Regression when reading CCITTFAX4 files due to fix for CVE-2011-0192 (tif_fax3.h)

Bug #731540 reported by Even Rouault on 2011-03-08
Affects          Status         Importance  Assigned to  Milestone
LibTIFF          Fix Released   Medium
tiff (Fedora)    Unknown        Unknown
tiff (Ubuntu)    Fix Released   Medium      Kees Cook
  Dapper         Fix Released   Medium      Kees Cook
  Hardy          Fix Released   Medium      Kees Cook
  Karmic         Fix Released   Medium      Kees Cook
  Lucid          Fix Released   Medium      Kees Cook
  Maverick       Fix Released   Medium      Kees Cook
  Natty          Fix Released   Medium      Kees Cook    ubuntu-11.04-beta-1

Bug Description

The "* SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in Fax4Decode
    - debian/patches/CVE-2011-0192.patch: check length in
      libtiff/tif_fax3.h.
    - CVE-2011-0192" causes a regression when reading CCITTFAX4-compressed
TIFF files that could be read successfully before (before updating to 3.9.2-2ubuntu0.4 it worked; just after, it fails).

Reported upstream as http://bugzilla.maptools.org/show_bug.cgi?id=2297
Also reported to https://bugzilla.redhat.com/show_bug.cgi?id=678635

Hatem (hatemben) wrote :

Seems that this bug is causing serious rendering issues for my CCITTFAX4-compressed TIFF images. Confirmed on Maverick 10.10, both 2.6.35-27-server x86_64 and 2.6.35-27-generic i686.

I just noticed it by converting TIFF to JPEG ($ convert xd.tiff -quality 100 -resize 50% xd.jpg):
....
Fax4Decode' @ warning/tiff.c/TIFFErrors/494.
convert: 24202154888-0-2.tiff: Premature EOL at line 1870 of strip 0 (got 1335, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.
convert: 24202154888-0-2.tiff: Line length mismatch at line 1874 of strip 0 (got 1344, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.
convert: 24202154888-0-2.tiff: Bad code word at line 1883 of strip 0 (x 40). `Fax4Decode' @ warning/tiff.c/TIFFErrors/494.
convert: 24202154888-0-2.tiff: Premature EOL at line 1883 of strip 0 (got 40, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.
convert: 24202154888-0-2.tiff: Line length mismatch at line 1884 of strip 0 (got 2627, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.
convert: 24202154888-0-2.tiff: Line length mismatch at line 1891 of strip 0 (got 1339, expected 1336). `Fax4Decode' @ warning/tiff.c/TIFFWarnings/704.
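
The diagnostics above, "Premature EOL" and "Line length mismatch" on files that decoded before the security update, are what a run-buffer bound looks like from the outside when it is calibrated too tightly. The C model below is an added illustration; it is not libtiff's code, not the CVE-2011-0192 patch and not the regression fix (the real diff is in the upstream bug linked from the description). It assumes a hypothetical decoder in which entropy decoding has already produced an array of run lengths, a line begins with a possibly zero-length white run, and the run buffer is sized from the line width. It places the correct bound next to an over-strict one, shows the regression input that separates them (a line that changes colour at every pixel, the largest buffer occupancy a valid line can have), and a constructed hostile input of zero-length runs that the correct bound still rejects.

```c
#include <stdio.h>

/* Decoder outcomes; the names mirror the kind of diagnostics seen above. */
enum fax_status {
    FAX_OK = 0,
    FAX_PREMATURE_EOL,    /* run lengths ran out before the line was full */
    FAX_LENGTH_MISMATCH,  /* run lengths overshoot the line width */
    FAX_RUNS_OVERFLOW     /* the next run would be written past runs[] */
};

/*
 * Largest number of run entries a legitimate line of `width` pixels can
 * produce in this model: a zero-length leading white run (for a line that
 * starts black) followed by one run per pixel. Hypothetical sizing rule.
 */
static size_t max_runs_for_width(unsigned width)
{
    return (size_t)width + 1;
}

/*
 * Copy run lengths into runs[] until they add up to `width`.
 * `capacity` is the number of slots in runs[]. `strict_check` selects an
 * over-tight boundary test (the hypothetical regressed variant) that also
 * refuses the last legitimate slot.
 */
static enum fax_status decode_line(const unsigned *codes, size_t ncodes,
                                   unsigned width, unsigned *runs,
                                   size_t capacity, int strict_check)
{
    unsigned a0 = 0;  /* current pixel position on the line */
    size_t pa = 0;    /* next free slot in runs[] */
    size_t limit = strict_check ? capacity - 1 : capacity;
    size_t i;

    for (i = 0; i < ncodes && a0 < width; i++) {
        if (pa >= limit)                  /* bound the write, not just the sum */
            return FAX_RUNS_OVERFLOW;
        if (a0 + codes[i] < a0 || a0 + codes[i] > width)
            return FAX_LENGTH_MISMATCH;   /* wrap-around or overshoot */
        runs[pa++] = codes[i];
        a0 += codes[i];
    }
    return a0 == width ? FAX_OK : FAX_PREMATURE_EOL;
}

/* Decode `codes` for a `width`-pixel line into a buffer sized by the model. */
static enum fax_status decode_with(const unsigned *codes, size_t ncodes,
                                   unsigned width, int strict_check)
{
    unsigned runs[128];
    size_t capacity = max_runs_for_width(width);
    if (capacity > sizeof runs / sizeof runs[0])
        return FAX_RUNS_OVERFLOW;  /* model limit: keep widths small */
    return decode_line(codes, ncodes, width, runs, capacity, strict_check);
}

/*
 * Regression input: the worst legitimate line, which starts black and then
 * changes colour at every pixel, so it needs every slot in runs[].
 */
static enum fax_status decode_worst_valid(unsigned width, int strict_check)
{
    unsigned codes[128];
    size_t n = 0;
    unsigned x;
    if ((size_t)width + 1 > sizeof codes / sizeof codes[0])
        return FAX_RUNS_OVERFLOW;
    codes[n++] = 0;                 /* zero-length leading white run */
    for (x = 0; x < width; x++)
        codes[n++] = 1;
    return decode_with(codes, n, width, strict_check);
}

/*
 * Crafted input (constructed here, not taken from any real file): zero-length
 * runs never advance a0, so without a slot check they would keep being
 * written into runs[] for as long as the input lasts.
 */
static enum fax_status decode_hostile(unsigned width)
{
    unsigned codes[128];
    size_t n, count = (size_t)width + 8;  /* more entries than any valid line */
    if (count > sizeof codes / sizeof codes[0])
        return FAX_RUNS_OVERFLOW;
    for (n = 0; n < count; n++)
        codes[n] = 0;
    return decode_with(codes, count, width, 0);
}

/* Constructed short and overlong lines for the other two diagnostics. */
static const unsigned SHORT_LINE[] = { 5, 5 };    /* 10 of 16 pixels, then EOL */
static const unsigned LONG_LINE[]  = { 10, 10 };  /* 20 pixels on a 16-pixel line */

int main(void)
{
    const unsigned width = 16;
    printf("worst valid line, correct bound: status %d\n", decode_worst_valid(width, 0));
    printf("worst valid line, strict bound : status %d\n", decode_worst_valid(width, 1));
    printf("hostile zero-run line          : status %d\n", decode_hostile(width));
    printf("short line                     : status %d\n", decode_with(SHORT_LINE, 2, width, 0));
    printf("overlong line                  : status %d\n", decode_with(LONG_LINE, 2, width, 0));
    return 0;
}
```

Compile with any C99 compiler. The point for anyone shipping a hardening patch to a run-length or transition decoder: keep the `decode_worst_valid` case in the regression suite, because it fills the buffer to exactly its legitimate maximum, which is where an off-by-one in a new bound shows up, while the hostile zero-run case confirms the bound still does its security job.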

Hatem (hatemben) on 2011-03-09
Changed in tiff (Ubuntu):
status: New → Confirmed
Even Rouault (even-rouault) wrote :

Bug has been fixed in upstream libtiff CVS. See http://bugzilla.maptools.org/show_bug.cgi?id=2297#c10

Please provide updated packages with that regression fix. Thanks

Hatem (hatemben) wrote :

Patch tested, regression issue fixed. Thank you.

Kees Cook (kees) on 2011-03-14
Changed in tiff (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Maverick):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Natty):
status: Confirmed → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Dapper):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Karmic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Kees Cook (kees)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.9.4-5ubuntu3

---------------
tiff (3.9.4-5ubuntu3) natty; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:41:44 -0700

Changed in tiff (Ubuntu Natty):
status: In Progress → Fix Released
Kees Cook (kees) on 2011-03-15
Changed in tiff (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in tiff (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in tiff (Ubuntu Dapper):
status: In Progress → Fix Committed
Changed in tiff (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in tiff (Ubuntu Karmic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.9.4-2ubuntu0.2

---------------
tiff (3.9.4-2ubuntu0.2) maverick-security; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:40:32 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.9.2-2ubuntu0.5

---------------
tiff (3.9.2-2ubuntu0.5) lucid-security; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:47:02 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-13ubuntu0.5

---------------
tiff (3.8.2-13ubuntu0.5) karmic-security; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:53:22 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-7ubuntu3.8

---------------
tiff (3.8.2-7ubuntu3.8) hardy-security; urgency=low

  * debian/patches/CVE-2011-0192.patch: update for regression in
    processing of certain CCITTFAX4 files (LP: #731540).
    - http://bugzilla.maptools.org/show_bug.cgi?id=2297
 -- Kees Cook <email address hidden> Mon, 14 Mar 2011 11:16:23 -0700

Changed in tiff (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in tiff (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in tiff (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in tiff (Ubuntu Maverick):
status: Fix Committed → Fix Released
Kees Cook (kees) on 2011-03-15
Changed in tiff (Ubuntu Dapper):
status: Fix Committed → Fix Released
Kees Cook (kees) on 2011-03-15
Changed in tiff (Ubuntu Natty):
milestone: none → ubuntu-11.04-beta-1
Changed in libtiff:
importance: Unknown → Medium
status: Unknown → Confirmed
Paul Crawford (psc-sat) wrote :

This update seems to have fixed it for me (reported originally as Bug #731931). Thanks!

Changed in libtiff:
status: Confirmed → Fix Released