Bug 142383 - media-libs/tiff Multiple issues (CVE-2006-34{59-65})
Summary: media-libs/tiff Multiple issues (CVE-2006-34{59-65})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-01 00:56 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-03-06 09:39 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
tiff-3.8.2-goo-sec.diff (tiff-3.8.2-goo-sec.diff,22.70 KB, patch)
2006-08-01 00:56 UTC, Sune Kloppenborg Jeppesen (RETIRED)
updated ebuild incorporating google-dude's patch (tiff-3.8.2-r2.ebuild,1.67 KB, text/plain)
2006-08-02 23:34 UTC, Steve Arnold
exploit for CVE-2006-3459. (tiffexploit.c,3.91 KB, text/plain)
2006-08-06 21:14 UTC, Tavis Ormandy (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-01 00:56:03 UTC
Hi there, Google have sponsored me to perform a security audit of
libtiff-3.8.2, in which a number of critical security flaws have been
uncovered. These flaws could be leveraged by an attacker to compromise
or disrupt any services that support the processing of tiff images.

Several buffer overflows have been discovered, including a stack
buffer overflow via TIFFFetchShortPair() in tif_dirread.c, which is
used to read two unsigned shorts from the input file. While a bounds
check is performed via CheckDirCount(), no action is taken on the
result, allowing a pathological tdir_count to read an arbitrary number
of unsigned shorts onto a stack buffer. Exploitation of this error is
trivial: a tiff file with a pathological 'DotRange' (0x0150),
'YCbCrSubsampling' (0x0212), 'HalftoneHints' (0x0141) or 'PageNumber'
(0x0129) tag can be used to execute arbitrary code with the privileges
of the application using libtiff.

A heap overflow vulnerability was discovered in the jpeg decoder,
where TIFFScanLineSize() is documented to return the size in bytes
that a subsequent call to TIFFReadScanline() would write, however the
encoded jpeg stream may disagree with these results and overrun the
buffer with more data than expected (tiff_jpeg.c ~725). A sanity check
is performed and prints a warning, however execution is permitted to
continue (presumably to permit truncated datastreams).

Another heap overflow exists in the PixarLog decoder where a run
length encoded data stream may specify a stride that is not an exact
multiple of the number of samples. The result is that on the final
decode operation the destination buffer is overrun, potentially
allowing an attacker to execute arbitrary code.

The NeXT RLE decoder was also vulnerable to a heap overflow
vulnerability, where no bounds checking was performed on the result of
certain RLE decoding operations. This was solved by ensuring the
number of pixels written did not exceed the size of the scanline
buffer already prepared.

An infinite loop was discovered in EstimateStripByteCounts(), where a
16bit unsigned short was used to iterate over a 32bit unsigned value,
should the unsigned int (td_nstrips) have exceeded USHORT_MAX, the
loop would never terminate and continue forever. This could have been
leveraged as a particularly effective DoS attack. The flaw was
corrected by widening the loop iterator to 32 bits.

Multiple unchecked arithmetic operations were uncovered, including a
number of the range checking operations designed to ensure the offsets
specified in tiff directories are legitimate. These can be caused to
wrap for extreme values, bypassing sanity checks. Additionally, a
number of codepaths were uncovered where assertions did not hold true,
resulting in the client application calling abort().

A flaw was also uncovered in libtiff's custom tag support, as
documented here http://www.libtiff.org/v3.6.0.html. While well formed
tiff files must have correctly ordered directories, libtiff attempts
to support broken images that do not. However in certain
circumstances, creating anonymous fields prior to merging field
information from codec information can result in recognised fields
with unexpected values. This state results in abnormal behaviour,
crashes, or potentially arbitrary code execution. It is likely the
tiff maintainers may implement a different fix to my solution, I have
decided to disregard all unknown directories encountered prior to
finding a 'Compression' tag.

These issues will be reported to the upstream authors once an embargo
date has been finalised.

Please credit "Tavis Ormandy, Google Security Team" in any advisories
relating to these issues.

Thanks, Tavis.
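The following is an added illustration, not libtiff code and not part of the report above: a toy model of the TIFFFetchShortPair() pattern the description names, written so that the count check is acted on (a mismatch rejects the entry instead of copying tdir_count shorts into a two-element buffer), together with an overflow-safe range check of the kind the "unchecked arithmetic" paragraph says was missing. The struct layout, the little-endian ("II") decoding and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIFF_SHORT 3  /* TIFF data type code for a 16-bit unsigned value */

/* Hypothetical model of a 12-byte TIFF directory entry: the 4-byte value field
   holds the data inline when it fits, otherwise a file offset to the data. */
typedef struct {
    uint16_t tdir_tag;
    uint16_t tdir_type;
    uint32_t tdir_count;
    uint8_t  tdir_value[4];
} dir_entry_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Overflow-safe range check: does [off, off+len) lie inside a file_len-byte file?
   The naive form `off + len <= file_len` wraps for extreme values and passes;
   comparing against the subtraction cannot wrap. Returns 1 if in range. */
int range_ok(uint32_t off, uint32_t len, uint32_t file_len) {
    return off <= file_len && len <= file_len - off;
}

/* Fetch exactly `expected` SHORT values for a directory entry into `out`,
   which the caller sizes for `expected` elements. Returns 1 on success,
   0 if the entry is malformed. The count mismatch is the case the original
   pattern checked but did not act on; here nothing is written on mismatch. */
int fetch_shorts_checked(const dir_entry_t *d, const uint8_t *file, uint32_t file_len,
                         uint16_t *out, uint32_t expected) {
    if (d->tdir_type != TIFF_SHORT) return 0;
    if (d->tdir_count != expected) return 0;      /* reject, do not copy tdir_count shorts */
    uint32_t nbytes = expected * 2;               /* `expected` is a small caller constant */
    const uint8_t *src;
    if (nbytes <= sizeof d->tdir_value) {
        src = d->tdir_value;                      /* value stored inline in the entry */
    } else {
        uint32_t off = le32(d->tdir_value);       /* value stored at a file offset */
        if (!range_ok(off, nbytes, file_len)) return 0;
        src = file + off;
    }
    for (uint32_t i = 0; i < expected; i++) out[i] = le16(src + 2 * i);
    return 1;
}

/* The two-value case used by DotRange, YCbCrSubsampling, HalftoneHints, PageNumber. */
int fetch_short_pair_checked(const dir_entry_t *d, const uint8_t *file, uint32_t file_len,
                             uint16_t out[2]) {
    return fetch_shorts_checked(d, file, file_len, out, 2);
}

int main(void) {
    /* Constructed entries: a well-formed DotRange (0, 255) and one with an absurd count. */
    dir_entry_t good = { 0x0150, TIFF_SHORT, 2, { 0x00, 0x00, 0xFF, 0x00 } };
    dir_entry_t bad  = { 0x0150, TIFF_SHORT, 1000, { 0x00, 0x00, 0xFF, 0x00 } };
    uint16_t pair[2];
    printf("good entry accepted: %d -> %u %u\n",
           fetch_short_pair_checked(&good, NULL, 0, pair), pair[0], pair[1]);
    printf("bad entry accepted: %d\n", fetch_short_pair_checked(&bad, NULL, 0, pair));
    printf("range_ok(0xFFFFFFF0, 0x20, 100) = %d\n", range_ok(0xFFFFFFF0u, 0x20, 100));
    return 0;
}
```

The point of the `range_ok()` shape is that the check is phrased so no intermediate value can wrap; the same idea applies to every offset-plus-size comparison a directory reader performs.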
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-01 00:56:39 UTC
Created attachment 93188 [details, diff]
tiff-3.8.2-goo-sec.diff
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-01 00:58:11 UTC
Steve please advise and attach an updated ebuild here for pretesting.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-02 01:08:52 UTC
This is now public.

Graphics please provide an updated ebuild.
Comment 4 Steve Arnold archtester gentoo-dev 2006-08-02 23:34:34 UTC
Created attachment 93315 [details]
updated ebuild incorporating google-dude's patch

Builds and installs fine, but I only had a chance to review the patch (and not any significant functional testing).
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-03 04:49:33 UTC
(In reply to comment #4)
> Created an attachment (id=93315) [edit]
> updated ebuild incorporating google-dude's patch
> 
> Builds and installs fine, but I only had a chance to review the patch (and not
> any significant functional testing).
> 

everything is right. It works for me.
Debian has used exactly the same patch :)

you can bump it into portage please
Comment 6 Steve Arnold archtester gentoo-dev 2006-08-03 20:07:59 UTC
Okay, I'm cleaning up the old versions as well...
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-04 01:21:45 UTC
Thank you Steve.

Hi arches, it's your turn now... please test and mark stable tiff-3.8.2-r2 ebuild so that we can issue the GLSA promptly.

mips: note that 3.7.x is also vulnerable, but has not been patched in portage. However it is technically possible to do so, if needed.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-04 02:34:03 UTC
This one is ready for GLSA.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-05 00:06:01 UTC
GLSA 200608-07
Comment 10 Steve Arnold archtester gentoo-dev 2006-08-05 12:43:49 UTC
Note: mips is now stable on 3.8.2-r2, however, jbig-kit is not, so the jbig USE flag is masked on mips until they decide they want it.
Comment 11 Tavis Ormandy (RETIRED) gentoo-dev 2006-08-06 21:14:51 UTC
Created attachment 93632 [details]
exploit for CVE-2006-3459.

Attaching exploit for the stack overflow issue, for future reference.
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:39:58 UTC
Does not affect current (2008.0) release. Removing release.