Here's a summary of all the separate bugs which for some reason got grouped together into only 4 CVE IDs. I'm also attaching all the samples that were provided to reproduce these (which are tiny).
N.B. that although all these bugs were reported against specific tools, most bugs are in libtiff itself. This means tiff3 in wheezy is still affected! I tested all these in squeeze-lts while preparing an update there and included the results below. The giant "Fix various crasher bugs on fuzzed images" change addresses parts of CVE-2014-{8127,8128,8129} and CVE-2014-9330, but only the part addressing the last issue has been applied in sid. I expect the wheezy and jessie updates were similar but didn't check.

Ben.

CVE-2014-8127

- thumbnail: http://bugzilla.maptools.org/show_bug.cgi?id=2484
  - repro: thumbnail 01_thumbnail.tiff out.tiff
  - squeeze: no segv, errors detected by valgrind
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling
          TIFFTAG_INKNAMES copying. The right fix would be to properly copy it,
          but not worth the burden for those esoteric utilities.
          http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
  - patch: CVE-2014-8127.patch
  - fix result:
    - squeeze: still has an invalid read but appears to be harmless

- tiff2bw: http://bugzilla.maptools.org/show_bug.cgi?id=2485
  - repro: tiff2bw 04_tiff2bw.tiff out.tiff
  - squeeze: no segv, no error detected by valgrind
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        * tools/tiff2bw.c: when Photometric=RGB, the utility only works if
          SamplesPerPixel = 3. Enforce that
          http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
  - patch: tools-tiff2bw.c-when-photometric-rgb-the-utility-onl.patch
  - fix result:
    - squeeze: no regression

- tiff2rgba: http://bugzilla.maptools.org/show_bug.cgi?id=2486
  - repro: tiff2rgba 09_tiff2rgba.tiff out.tiff
  - squeeze: no segv, errors detected by valgrind
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        Fix various crasher bugs on fuzzed images.
        * libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
          TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when
          writing the directory
        * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
          TransferFunction if BitsPerSample has not yet been read, otherwise
          reading it later will cause user code to crash if BitsPerSample > 1
        * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
          SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or
          BitsPerSample != 8
        * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
          instead of imagewidth to avoid crash
        * tools/bmp2tiff.c: fix crash due to int overflow related to input BMP
          dimensions
        * tools/tiff2pdf.c: fix crash due to invalid tile count (should likely
          be checked by libtiff too). Detect invalid settings of
          BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
        * tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
        * tools/tiffdump.c: fix crash due to overflow of entry count.
  - patch: fix-various-crasher-bugs-on-fuzzed-images.patch
  - fix result:
    - squeeze: fixed

- tiff2ps & tiffdither: http://bugzilla.maptools.org/show_bug.cgi?id=2496
  - repro: tiff2ps -O out.ps 08_tiff2ps.tiff
  - squeeze: no segv, no error detected by valgrind
  - repro: tiffdither 12_tiffdither.tiff out.tiff
  - squeeze: no segv, no error detected by valgrind
  - fix:
    2014-12-23  Even Rouault <even.roua...@spatialys.com>

        * libtiff/tif_read.c: fix several invalid comparisons of a uint64 value
          with <= 0 by casting it to int64 first. This solves crashing bug on
          corrupted images generated by afl.
  - patch: libtiff-tif_read.c-fix-several-invalid-comparisons-o.patch
  - squeeze: This is not applicable without other changes to use 64-bit bytecount

- tiffmedian: http://bugzilla.maptools.org/show_bug.cgi?id=2497
  - repro: tiffmedian 16_tiffmedian.tiff out.tiff
  - squeeze: no segv, no error detected by valgrind
  - fix:
    2014-12-23  Even Rouault <even.roua...@spatialys.com>

        * libtiff/tif_read.c: fix several invalid comparisons of a uint64 value
          with <= 0 by casting it to int64 first. This solves crashing bug on
          corrupted images generated by afl.
  - patch: libtiff-tif_read.c-fix-several-invalid-comparisons-o.patch
  - squeeze: This is not applicable without other changes to use 64-bit bytecount

- tiffset: http://bugzilla.maptools.org/show_bug.cgi?id=2500
  - repro: cp 19_tiffset.tiff out.tiff && tiffset out.tiff
  - squeeze: segv

CVE-2014-8128

- [0] thumbnail: http://bugzilla.maptools.org/show_bug.cgi?id=2489
  - repro: thumbnail 03_thumbnail.tiff out.tiff
  - squeeze: no segv, no error detected by valgrind
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        * tools/thumbnail.c: fix out-of-buffer write
          http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
  - patch: CVE-2014-8128-1.patch
  - fix result:
    - squeeze: no regression

- [1] tiffdither: http://bugzilla.maptools.org/show_bug.cgi?id=2490
  - repro: tiffdither 11_tiffdither.tiff out.tiff
  - squeeze: no segv, no error detected by valgrind
  - fix: unknown, "Doesn't crash for me with libtiff CVS head."

- [2] tiffdither: http://bugzilla.maptools.org/show_bug.cgi?id=2491
  - repro: tiffdither 13_tiffdither.tiff out.tiff
  - squeeze: no segv, no error detected by valgrind
  - fix: unknown, "Doesn't crash for me with libtiff CVS head."

- [3] tiffdither: http://bugzilla.maptools.org/show_bug.cgi?id=2492
  - repro: tiffdither 14_tiffdither.tiff out.tiff
  - squeeze: no segv, no error detected by valgrind
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
          http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
  - patch: CVE-2014-8129.patch
  - fix result:
    - squeeze: no regression

- [4] thumbnail & tiffcmp: http://bugzilla.maptools.org/show_bug.cgi?id=2493
  - repro: thumbnail 02_thumbnail.tiff out.tiff
  - squeeze: segv
  - repro: tiffcmp 10_tiffcmp.tiff 00_basefile.tiff
  - squeeze: segv
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        * tools/thumbnail.c, tools/tiffcmp.c: only read/write
          TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is
          COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4
          http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
  - patch: CVE-2014-8128-2.patch
  - fix result:
    - squeeze: segvs fixed, but first sample still has an invalid read

- [5] tiff2pdf: http://bugzilla.maptools.org/show_bug.cgi?id=2495
  - repro: tiff2pdf 06_tiff2pdf.tiff
  - squeeze: segv
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        Fix various crasher bugs on fuzzed images.
        * libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
          TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when
          writing the directory
        * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
          TransferFunction if BitsPerSample has not yet been read, otherwise
          reading it later will cause user code to crash if BitsPerSample > 1
        * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
          SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or
          BitsPerSample != 8
        * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
          instead of imagewidth to avoid crash
        * tools/bmp2tiff.c: fix crash due to int overflow related to input BMP
          dimensions
        * tools/tiff2pdf.c: fix crash due to invalid tile count (should likely
          be checked by libtiff too). Detect invalid settings of
          BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
        * tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
        * tools/tiffdump.c: fix crash due to overflow of entry count.
  - patch: fix-various-crasher-bugs-on-fuzzed-images.patch
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        * tools/tiff2pdf.c: check return code of TIFFGetField() when reading
          TIFFTAG_SAMPLESPERPIXEL
  - patch: CVE-2014-8128-3.patch
  - fix result:
    - squeeze: fixed

- [6] thumbnail & tiffcmp: http://bugzilla.maptools.org/show_bug.cgi?id=2499
  - repro: thumbnail 17_thumbnail.tiff out.tiff
  - squeeze: no segv, error detected by valgrind
  - repro: tiffcmp 00_basefile.tiff 18_tiffcmp.tiff
  - squeeze: segv
  - fix:
    http://bugzilla.maptools.org/attachment.cgi?id=622
    http://bugzilla.maptools.org/attachment.cgi?id=623
  - patch: CVE-2014-8128-5-fixed.patch
  - regression: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1439186
  - fix result:
    - squeeze: segv fixed; first sample still has an invalid read and use of
      uninitialized value but appears to be harmless

- [7] tiffdither: http://bugzilla.maptools.org/show_bug.cgi?id=2501
  - repro: tiffdither 20_tiffdither.tiff out.tiff
  - squeeze: no segv, no error detected by valgrind
  - repro: tiffdither 21_tiffdither.tiff out.tiff
  - squeeze: no segv, no error detected by valgrind
  - fix:
    2015-03-02  Even Rouault <even.roua...@spatialys.com>

        * tools/tiffdither.c: check memory allocations to avoid writing to
          NULL pointer. Also check multiplication overflow. Fixes #2501,
          CVE-2014-8128. Derived from patch by Petr Gajdos.

    /cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
    new revision: 1.992; previous revision: 1.991
    /cvs/maptools/cvsroot/libtiff/tools/tiffdither.c,v  <--  tools/tiffdither.c
    new revision: 1.15; previous revision: 1.14
  - patch: CVE-2014-8128-4.patch
  - fix result:
    - squeeze: no regression

CVE-2014-8129

- http://bugzilla.maptools.org/show_bug.cgi?id=2487 (tiff2pdf)
  - repro: tiff2pdf -o out.pdf 05_tiff2pdf.tiff
  - squeeze: segv
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
          http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
  - patch: CVE-2014-8129.patch
  - fix result:
    - squeeze: fixed

- http://bugzilla.maptools.org/show_bug.cgi?id=2488 (tiff2pdf)
  - repro: tiff2pdf -o out.pdf 07_tiff2pdf.tiff
  - squeeze: segv
  - fix:
    2014-12-21  Even Rouault <even.roua...@spatialys.com>

        Fix various crasher bugs on fuzzed images.
        * libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
          TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when
          writing the directory
        * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
          TransferFunction if BitsPerSample has not yet been read, otherwise
          reading it later will cause user code to crash if BitsPerSample > 1
        * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
          SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or
          BitsPerSample != 8
        * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
          instead of imagewidth to avoid crash
        * tools/bmp2tiff.c: fix crash due to int overflow related to input BMP
          dimensions
        * tools/tiff2pdf.c: fix crash due to invalid tile count (should likely
          be checked by libtiff too). Detect invalid settings of
          BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
        * tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
        * tools/tiffdump.c: fix crash due to overflow of entry count.
  - patch: fix-various-crasher-bugs-on-fuzzed-images.patch
  - fix result:
    - squeeze: fixed

CVE-2014-8130

- http://bugzilla.maptools.org/show_bug.cgi?id=2483
  - repro: tiffdither 15_tiffdither.tiff out.tiff
  - squeeze: no segv, no error reported by valgrind
  - fix: unknown, "I cannot reproduced with latest libtiff CVS head."

-- 
Ben Hutchings
Q. Which is the greater problem in the world today, ignorance or apathy?
A. I don't know and I couldn't care less.
Attachment: samples.tar.gz (application/compressed-tar)
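Two of the ChangeLog entries quoted in the mail above name generic validation patterns rather than TIFF-specific logic: the tif_read.c fix ("invalid comparisons of a uint64 value with <= 0 by casting it to int64 first") and the tiffdither.c fix ("check memory allocations to avoid writing to NULL pointer. Also check multiplication overflow"). The following is an added example that is not from Ben's mail, from libtiff, or from the patches discussed; it reduces both patterns to stand-alone C so the defect and the check can be exercised without libtiff. Function names, the buffer-size arithmetic and the sample values are this example's own, not libtiff's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not libtiff code. Illustrates two check patterns named in
 * the libtiff ChangeLog entries quoted above; all identifiers here are
 * the example's own.
 */

/* Pattern 1, the buggy form: on an unsigned operand "x <= 0" reduces to
 * "x == 0", so a corrupted strip/tile bytecount such as 0xFFFFFFFFFFFFFFFF
 * is accepted and later used as an allocation or read length. */
int bytecount_bad_buggy(uint64_t bytecount)
{
    return bytecount <= 0;
}

/* Pattern 1, the fixed form: viewed as int64, any value with the top bit
 * set is negative and is rejected together with zero. Values up to
 * INT64_MAX still pass, so a caller must additionally bound the count
 * against the file size before trusting it. */
int bytecount_bad_fixed(uint64_t bytecount)
{
    return (int64_t)bytecount <= 0;
}

/* Pattern 2: size a width * height * bytes_per_pixel buffer without
 * wrapping, and refuse a NULL from malloc instead of writing through it.
 * Returns NULL on any failure; *out_size receives the byte count on
 * success. Each multiplication is checked against SIZE_MAX before it is
 * performed, so the check is correct on 32- and 64-bit size_t alike. */
unsigned char *alloc_image_buffer(uint32_t width, uint32_t height,
                                  uint32_t bytes_per_pixel, size_t *out_size)
{
    size_t row, total;
    unsigned char *buf;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return NULL;
    if ((size_t)bytes_per_pixel > SIZE_MAX / (size_t)width)
        return NULL;                     /* width * bpp would wrap */
    row = (size_t)width * (size_t)bytes_per_pixel;
    if ((size_t)height > SIZE_MAX / row)
        return NULL;                     /* row * height would wrap */
    total = row * (size_t)height;

    buf = malloc(total);
    if (buf == NULL)                     /* never write through NULL */
        return NULL;
    *out_size = total;
    return buf;
}

int main(void)
{
    size_t size = 0;
    unsigned char *buf;

    printf("UINT64_MAX rejected? buggy=%d fixed=%d\n",
           bytecount_bad_buggy(UINT64_MAX), bytecount_bad_fixed(UINT64_MAX));

    buf = alloc_image_buffer(4, 4, 3, &size);
    printf("4x4x3 -> %s, %zu bytes\n", buf ? "ok" : "NULL", size);
    free(buf);

    buf = alloc_image_buffer(UINT32_MAX, UINT32_MAX, 4, &size);
    printf("UINT32_MAX x UINT32_MAX x 4 -> %s\n", buf ? "ok" : "NULL");
    free(buf);
    return 0;
}
```

The int64 cast is a cheap screen, not a complete bound: it only turns the top half of the uint64 range into a rejection. The squeeze note in the mail that the tif_read.c patch "is not applicable without other changes to use 64-bit bytecount" reflects the same point from the other side; where bytecounts are still 32-bit the comparison has to be rewritten for that width rather than copied.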