Source: tiff
Version: 4.0.9+git181026-1
Severity: important
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2820
Hi,

The following vulnerability was published for tiff.

CVE-2018-19210[0]:
| In LibTIFF 4.0.9, there is a NULL pointer dereference in the
| TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a
| denial of service attack, as demonstrated by tiffset.

The issue can be verified with the poc0 (included upstream in the rar
archive attached).

==23934== Memcheck, a memory error detector
==23934== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23934== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23934== Command: tiffset ~/poc0
==23934==
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 390 (0x186) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
==23934== Invalid read of size 8
==23934==    at 0x483BA14: __memcmp_sse4_1 (vg_replace_strmem.c:1099)
==23934==    by 0x4877929: TIFFWriteDirectoryTagTransferfunction (tif_dirwrite.c:1896)
==23934==    by 0x4877929: TIFFWriteDirectorySec.part.12 (tif_dirwrite.c:628)
==23934==    by 0x4878EEF: TIFFRewriteDirectory (tif_dirwrite.c:358)
==23934==    by 0x109519: main (tiffset.c:361)
==23934==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23934==
==23934==
==23934== Process terminating with default action of signal 11 (SIGSEGV)
==23934==  Access not within mapped region at address 0x0
==23934==    at 0x483BA14: __memcmp_sse4_1 (vg_replace_strmem.c:1099)
==23934==    by 0x4877929: TIFFWriteDirectoryTagTransferfunction (tif_dirwrite.c:1896)
==23934==    by 0x4877929: TIFFWriteDirectorySec.part.12 (tif_dirwrite.c:628)
==23934==    by 0x4878EEF: TIFFRewriteDirectory (tif_dirwrite.c:358)
==23934==    by 0x109519: main (tiffset.c:361)
==23934==  If you believe this happened as a result of a stack
==23934==  overflow in your program's main thread (unlikely but
==23934==  possible), you can try to increase the size of the
==23934==  main thread stack using the --main-stacksize= flag.
==23934==  The main thread stack size used in this run was 8388608.
==23934==
==23934== HEAP SUMMARY:
==23934==     in use at exit: 9,087 bytes in 20 blocks
==23934==   total heap usage: 47 allocs, 27 frees, 21,497 bytes allocated
==23934==
==23934== LEAK SUMMARY:
==23934==    definitely lost: 504 bytes in 1 blocks
==23934==    indirectly lost: 0 bytes in 0 blocks
==23934==      possibly lost: 0 bytes in 0 blocks
==23934==    still reachable: 8,583 bytes in 19 blocks
==23934==         suppressed: 0 bytes in 0 blocks
==23934== Rerun with --leak-check=full to see details of leaked memory
==23934==
==23934== For counts of detected and suppressed errors, rerun with: -v
==23934== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19210
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19210
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2820

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
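Added illustration of the crash pattern in the trace above and of the shape of a guard against it. This is not LibTIFF's code and not the upstream patch: the struct, the function names ending in _demo/_safe/_unsafe and the sample tables are invented here to mirror the situation where a per-channel TransferFunction pointer is still NULL when the directory writer memcmp()s the channels against each other (the Valgrind output shows that memcmp faulting at address 0x0 from TIFFWriteDirectoryTagTransferfunction while tiffset rewrites the directory of a file whose SamplesPerPixel was inferred rather than present).

```c
/* Added example, not LibTIFF code. Models why comparing per-channel
 * TransferFunction tables with memcmp() faults when a channel pointer is
 * NULL, and the NULL checks that avoid it. All names are invented here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the directory fields involved (assumption: shaped like a
 * BitsPerSample value plus one table pointer per channel). */
struct tiffdir_demo {
    uint16_t bitspersample;
    const uint16_t *transferfunction[3];   /* per-channel tables, may be NULL */
};

enum { TF_SKIP = 0, TF_ONE = 1, TF_THREE = 3 };

/* One 16-bit entry per possible sample value: 2^BitsPerSample entries. */
static size_t tf_bytes(const struct tiffdir_demo *d)
{
    return ((size_t)1 << d->bitspersample) * sizeof(uint16_t);
}

/* Vulnerable shape: pick "one shared table" or "three tables" by comparing
 * channels 1 and 2 against channel 0. Nothing guarantees those pointers
 * were ever set; a file without a full TransferFunction tag leaves them
 * NULL and memcmp() reads address 0, as in the Valgrind trace. */
int tf_tag_count_unsafe(const struct tiffdir_demo *d)
{
    size_t n = tf_bytes(d);
    if (memcmp(d->transferfunction[0], d->transferfunction[1], n) == 0 &&
        memcmp(d->transferfunction[0], d->transferfunction[2], n) == 0)
        return TF_ONE;
    return TF_THREE;
}

/* Hardened shape: no channel 0 means there is no tag to write, a missing
 * channel 1 or 2 means only one table exists, and memcmp() runs only when
 * all three tables are present. */
int tf_tag_count_safe(const struct tiffdir_demo *d)
{
    size_t n;
    if (d->transferfunction[0] == NULL)
        return TF_SKIP;
    if (d->transferfunction[1] == NULL || d->transferfunction[2] == NULL)
        return TF_ONE;
    n = tf_bytes(d);
    if (memcmp(d->transferfunction[0], d->transferfunction[1], n) == 0 &&
        memcmp(d->transferfunction[0], d->transferfunction[2], n) == 0)
        return TF_ONE;
    return TF_THREE;
}

/* Constructed sample tables for BitsPerSample = 2 (4 entries each). */
static const uint16_t tbl_ramp[4]   = {0, 21845, 43690, 65535};
static const uint16_t tbl_ramp2[4]  = {0, 21845, 43690, 65535};
static const uint16_t tbl_invert[4] = {65535, 43690, 21845, 0};

static struct tiffdir_demo make_dir(const uint16_t *c0, const uint16_t *c1,
                                    const uint16_t *c2)
{
    struct tiffdir_demo d;
    d.bitspersample = 2;
    d.transferfunction[0] = c0;
    d.transferfunction[1] = c1;
    d.transferfunction[2] = c2;
    return d;
}

/* Scenarios; only the safe variant is ever given NULL channels, because
 * the unsafe one would segfault exactly like tiffset on poc0. */
int scenario_no_tag(void)
{
    struct tiffdir_demo d = make_dir(NULL, NULL, NULL);
    return tf_tag_count_safe(&d);
}
int scenario_partial_tag(void)
{
    struct tiffdir_demo d = make_dir(tbl_ramp, NULL, NULL);
    return tf_tag_count_safe(&d);
}
int scenario_same_channels(void)
{
    struct tiffdir_demo d = make_dir(tbl_ramp, tbl_ramp2, tbl_ramp);
    return tf_tag_count_safe(&d);
}
int scenario_distinct_channels(void)
{
    struct tiffdir_demo d = make_dir(tbl_ramp, tbl_ramp2, tbl_invert);
    return tf_tag_count_safe(&d);
}
/* With all three tables present both variants agree. */
int scenario_unsafe_agrees(void)
{
    struct tiffdir_demo d = make_dir(tbl_ramp, tbl_ramp2, tbl_ramp);
    return tf_tag_count_unsafe(&d);
}

int main(void)
{
    printf("no tag: %d, partial: %d, same: %d, distinct: %d, unsafe(same): %d\n",
           scenario_no_tag(), scenario_partial_tag(), scenario_same_channels(),
           scenario_distinct_channels(), scenario_unsafe_agrees());
    return 0;
}
```

The practical check when reviewing a fix for this class of bug is the partial-tag case: a reader that infers SamplesPerPixel (as the warnings above show) can leave the directory with fewer tables than channels, so the writer must treat each table pointer as optional rather than trusting the channel count.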