Regression when reading CCITTFAX4 files due to fix for CVE-2011-0192 (tif_fax3.h)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | LibTIFF |
Fix Released
|
Medium
|
||
| | tiff (Fedora) |
Fix Released
|
High
|
||
| | tiff (Ubuntu) |
Medium
|
Kees Cook | ||
| | Dapper |
Medium
|
Kees Cook | ||
| | Hardy |
Medium
|
Kees Cook | ||
| | Karmic |
Medium
|
Kees Cook | ||
| | Lucid |
Medium
|
Kees Cook | ||
| | Maverick |
Medium
|
Kees Cook | ||
| | Natty |
Medium
|
Kees Cook | ||
Bug Description
The "* SECURITY UPDATE: denial of service and possible code execution via
buffer overflow in Fax4Decode
- debian/
libtiff/
- CVE-2011-0192" causes a regression when reading CCITFAX4 compressed
TIFF file that could be read successfully before. (before updating to 3.9.2-2ubuntu0.4 it worked, just after it fails)
Reported upstream as http://
Also reported to https:/
|
|
#11 |
This issue affects the version of the libtiff package, as shipped
with Red Hat Enterprise Linux 4, 5, and 6.
--
This issue affects the versions of the libtiff package, as shipped
with Fedora release of 13 and 14.
|
|
#12 |
Acknowledgements:
Red Hat would like to thank Apple Product Security for reporting this issue.
|
|
#13 |
Created libtiff tracking bugs for this issue
Affects: fedora-all [bug 681672]
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 4
Via RHSA-2011:0318 https:/
|
|
#15 |
This fix is believed to cause a regression when reading CCITFAX4 compressed TIFF file that could be read successfully before. See http://
| Hatem (hatemben) wrote : | #1 |
Seems that this bug is causing serious rendering issue for my CCITFAX4 compressed TIFF images. Confirmed on maverick 10.10 both 2.6.35-27-server x86_64 and 2.6.35-27-generic i686
I just notice it by converting tiff to jpeg ($ convert xd.tiff -quality 100 -resize 50% xd.jpg)
....
Fax4Decode' @ warning/
convert: 24202154888-
convert: 24202154888-
convert: 24202154888-
convert: 24202154888-
convert: 24202154888-
convert: 24202154888-
| Changed in tiff (Ubuntu): | |
| status: | New → Confirmed |
|
|
#16 |
Sigh. Even is right: this fix is busted and will reject files that should be accepted, including some produced by libtiff itself. See analysis and corrected patch at the upstream bug linked in comment #23.
| Even Rouault (even-rouault) wrote : | #2 |
Bug has been fixed in upstream libtiff CVS. See http://
Please provide updated packages with that regression fix. Thanks
| Hatem (hatemben) wrote : | #3 |
patch tested, regression issue fixed. Thank you
| Changed in tiff (Ubuntu Lucid): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Kees Cook (kees) |
| Changed in tiff (Ubuntu Maverick): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Kees Cook (kees) |
| Changed in tiff (Ubuntu Natty): | |
| status: | Confirmed → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Kees Cook (kees) |
| Changed in tiff (Ubuntu Dapper): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Kees Cook (kees) |
| Changed in tiff (Ubuntu Hardy): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Kees Cook (kees) |
| Changed in tiff (Ubuntu Karmic): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Kees Cook (kees) |
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package tiff - 3.9.4-5ubuntu3
---------------
tiff (3.9.4-5ubuntu3) natty; urgency=low
* debian/
processing of certain CCITTFAX4 files (LP: #731540).
- http://
-- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:41:44 -0700
| Changed in tiff (Ubuntu Natty): | |
| status: | In Progress → Fix Released |
| Changed in tiff (Ubuntu Lucid): | |
| status: | In Progress → Fix Committed |
| Changed in tiff (Ubuntu Maverick): | |
| status: | In Progress → Fix Committed |
| Changed in tiff (Ubuntu Dapper): | |
| status: | In Progress → Fix Committed |
| Changed in tiff (Ubuntu Hardy): | |
| status: | In Progress → Fix Committed |
| Changed in tiff (Ubuntu Karmic): | |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package tiff - 3.9.4-2ubuntu0.2
---------------
tiff (3.9.4-2ubuntu0.2) maverick-security; urgency=low
* debian/
processing of certain CCITTFAX4 files (LP: #731540).
- http://
-- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:40:32 -0700
| Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package tiff - 3.9.2-2ubuntu0.5
---------------
tiff (3.9.2-2ubuntu0.5) lucid-security; urgency=low
* debian/
processing of certain CCITTFAX4 files (LP: #731540).
- http://
-- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:47:02 -0700
| Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package tiff - 3.8.2-13ubuntu0.5
---------------
tiff (3.8.2-13ubuntu0.5) karmic-security; urgency=low
* debian/
processing of certain CCITTFAX4 files (LP: #731540).
- http://
-- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:53:22 -0700
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package tiff - 3.8.2-7ubuntu3.8
---------------
tiff (3.8.2-7ubuntu3.8) hardy-security; urgency=low
* debian/
processing of certain CCITTFAX4 files (LP: #731540).
- http://
-- Kees Cook <email address hidden> Mon, 14 Mar 2011 11:16:23 -0700
| Changed in tiff (Ubuntu Hardy): | |
| status: | Fix Committed → Fix Released |
| Changed in tiff (Ubuntu Karmic): | |
| status: | Fix Committed → Fix Released |
| Changed in tiff (Ubuntu Lucid): | |
| status: | Fix Committed → Fix Released |
| Changed in tiff (Ubuntu Maverick): | |
| status: | Fix Committed → Fix Released |
| Changed in tiff (Ubuntu Dapper): | |
| status: | Fix Committed → Fix Released |
| Changed in tiff (Ubuntu Natty): | |
| milestone: | none → ubuntu-11.04-beta-1 |
| Changed in libtiff: | |
| importance: | Unknown → Medium |
| status: | Unknown → Confirmed |
| Paul Crawford (psc-sat) wrote : | #9 |
This update seems to have fixed it for me (reported originally as Bug #731931). Thanks!
| Changed in libtiff: | |
| status: | Confirmed → Fix Released |
|
|
#17 |
(In reply to comment #23)
> This fix is believed to cause a regression when reading CCITFAX4 compressed
> TIFF file that could be read successfully before. See
> http://
This regression was fixed in RHSA-2011:0392:
https:/
| Changed in tiff (Fedora): | |
| importance: | Unknown → High |
| status: | Unknown → Fix Released |
A heap-based buffer overflow was found in the way TIFF (Tagged Image File
Format) image files manipulating library expanded certain rows of 2D-encoded
data, when processing TIFF Internet Fax image files, compressed with CCITT
group 4 compression algorithm. If an attacker created a specially-crafted
image file and tricked a local, unsuspecting user into loading the image
file in an application that uses the TIFF image manipulating library, it
could cause that application to crash or, potentially, execute arbitrary
code with the privileges of the user running the application.