Regression when reading CCITTFAX4 files due to fix for CVE-2011-0192 (tif_fax3.h)

Bug #731540 reported by Even Rouault on 2011-03-08
Affects               | Status       | Importance | Assigned to | Milestone
LibTIFF               | Fix Released | Medium     |             |
tiff (Fedora)         | Fix Released | High       |             |
tiff (Ubuntu)         |              | Medium     | Kees Cook   |
tiff (Ubuntu Dapper)  |              | Medium     | Kees Cook   |
tiff (Ubuntu Hardy)   |              | Medium     | Kees Cook   |
tiff (Ubuntu Karmic)  |              | Medium     | Kees Cook   |
tiff (Ubuntu Lucid)   |              | Medium     | Kees Cook   |
tiff (Ubuntu Maverick)|              | Medium     | Kees Cook   |
tiff (Ubuntu Natty)   |              | Medium     | Kees Cook   |

Bug Description

The "* SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in Fax4Decode
    - debian/patches/CVE-2011-0192.patch: check length in
      libtiff/tif_fax3.h.
    - CVE-2011-0192" update causes a regression when reading CCITTFAX4-compressed
TIFF files that could be read successfully before (before updating to 3.9.2-2ubuntu0.4 it worked; just after, it fails).

Reported upstream as http://bugzilla.maptools.org/show_bug.cgi?id=2297
Also reported to https://bugzilla.redhat.com/show_bug.cgi?id=678635

A heap-based buffer overflow was found in the way the TIFF (Tagged Image File
Format) image file manipulating library expanded certain rows of 2D-encoded
data when processing TIFF Internet Fax image files compressed with the CCITT
group 4 compression algorithm. If an attacker created a specially crafted
image file and tricked a local, unsuspecting user into loading the image
file in an application that uses the TIFF image manipulating library, it
could cause that application to crash or, potentially, execute arbitrary
code with the privileges of the user running the application.

This issue affects the version of the libtiff package, as shipped
with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the versions of the libtiff package, as shipped
with Fedora releases 13 and 14.

Acknowledgements:

Red Hat would like to thank Apple Product Security for reporting this issue.

Created libtiff tracking bugs for this issue

Affects: fedora-all [bug 681672]

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2011:0318 https://rhn.redhat.com/errata/RHSA-2011-0318.html

This fix is believed to cause a regression when reading CCITTFAX4-compressed TIFF files that could be read successfully before. See http://bugzilla.maptools.org/show_bug.cgi?id=2297

Hatem (hatemben) wrote :

Seems that this bug is causing a serious rendering issue for my CCITTFAX4-compressed TIFF images. Confirmed on Maverick 10.10, both 2.6.35-27-server x86_64 and 2.6.35-27-generic i686.

I just noticed it by converting a TIFF to JPEG ($ convert xd.tiff -quality 100 -resize 50% xd.jpg):
....
Fax4Decode' @ warning/tiff.c/TIFFErrors/494.
convert: 24202154888-0-2.tiff: Premature EOL at line 1870 of strip 0 (got 1335, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.
convert: 24202154888-0-2.tiff: Line length mismatch at line 1874 of strip 0 (got 1344, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.
convert: 24202154888-0-2.tiff: Bad code word at line 1883 of strip 0 (x 40). `Fax4Decode' @ warning/tiff.c/TIFFErrors/494.
convert: 24202154888-0-2.tiff: Premature EOL at line 1883 of strip 0 (got 40, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.
convert: 24202154888-0-2.tiff: Line length mismatch at line 1884 of strip 0 (got 2627, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.
convert: 24202154888-0-2.tiff: Line length mismatch at line 1891 of strip 0 (got 1339, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.

Hatem (hatemben) on 2011-03-09
Changed in tiff (Ubuntu):
status: New → Confirmed

Sigh. Even is right: this fix is busted and will reject files that should be accepted, including some produced by libtiff itself. See analysis and corrected patch at the upstream bug linked in comment #23.

Even Rouault (even-rouault) wrote :

Bug has been fixed in upstream libtiff CVS. See http://bugzilla.maptools.org/show_bug.cgi?id=2297#c10

Please provide updated packages with that regression fix. Thanks.

Hatem (hatemben) wrote :

Patch tested; regression issue fixed. Thank you.

Kees Cook (kees) on 2011-03-14
Changed in tiff (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Maverick):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Natty):
status: Confirmed → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Dapper):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Karmic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.9.4-5ubuntu3

---------------
tiff (3.9.4-5ubuntu3) natty; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:41:44 -0700

Changed in tiff (Ubuntu Natty):
status: In Progress → Fix Released
Kees Cook (kees) on 2011-03-15
Changed in tiff (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in tiff (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in tiff (Ubuntu Dapper):
status: In Progress → Fix Committed
Changed in tiff (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in tiff (Ubuntu Karmic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.9.4-2ubuntu0.2

---------------
tiff (3.9.4-2ubuntu0.2) maverick-security; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:40:32 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.9.2-2ubuntu0.5

---------------
tiff (3.9.2-2ubuntu0.5) lucid-security; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:47:02 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-13ubuntu0.5

---------------
tiff (3.8.2-13ubuntu0.5) karmic-security; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:53:22 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-7ubuntu3.8

---------------
tiff (3.8.2-7ubuntu3.8) hardy-security; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 11:16:23 -0700

Changed in tiff (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in tiff (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in tiff (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in tiff (Ubuntu Maverick):
status: Fix Committed → Fix Released
Kees Cook (kees) on 2011-03-15
Changed in tiff (Ubuntu Dapper):
status: Fix Committed → Fix Released
Kees Cook (kees) on 2011-03-15
Changed in tiff (Ubuntu Natty):
milestone: none → ubuntu-11.04-beta-1
Changed in libtiff:
importance: Unknown → Medium
status: Unknown → Confirmed
Paul Crawford (psc-sat) wrote :

This update seems to have fixed it for me (reported originally as Bug #731931). Thanks!

Changed in libtiff:
status: Confirmed → Fix Released

(In reply to comment #23)
> This fix is believed to cause a regression when reading CCITTFAX4-compressed
> TIFF files that could be read successfully before. See
> http://bugzilla.maptools.org/show_bug.cgi?id=2297

This regression was fixed in RHSA-2011:0392:
  https://rhn.redhat.com/errata/RHSA-2011-0392.html

Changed in tiff (Fedora):
importance: Unknown → High
status: Unknown → Fix Released