Misapplied patches in 4.0.6-2ubuntu0.1 break reading and writing JPEG compressed files

Bug #1670036 reported by John Cupitt on 2017-03-04
266
This bug affects 3 people
Affects Status Importance Assigned to Milestone
LibTIFF
Fix Released
Unknown
tiff (Ubuntu)
Undecided
Marc Deslauriers
Trusty
Undecided
Marc Deslauriers
Xenial
Undecided
Marc Deslauriers
Yakkety
Undecided
Marc Deslauriers

Bug Description

The patches applied to libtiff 4.0.6 in 4.0.6-2ubuntu01 seem to break JPEG tiff read and write.

To reproduce:

$ tiffcp -c jpeg k2a.tif x.tif

(where k2a.tif is a simple uncompressed RGB strip tiff) appears to work. However, x.tif, the output, will now not read without warnings:

$ tiffcp x.tif y.tif
TIFFFetchNormalTag: Warning, ASCII value for tag "JPEGTables" does not end in null byte. Forcing it to be null.
JPEGLib: Warning, Premature end of JPEG file.

This was working fine until a couple of days ago, so I guess it's one of the most recent patches.

Some packages using libtiff seem to be broken too. For example, openslide, which uses libtiff to load jp2k-compressed slide images, is no longer working:

$ openslide-write-png CMU-1-Small-Region.svs 0 0 0 100 100 x.png
TIFFFetchNormalTag: Warning, ASCII value for tag "JPEGTables" does not end in null byte. Forcing it to be null.
TIFFFetchNormalTag: Warning, ASCII value for tag "JPEGTables" does not end in null byte. Forcing it ... repeats 8 more times
openslide-write-png: Premature end of JPEG file

and x.png is not a valid PNG image. The test .svs image may be downloaded here:

http://openslide.cs.cmu.edu/download/openslide-testdata/Aperio/

CVE References

John Cupitt (jcupitt) wrote :

Even Rouault on the libtiff mailing list has looked into this as well -- he says the cause is a misapplied patch.

Unfortunately i can't link to his mail as the libtiff mailing list archive index has stopped being updated, but I copy-paste his mail below:

-----------
Even Rouault <email address hidden>
to tiff, me

On samedi 4 mars 2017 18:51:20 CET <email address hidden> wrote:
> tar xf tiff_4.0.6-2ubuntu0.1.debian.tar.xz
> tar xf tiff_4.0.6.orig.tar.gz
> cd tiff-4.0.6
> for i in ../debian/patches/*.patch; do patch -p1 < $i; done

Actually to reproduce, you need to apply the patches in a precise order with

for i in `cat ../debian/patches/series`; do \
 patch -p1 <../debian/patches/$i; done

I've then compared the patched libtiff/tif_dirread.c with the official one from CVS, and I understand now what happens in Debian/Ubuntu.

It appears that the following snippet

                  if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )

                        {

                            TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);

                            data[dp->tdir_count-1] = '\0';

                        }

that in official libtiff is applied in the TIFF_SETGET_C16_ASCII cases (line 5017 in HEAD) and in the TIFF_SETGET_C32_ASCII cases (line 5194 in CVS HEAD) has been wrongly applied in Debian in the TIFF_SETGET_C16_UINT8 case (line 5008) and TIFF_SETGET_C32_UINT8 case (line 5180)...

This explains the warning about the JPEGTables...

Unfortunately "make check" in the Debian patched libtiff still passes, so they have some excuse. Not so surprised since the test suite is rather small.

Even
--
Spatialys - Geospatial professional services
http://www.spatialys.com

The libtiff mailing list index has now updated, so here's the thread discussing this issue:

http://www.asmail.be/msg0055405792.html

summary: - 4.0.6-2ubuntu01 has problems reading and writing JPEG compressed images
+ Misapplied patches in 4.0.6-2ubuntu01 break reading and writing JPEG
+ compressed files
Changed in libtiff:
status: Unknown → New
John Cupitt (jcupitt) wrote :

Looks like this is broken on 16.04 as well as 16.10, I'm getting reports there too:

https://github.com/jcupitt/libvips/issues/621

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in tiff (Ubuntu):
status: New → Confirmed
Even Rouault (even-rouault) wrote :

I'm attaching a new patch CVE-2016-9297_and_CVE-2016-9448_correct.patch that should be used in replacement of (so, *not* on top of) CVE-2016-9297.patch and CVE-2016-9448.patch

The attachment "Patch that should replace CVE-2016-9297.patch and CVE-2016-9448.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
information type: Public → Public Security
tags: added: regression-update
Steve Langasek (vorlon) on 2017-05-28
summary: - Misapplied patches in 4.0.6-2ubuntu01 break reading and writing JPEG
+ Misapplied patches in 4.0.6-2ubuntu0.1 break reading and writing JPEG
compressed files
Changed in tiff (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue and for the updated patch. I'll prepare a security regression updates and will publish them this week, likely tomorrow.

Thanks!

Changed in tiff (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tiff (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tiff (Ubuntu Trusty):
status: New → Confirmed
Changed in tiff (Ubuntu Xenial):
status: New → Confirmed
Changed in tiff (Ubuntu Yakkety):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in tiff (Ubuntu):
status: Confirmed → Invalid
Amr Ibrahim (amribrahim1987) wrote :

Thanks a lot John for catching this bug and helping make Ubuntu better.

In the future, in order to fix regressions in a timely manner, please see this guide:
https://wiki.ubuntu.com/StableReleaseUpdates#regressions

Please report bugs according to this guide to make it easier for developers to triage them:
https://help.ubuntu.com/community/ReportingBugs#How_to_report_bugs

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 4.0.6-1ubuntu0.2

---------------
tiff (4.0.6-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY REGRESSION: JPEG tiff read and write issue due to misapplied
    patches (LP: #1670036)
    - debian/patches/CVE-2016-9297_and_CVE-2016-9448_correct.patch: replace
      two previous patches with one that applies fix to correct location.
    - Thanks to John Cupitt and Even Rouault

 -- Marc Deslauriers <email address hidden> Mon, 29 May 2017 07:33:56 -0400

Changed in tiff (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 4.0.6-2ubuntu0.2

---------------
tiff (4.0.6-2ubuntu0.2) yakkety-security; urgency=medium

  * SECURITY REGRESSION: JPEG tiff read and write issue due to misapplied
    patches (LP: #1670036)
    - debian/patches/CVE-2016-9297_and_CVE-2016-9448_correct.patch: replace
      two previous patches with one that applies fix to correct location.
    - Thanks to John Cupitt and Even Rouault

 -- Marc Deslauriers <email address hidden> Mon, 29 May 2017 07:29:06 -0400

Changed in tiff (Ubuntu Yakkety):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 4.0.3-7ubuntu0.7

---------------
tiff (4.0.3-7ubuntu0.7) trusty-security; urgency=medium

  * SECURITY REGRESSION: JPEG tiff read and write issue due to misapplied
    patches (LP: #1670036)
    - debian/patches/CVE-2016-9297_and_CVE-2016-9448_correct.patch: replace
      two previous patches with one that applies fix to correct location.
    - Thanks to John Cupitt and Even Rouault

 -- Marc Deslauriers <email address hidden> Mon, 29 May 2017 07:35:17 -0400

Changed in tiff (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in libtiff:
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.