eog crashed with SIGSEGV in TIFFVGetField()

Bug #589145 reported by smpahlman
Affects          Status        Importance  Assigned to  Milestone
tiff (Ubuntu)    Fix Released  Medium      Unassigned
  Lucid          Fix Released  Medium      Unassigned
  Maverick       Fix Released  Medium      Unassigned

Bug Description

Binary package hint: libtiff4

Any application using libtiff will segfault because of a null dereference when opening the attached TIFF file. I seem to be missing some debug symbols for libtiff4 (I couldn't find an installation package for them), but here's the not-too-helpful valgrind output I got:

==5908== Process terminating with default action of signal 11 (SIGSEGV)
==5908== Access not within mapped region at address 0x0
==5908== at 0x7CB1ED0: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB2F4E: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB3F38: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB41A5: ??? (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7C92E79: TIFFVGetField (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7C9391A: TIFFGetField (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CBFD8B: TIFFScanlineSize (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7C98581: TIFFReadDirectory (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x7CB62CB: TIFFClientOpen (in /usr/lib/libtiff.so.4.3.2)
==5908== by 0x647F205: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:485)
==5908== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==5908== by 0x807C6F1: eog_image_load (eog-image.c:1056)

I am initially marking this as a security vulnerability since the file makes nautilus etc. crash too, which is a bit annoying, even though it does not seem to allow code execution. Remove the security vuln tag if this is not considered a security issue.

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Thu Jun 3 15:17:33 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog fubwt-491.tif
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x5214ed0: mov (%ecx,%eax,4),%ecx
 PC (0x05214ed0) ok
 source "(%ecx,%eax,4)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%ecx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 TIFFVGetField () from /usr/lib/libtiff.so.4
Title: eog crashed with SIGSEGV in TIFFVGetField()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:5468): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:5577): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

Apport retracing service (apport) wrote :

StacktraceTop:
 OJPEGReadBufferFill (sp=0xa8ae200) at tif_ojpeg.c:1912
 OJPEGReadHeaderInfoSec (tif=<value optimized out>)
 OJPEGSubsamplingCorrect (tif=0xbdbe100) at tif_ojpeg.c:959
 OJPEGVGetField (tif=0x0, tag=0,
 TIFFVGetField (tif=0xbdbe100, tag=530,
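
The retraced stack above places the crash in libtiff's old-style JPEG codec (tif_ojpeg.c) while TIFFVGetField is fetching tag 530, which the TIFF specification defines as YCbCrSubsampling; the codec is selected by the Compression tag (259) with value 6, old-style JPEG. The following stdlib-only Python parser is an added example, not part of this report or of libtiff: it walks the first IFD of a classic TIFF with bounds checks on every offset and reports those two tags, so that a file can be flagged as using the affected codec before it is handed to a libtiff build that does not yet carry the fix. The function names are my own, and the sample file it builds is constructed here and is not the attachment from the bug.

```python
import struct

# TIFF tag numbers and values from the TIFF 6.0 specification.
TAG_COMPRESSION = 259
TAG_YCBCR_SUBSAMPLING = 530        # the tag libtiff was fetching in the retrace above
COMPRESSION_OJPEG = 6              # old-style JPEG, handled by libtiff's tif_ojpeg.c

# Field-type sizes and struct codes for the numeric TIFF types this check reads.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
TYPE_FMT = {1: "B", 3: "H", 4: "I", 6: "b", 7: "B", 8: "h", 9: "i", 11: "f", 12: "d"}


def read_first_ifd(data: bytes) -> dict:
    """Parse the first IFD of a classic (non-Big) TIFF.

    Returns {tag: [values]} for numeric tag types. Every offset is bounds-checked
    and malformed input raises ValueError rather than reading past the buffer.
    """
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        bo = "<"
    elif data[:2] == b"MM":
        bo = ">"
    else:
        raise ValueError("missing TIFF byte-order mark")
    magic, ifd_off = struct.unpack(bo + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    if ifd_off + 2 > len(data):
        raise ValueError("first IFD offset out of range")
    (count,) = struct.unpack(bo + "H", data[ifd_off:ifd_off + 2])
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        if e + 12 > len(data):
            raise ValueError("IFD entry %d out of range" % i)
        tag, typ, n, raw = struct.unpack(bo + "HHI4s", data[e:e + 12])
        if typ not in TYPE_FMT:
            continue                      # ASCII/RATIONAL etc. are not needed here
        size = TYPE_SIZES[typ] * n
        if size <= 4:
            payload = raw[:size]          # value stored inline in the entry
        else:
            (off,) = struct.unpack(bo + "I", raw)
            if off + size > len(data):
                raise ValueError("data for tag %d out of range" % tag)
            payload = data[off:off + size]
        tags[tag] = list(struct.unpack(bo + TYPE_FMT[typ] * n, payload))
    return tags


def triage(data: bytes) -> dict:
    """Report the codec-relevant tags of a TIFF so OJPEG files can be routed
    away from a libtiff build that has not been patched for this crash."""
    tags = read_first_ifd(data)
    compression = tags.get(TAG_COMPRESSION, [1])[0]   # spec default: 1 = none
    return {
        "compression": compression,
        "uses_ojpeg": compression == COMPRESSION_OJPEG,
        "ycbcr_subsampling": tags.get(TAG_YCBCR_SUBSAMPLING),
    }


def build_sample_tiff(compression: int, extra=()) -> bytes:
    """Constructed sample: a minimal little-endian TIFF whose first IFD carries
    only inline-valued tags (no pixel data). This is NOT the file attached to
    the bug report; it exists so the parser can be exercised offline."""
    entries = [(256, 3, [8]), (257, 3, [8]), (259, 3, [compression]), (262, 3, [6])]
    entries += list(extra)
    entries.sort(key=lambda e: e[0])      # IFD entries must be in ascending tag order
    ifd = struct.pack("<H", len(entries))
    for tag, typ, vals in entries:
        raw = struct.pack("<" + TYPE_FMT[typ] * len(vals), *vals).ljust(4, b"\0")
        ifd += struct.pack("<HHI", tag, typ, len(vals)) + raw
    ifd += struct.pack("<I", 0)           # no further IFDs
    return b"II" + struct.pack("<HI", 42, 8) + ifd


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, triage(f.read()))
```

Run it as `python3 tiff_triage.py file.tif` (script name assumed) to print the tags; `uses_ojpeg` true means the file will be decoded by the codec named in the retrace. The parser only reads the directory, never the image data, so a pre-screening step built on it does not itself exercise libtiff.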

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in tiff (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Tomas Hoger (thoger)
Changed in tiff (Ubuntu):
status: New → Confirmed
Tomas Hoger (thoger) wrote :

Patch attached in comment #5 is now included in libtiff version 3.9.3.

Kees Cook (kees) wrote :

Fixed as part of CVE-2010-2065

Kees Cook (kees)
visibility: private → public
Kees Cook (kees)
Changed in tiff (Ubuntu Lucid):
status: New → Fix Committed
Changed in tiff (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in tiff (Ubuntu Lucid):
importance: Undecided → Medium
Tomas Hoger (thoger) wrote :

This is not really related to CVE-2010-2065, even though fixes were committed at the same time.

Kees Cook (kees)
Changed in tiff (Ubuntu Lucid):
status: Fix Committed → Fix Released