_dec_eax.TIME.2010-06-03.16.51.35.PID.12987.tif" >/dev/null 2>&1

Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/x86_64/memcpy.S:267
267 ../sysdeps/x86_64/memcpy.S: No such file or directory.
 in ../sysdeps/x86_64/memcpy.S
(gdb) bt
#0 memcpy () at ../sysdeps/x86_64/memcpy.S:267
#1 0x00007ffff7baf7de in ?? () from /usr/lib/libtiff.so.4
#2 0x00007ffff7baf9b4 in TIFFFillStrip () from /usr/lib/libtiff.so.4
#3 0x00007ffff7baff64 in TIFFReadEncodedStrip () from /usr/lib/libtiff.so.4
#4 0x0000000000401cdf in ?? ()
#5 0x0000000000401d98 in ?? ()
#6 0x0000000000401e74 in ?? ()
#7 0x000000000040218e in ?? ()
#8 0x00007ffff7157c4d in __libc_start_main (main=<value optimized out>, argc=<value optimized out>, ubp_av=<value optimized out>, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>,
    stack_end=0x7fffffffe2a8) at libc-start.c:226
#9 0x0000000000401219 in ?? ()
#10 0x00007fffffffe2a8 in ?? ()
#11 0x000000000000001c in ?? ()
#12 0x0000000000000003 in ?? ()
#13 0x00007fffffffe580 in ?? ()
#14 0x00007fffffffe592 in ?? ()
#15 0x00007fffffffe595 in ?? ()
#16 0x0000000000000000 in ?? ()
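
The trace above ends in memcpy() under TIFFFillStrip(), which copies a strip's bytes out of the file. As an added illustration (not part of the report, and without claiming it is the root cause of this particular crash), the following Python parses a TIFF's first IFD and applies the bounds check any strip reader needs before such a copy: each StripOffsets/StripByteCounts pair must lie inside the file, compared via the remaining size so the sum cannot wrap. The build_tiff helper constructs the sample input.

```python
import struct

TAG_STRIP_OFFSETS, TAG_STRIP_BYTE_COUNTS = 273, 279
TYPE_FMT = {3: "H", 4: "I"}  # SHORT and LONG, the types these two tags may use


def read_tag_values(data, end, typ, count, value_field):
    """Decode an IFD entry's values; arrays wider than 4 bytes live at an offset."""
    fmt = TYPE_FMT[typ]
    size = struct.calcsize(fmt) * count
    if size <= 4:
        raw = value_field[:size]  # small values are stored inline, left-justified
    else:
        off = struct.unpack(end + "I", value_field)[0]
        if off > len(data) or size > len(data) - off:
            raise ValueError("tag value array lies outside the file")
        raw = data[off:off + size]
    return list(struct.unpack(end + fmt * count, raw))


def check_strips(data):
    """Return [(strip, offset, bytecount)] for strips that do not fit in the file."""
    end = {b"II": "<", b"MM": ">"}[data[:2]]
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not a classic TIFF")
    n = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])[0]
    tags = {}
    for i in range(n):
        e = ifd_off + 2 + 12 * i  # each IFD entry is 12 bytes: tag, type, count, value/offset
        tag, typ, count = struct.unpack(end + "HHI", data[e:e + 8])
        if tag in (TAG_STRIP_OFFSETS, TAG_STRIP_BYTE_COUNTS):
            tags[tag] = read_tag_values(data, end, typ, count, data[e + 8:e + 12])
    offsets = tags.get(TAG_STRIP_OFFSETS, [])
    counts = tags.get(TAG_STRIP_BYTE_COUNTS, [])
    if len(offsets) != len(counts):
        raise ValueError("StripOffsets and StripByteCounts disagree on strip count")
    # Compare against the remaining size rather than testing off + cnt <= len(data),
    # so a file-controlled bytecount cannot wrap the sum in a fixed-width integer.
    return [(i, off, cnt) for i, (off, cnt) in enumerate(zip(offsets, counts))
            if off > len(data) or cnt > len(data) - off]


def build_tiff(strip_offset, strip_bytecount):
    """Constructed sample: little-endian TIFF, one IFD, 8 strip bytes at offset 38 (46 bytes total)."""
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", TAG_STRIP_OFFSETS, 4, 1, strip_offset)
    ifd += struct.pack("<HHII", TAG_STRIP_BYTE_COUNTS, 4, 1, strip_bytecount)
    ifd += struct.pack("<I", 0)  # no further IFDs
    return b"II" + struct.pack("<HI", 42, 8) + ifd + bytes(range(8))
```

check_strips(build_tiff(38, 8)) returns an empty list, while a bytecount or offset that reaches past the 46-byte file is reported instead of being copied.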

summary: - More crashed in libtiff
+ More crashes in libtiff
Changed in tiff (Ubuntu):
assignee: nobody → Kees Cook (kees)
Robert Swiecki (robert+ubuntu) wrote :
Kees Cook (kees) wrote :

Since these are open upstream, I've marked this bug as public so it can maybe get more developer attention. Thanks again for the report!

Changed in tiff (Ubuntu):
assignee: Kees Cook (kees) → nobody
status: New → Incomplete
status: Incomplete → Confirmed
importance: Undecided → Low
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

I am going to unmark this as a security issue for now since upstream seems to have addressed the crashers that warranted a CVE. If this is in error, please subscribe ubuntu-security and recheck this as security.

security vulnerability: yes → no