Bugzilla – Bug 1011107
VUL-0: CVE-2016-9453: tiff: Out-of-bounds Write memcpy and less bound check in tiff2pdf
Last modified: 2019-11-14 15:38:01 UTC
Reference: http://bugzilla.maptools.org/show_bug.cgi?id=2579

fixed:
* tools/tiff2pdf.c: fix read -largely- outside of buffer in t2p_readwrite_pdf_image_tile(), causing crash, when reading a JPEG compressed image with TIFFTAG_JPEGTABLES length being one. Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
bugbot adjusting priority
Reassigning to tiff maintainer.
Upstream Fix: https://github.com/vadz/libtiff/commit/d2955714a4a0b8ca10941550cfbf64c7e111fbf1
openSUSE-SU-2016:3035-1: An update that fixes 14 vulnerabilities is now available.
Category: security (important)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2015-7554,CVE-2015-8665,CVE-2015-8683,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE 13.2 (src): tiff-4.0.7-10.35.1

SUSE-SU-2016:3301-1: An update that fixes 11 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): tiff-4.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): tiff-4.0.7-35.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP2 (src): tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP1 (src): tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP2 (src): tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP1 (src): tiff-4.0.7-35.1

openSUSE-SU-2017:0074-1: An update that fixes 11 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE Leap 42.2 (src): tiff-4.0.7-12.1
openSUSE Leap 42.1 (src): tiff-4.0.7-12.1
Is this one already fixed?
Still missing for SLE10/11. Upstream fix: https://gitlab.com/libtiff/libtiff/commit/7399a6f13bd6f4d0dfb7b9d0a25fafa86caa9b50
(POC can be found in upstream bug referenced in comment 0)

BEFORE

12/tiff
$ valgrind -q tiff2pdf 1.tiff 1.pdf
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
$

11/tiff
$ valgrind -q tiff2pdf 1.tiff 1.pdf
TIFFReadDirectory: Warning, 1.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, 1.tiff: unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, 1.tiff: unknown field with tag 3 (0x3) encountered.
1.tiff: Warning, incorrect count for field "BitsPerSample" (805306371, expecting 1); tag trimmed.
1.tiff: Error fetching data for field "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
$
[no issues observed via valgrind, also tried -j]

PATCH

see comment 8
12/tiff: have the check fixed, they even have if (count > 4) there
10sp3,11/tiff: fix is missing, will use if (count > 4)

AFTER

11/tiff
$ valgrind -q tiff2pdf 1.tiff 1.pdf
TIFFReadDirectory: Warning, 1.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, 1.tiff: unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, 1.tiff: unknown field with tag 3 (0x3) encountered.
1.tiff: Warning, incorrect count for field "BitsPerSample" (805306371, expecting 1); tag trimmed.
1.tiff: Error fetching data for field "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
$
[no change]
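The length check named in the comment above, as an added C example (not code from libtiff or from this report): a hypothetical helper, copy_jpeg_tables(), applies the count > 4 guard before copying a JPEGTables blob, next to the length an unchecked caller would compute. It assumes the copy length is count - 2 and uses a constructed sample blob.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not libtiff code.
 * Assumption: the caller copies the tables blob minus its last two
 * bytes, so the copy length is count - 2. */

/* Length an unchecked caller would compute: 32-bit unsigned arithmetic
 * wraps, so count == 1 yields 0xFFFFFFFF instead of a negative number. */
static size_t unchecked_copy_len(uint32_t count)
{
    return (size_t)(uint32_t)(count - 2u);
}

/* Checked copy: returns the number of bytes written, 0 if rejected. */
static size_t copy_jpeg_tables(uint8_t *dst, size_t dst_cap,
                               const uint8_t *jpt, uint32_t count)
{
    if (dst == NULL || jpt == NULL)
        return 0;
    if (count <= 4)              /* same condition as "if (count > 4)" */
        return 0;
    size_t n = (size_t)count - 2;
    if (n > dst_cap)             /* never write past the output buffer */
        return 0;
    memcpy(dst, jpt, n);
    return n;
}

int main(void)
{
    /* Constructed sample blob (9 bytes), not taken from the PoC file. */
    const uint8_t tables[] = {0xFF, 0xD8, 0xFF, 0xDB, 0x00, 0x03, 0x00, 0xFF, 0xD9};
    uint8_t out[16];

    printf("unchecked length for count=1: %zu\n", unchecked_copy_len(1));
    printf("checked copy, count=1: %zu\n", copy_jpeg_tables(out, sizeof out, tables, 1));
    printf("checked copy, count=9: %zu\n", copy_jpeg_tables(out, sizeof out, tables, 9));
    printf("checked copy, small buffer: %zu\n", copy_jpeg_tables(out, 4, tables, 9));
    return 0;
}
```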
Will be submitted for 11/tiff and 10sp3/tiff.
At the end, I will try to fix it by updating tiff2pdf.c to the 4.0.9 version.
I believe all fixed in sr#163144, sr#163145 and sr#163146. I think this bug can be reassigned to security-team@ after review and creating maintenance request.
SR#164509 SLE-10-SP3
SR#164510 SLE-11
released
SUSE-SU-2018:1179-1: An update that solves 11 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1007280,1011107,1011845,1017688,1017690,1017691,1017692,1031255,1046077,1048937,1074318,960341,983436
CVE References: CVE-2015-7554,CVE-2016-10095,CVE-2016-10268,CVE-2016-3945,CVE-2016-5318,CVE-2016-5652,CVE-2016-9453,CVE-2016-9536,CVE-2017-11335,CVE-2017-17973,CVE-2017-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.3.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.3.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2018-05-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64038