eog crashed with SIGSEGV in TIFFVGetField()

Reported by smpahlman on 2010-06-03
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
tiff (Ubuntu) | | Medium | Unassigned |
Lucid | | Medium | Unassigned |
Maverick | | Medium | Unassigned |

Bug Description

Binary package hint: libtiff4

Any application using libtiff will segfault because of a null dereference when opening the attached TIFF file. I seem to be missing some debug symbols for libtiff4 (I couldn't find an installation package for them), but here's the not-too-helpful valgrind output I got:

==5908== Process terminating with default action of signal 11 (SIGSEGV)
==5908== Access not within mapped region at address 0x0
==5908== at 0x7CB1ED0: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB2F4E: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB3F38: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB41A5: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7C92E79: TIFFVGetField (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7C9391A: TIFFGetField (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CBFD8B: TIFFScanlineSize (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7C98581: TIFFReadDirectory (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB62CB: TIFFClientOpen (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x647F205: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:485)
==5908== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==5908== by 0x807C6F1: eog_image_load (eog-image.c:1056)

I am initially marking this as a security vulnerability since the file makes nautilus etc. crash too, which is a bit annoying even though it does not seem to allow code execution. Remove the security vuln tag if this is not considered a security issue.

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Thu Jun 3 15:17:33 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog fubwt-491.tif
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x5214ed0: mov (%ecx,%eax,4),%ecx
 PC (0x05214ed0) ok
 source "(%ecx,%eax,4)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%ecx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 TIFFVGetField () from /usr/lib/libtiff.so.4
Title: eog crashed with SIGSEGV in TIFFVGetField()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:5468): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:5577): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

smpahlman (sauli-pahlman) wrote :

StacktraceTop:
 OJPEGReadBufferFill (sp=0xa8ae200) at tif_ojpeg.c:1912
 OJPEGReadHeaderInfoSec (tif=<value optimized out>)
 OJPEGSubsamplingCorrect (tif=0xbdbe100) at tif_ojpeg.c:959
 OJPEGVGetField (tif=0x0, tag=0,
 TIFFVGetField (tif=0xbdbe100, tag=530,

Changed in tiff (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
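The retraced frames show the crash inside the old-style JPEG codec (tif_ojpeg.c) while TIFFVGetField is asked for tag 530. As an added triage example (not the reporter's file and not libtiff code), the stand-alone IFD reader below flags files whose Compression tag (259, standard TIFF) selects old-style JPEG (value 6) and records whether tag 530 (YCbCrSubsampling) is present, so such inputs can be quarantined before an unpatched libtiff (older than 3.9.3) parses them; the sample TIFF bytes are constructed.

```python
import struct

TAG_COMPRESSION = 259        # TIFF Compression tag (standard TIFF 6.0 value)
TAG_YCBCR_SUBSAMPLING = 530  # YCbCrSubsampling, the tag=530 in the retraced TIFFVGetField frame
COMPRESSION_OJPEG = 6        # old-style JPEG, the codec implemented in tif_ojpeg.c

def build_sample_tiff(compression):
    """Constructed little-endian TIFF with a single IFD; not the reporter's fubwt-491.tif."""
    entries = [
        (256, 3, 1, struct.pack("<HH", 8, 0)),                      # ImageWidth = 8
        (257, 3, 1, struct.pack("<HH", 8, 0)),                      # ImageLength = 8
        (TAG_COMPRESSION, 3, 1, struct.pack("<HH", compression, 0)),
        (TAG_YCBCR_SUBSAMPLING, 3, 2, struct.pack("<HH", 2, 2)),    # 2x2 subsampling
    ]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHI", tag, typ, count) + value        # 12-byte directory entry
    ifd += struct.pack("<I", 0)                                    # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd                 # header: byte order, 42, IFD offset

def read_first_ifd(data):
    """Parse the header and first IFD; return (endian prefix, {tag: (type, count, value field)})."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF header")
    end = "<" if data[:2] == b"II" else ">"
    magic, off = struct.unpack(end + "HI", data[2:8])
    if magic != 42 or off + 2 > len(data):
        raise ValueError("bad magic or IFD offset outside file")
    (n,) = struct.unpack(end + "H", data[off:off + 2])
    tags = {}
    for i in range(n):
        e = off + 2 + 12 * i
        if e + 12 > len(data):
            raise ValueError("truncated IFD")
        tag, typ, count = struct.unpack(end + "HHI", data[e:e + 8])
        tags[tag] = (typ, count, data[e + 8:e + 12])  # inline value field, left-justified
    return end, tags

def triage(data):
    """Report whether a file would send libtiff down the OJPEG path and whether tag 530 is set."""
    end, tags = read_first_ifd(data)
    compression = 1  # TIFF default when the tag is absent: no compression
    if TAG_COMPRESSION in tags:
        typ, count, raw = tags[TAG_COMPRESSION]
        if typ == 3 and count == 1:  # one SHORT value stored inline
            (compression,) = struct.unpack(end + "H", raw[:2])
    return {"compression": compression, "ojpeg": compression == COMPRESSION_OJPEG,
            "has_ycbcr_subsampling": TAG_YCBCR_SUBSAMPLING in tags}
```

Only the first IFD is inspected; a full gate would walk every IFD and any SubIFDs the same way.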
Tomas Hoger (thoger) wrote :
Tomas Hoger (thoger) on 2010-06-10
Changed in tiff (Ubuntu):
status: New → Confirmed
Tomas Hoger (thoger) wrote :

Patch attached in comment #5 is now included in libtiff version 3.9.3.

Kees Cook (kees) wrote :

Fixed as part of CVE-2010-2065

Kees Cook (kees) on 2010-06-14
visibility: private → public
Kees Cook (kees) on 2010-06-14
Changed in tiff (Ubuntu Lucid):
status: New → Fix Committed
Changed in tiff (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in tiff (Ubuntu Lucid):
importance: Undecided → Medium
Tomas Hoger (thoger) wrote :

This is not really related to CVE-2010-2065, even though fixes were committed at the same time.

Kees Cook (kees) wrote :
Changed in tiff (Ubuntu Lucid):
status: Fix Committed → Fix Released