eog crashed with SIGSEGV in TIFFVGetField()

Bug #589145 reported by smpahlman on 2010-06-03
Affects: tiff (Ubuntu)

Bug Description

Binary package hint: libtiff4

Any application using libtiff will segfault because of a null dereference when opening the attached TIFF file. I seem to be missing some debug symbols for libtiff4 (I couldn't find an installation package for them), but here's the not-too-helpful valgrind output I got:

==5908== Process terminating with default action of signal 11 (SIGSEGV)
==5908== Access not within mapped region at address 0x0
==5908== at 0x7CB1ED0: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB2F4E: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB3F38: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB41A5: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7C92E79: TIFFVGetField (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7C9391A: TIFFGetField (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CBFD8B: TIFFScanlineSize (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7C98581: TIFFReadDirectory (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB62CB: TIFFClientOpen (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x647F205: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:485)
==5908== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==5908== by 0x807C6F1: eog_image_load (eog-image.c:1056)

I am initially marking this as a security vulnerability since the file makes Nautilus etc. crash too, which is a bit annoying even though it does not seem to allow code execution. Remove the security vuln tag if this is not considered a security issue.

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Thu Jun 3 15:17:33 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog fubwt-491.tif
 Segfault happened at: 0x5214ed0: mov (%ecx,%eax,4),%ecx
 PC (0x05214ed0) ok
 source "(%ecx,%eax,4)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%ecx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: eog
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 TIFFVGetField () from /usr/lib/libtiff.so.4
Title: eog crashed with SIGSEGV in TIFFVGetField()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
 (polkit-gnome-authentication-agent-1:5468): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:5577): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

smpahlman (sauli-pahlman) wrote :

 OJPEGReadBufferFill (sp=0xa8ae200) at tif_ojpeg.c:1912
 OJPEGReadHeaderInfoSec (tif=<value optimized out>)
 OJPEGSubsamplingCorrect (tif=0xbdbe100) at tif_ojpeg.c:959
 OJPEGVGetField (tif=0x0, tag=0,
 TIFFVGetField (tif=0xbdbe100, tag=530,

Changed in tiff (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Tomas Hoger (thoger) wrote :
Tomas Hoger (thoger) on 2010-06-10
Changed in tiff (Ubuntu):
status: New → Confirmed
Tomas Hoger (thoger) wrote :

Patch attached in comment #5 is now included in libtiff version 3.9.3.

Kees Cook (kees) wrote :

Fixed as part of CVE-2010-2065

Kees Cook (kees) on 2010-06-14
visibility: private → public
Kees Cook (kees) on 2010-06-14
Changed in tiff (Ubuntu Lucid):
status: New → Fix Committed
Changed in tiff (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in tiff (Ubuntu Lucid):
importance: Undecided → Medium
Tomas Hoger (thoger) wrote :

This is not really related to CVE-2010-2065, even though the fixes were committed at the same time.

Kees Cook (kees) wrote :
Changed in tiff (Ubuntu Lucid):
status: Fix Committed → Fix Released