234080 CVE-2008-2327 2008-08-06 12:15 0000 media-libs/tiff <3.8.2-r4 buffer underflow in LZW decoding (CVE-2008-2327) 2008-09-08 18:01:22 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A2 [glsa] P2 normal --- 1 rbu@gentoo.org security@gentoo.org arm@gentoo.org graphics@gentoo.org m68k@gentoo.org nerdboy@gentoo.org s390@gentoo.org sh@gentoo.org rbu@gentoo.org 2008-08-06 12:15:21 0000 ** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** Drew Yao writes: We have found a security issue in libTIFF's handling of LZW-encoded images. The use of uninitialized data could lead to a buffer underflow and a crash or arbitrary code execution. CVE-ID: CVE-2008-2327 Versions known to be affected: v3.8.2 Timing: This issue should remain embargoed until 8/25/2008. Credit: Drew Yao of Apple Product Security We have contacted the libTIFF maintainers about this issue. A brief introduction to LZW decoding: http://www.fileformat.info/format/tiff/corion-lzw.htm http://en.wikipedia.org/wiki/Lzw#Decoding The LZW algorithm is based on a translation table, or string table, that maps strings of input characters into codes. The TIFF implementation uses variable-length codes, with a maximum code length of 12 bits The string table is initialized to contain all possible single- character strings. There are 256 of them, numbered 0 through 255, since our characters are bytes. There are also special codes: #define CODE_CLEAR 256 /* code to clear string table */ #define CODE_EOI 257 /* end-of-information code */ #define CODE_FIRST 258 /* first free code entry */ As decoding continues, longer strings are added to the string table as linked lists of characters. If the string table gets full(4096 entries), there is a "Clear code" which signals to reinitialize the string table. tif_lzw.c In LZWSetupDecode(): sp->dec_codetab = (code_t*)_TIFFmalloc(CSIZE*sizeof (code_t)); In LZWPreDecode(): sp->dec_free_entp = sp->dec_codetab + CODE_FIRST; /* * Zero entries that are not yet filled in. We do * this to guard against bogus input data that causes * us to index into undefined entries. If you can * come up with a way to safely bounds-check input codes * while decoding then you can remove this operation. */ _TIFFmemset(sp->dec_free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); In LZWDecodeCompat(), LZWDecode(), and LZWDecodeVector(), when a CODE_CLEAR code is received, the string table does not get re-zeroed, leading to uninitialized data in the table being used, if the next code after the CODE_CLEAR is > CODE_FIRST. For example in LZWDecodeCompat(): while (occ > 0) { NextCode(tif, sp, bp, code, GetNextCodeCompat); if (code == CODE_EOI) break; if (code == CODE_CLEAR) { free_entp = sp->dec_codetab + CODE_FIRST; <-- free_entp points to the first free entry after the constant entries. nbits = BITS_MIN; nbitsmask = MAXCODE(BITS_MIN); maxcodep = sp->dec_codetab + nbitsmask; NextCode(tif, sp, bp, code, GetNextCodeCompat); <-- get the next code. The implementation expects it to be < CODE_FIRST, but that might not be true in a malicious file. if (code == CODE_EOI) break; *op++ = code, occ--; oldcodep = sp->dec_codetab + code; continue; } codep = sp->dec_codetab + code; <--codep points into uninitialized data ... do { *--tp = codep->value; <-- potential buffer underflow } while( (codep = codep->next) != NULL); [...] A simple fix is to zero out the whole string table starting at CODE_FIRST whenever a CODE_CLEAR is received. The attached patch against 3.8.2 does this. I have tested this fix to properly display a bunch of valid files, and not crash after heavy fuzzing. rbu@gentoo.org 2008-08-06 12:39:06 0000 Drew also informed us about the following issue: http://bugzilla.maptools.org/show_bug.cgi?id=1929 rbu@gentoo.org 2008-08-06 12:44:31 0000 Created an attachment (id=162354) tiff-3.8.2-CVE-2008-2327.patch rbu@gentoo.org 2008-08-06 12:44:51 0000 Created an attachment (id=162356) tiff-3.8.2-bug1929.patch rbu@gentoo.org 2008-08-20 12:48:15 0000 We have no upstream comment on either of the two patches, and probably won't have until after the embargo timeline. I'll attach an ebuild applying the existing patches, and we can update them later if upstream decides otherwise. rbu@gentoo.org 2008-08-20 12:48:34 0000 Created an attachment (id=163378) tiff-3.8.2-r4.ebuild rbu@gentoo.org 2008-08-20 12:49:25 0000 Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink, armin76 amd64 : keytoaster, tester hppa : jer ppc : dertobi123 ppc64 : corsair sparc : fmccor x86 : maekke, armin76 jer@gentoo.org 2008-08-20 15:47:43 0000 HPPA is OK. maekke@gentoo.org 2008-08-20 17:50:38 0000 looks good on amd64/x86. corsair@gentoo.org 2008-08-20 22:39:48 0000 looks good on ppc64 yoswink@gentoo.org 2008-08-20 23:24:44 0000 alpha is ok rbu@gentoo.org 2008-08-26 14:32:05 0000 now public via http://secunia.com/advisories/31610/ rbu@gentoo.org 2008-08-26 14:53:44 0000 I combined both patches into one because it was decided to combine both issues (Drew Yao and the upstream bug) into the CVE. Committed the ebuild to the tree with the gathered keywords, still to do: Arches, please test and mark stable: =media-libs/tiff-3.8.2-r4 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" Already stabled : "alpha amd64 hppa ppc64 x86" Missing keywords: "arm ia64 m68k ppc s390 sh sparc" armin76@gentoo.org 2008-08-26 15:04:09 0000 ia64/sparc stable dertobi123@gentoo.org 2008-08-30 11:30:45 0000 ppc stable keytoaster@gentoo.org 2008-09-02 17:01:59 0000 GLSA request filed. py@gentoo.org 2008-09-08 18:01:22 0000 GLSA 200809-07 162354 2008-08-06 12:44 0000 tiff-3.8.2-CVE-2008-2327.patch tiff-3.8.2-CVE-2008-2327.patch text/plain SW5kZXg6IHRpZmYtMy44LjIvbGlidGlmZi90aWZfbHp3LmMKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gdGlmZi0z LjguMi5vcmlnL2xpYnRpZmYvdGlmX2x6dy5jCisrKyB0aWZmLTMuOC4yL2xpYnRpZmYvdGlmX2x6 dy5jCkBAIC00MDgsNiArNDA4LDcgQEAgTFpXRGVjb2RlKFRJRkYqIHRpZiwgdGlkYXRhX3Qgb3Aw LCB0c2l6ZQogCQkJYnJlYWs7CiAJCWlmIChjb2RlID09IENPREVfQ0xFQVIpIHsKIAkJCWZyZWVf ZW50cCA9IHNwLT5kZWNfY29kZXRhYiArIENPREVfRklSU1Q7CisJCQlfVElGRm1lbXNldChmcmVl X2VudHAsIDAsIChDU0laRS1DT0RFX0ZJUlNUKSpzaXplb2YgKGNvZGVfdCkpOwogCQkJbmJpdHMg PSBCSVRTX01JTjsKIAkJCW5iaXRzbWFzayA9IE1BWENPREUoQklUU19NSU4pOwogCQkJbWF4Y29k ZXAgPSBzcC0+ZGVjX2NvZGV0YWIgKyBuYml0c21hc2stMTsKQEAgLTYwNCw2ICs2MDUsNyBAQCBM WldEZWNvZGVDb21wYXQoVElGRiogdGlmLCB0aWRhdGFfdCBvcDAsCiAJCQlicmVhazsKIAkJaWYg KGNvZGUgPT0gQ09ERV9DTEVBUikgewogCQkJZnJlZV9lbnRwID0gc3AtPmRlY19jb2RldGFiICsg Q09ERV9GSVJTVDsKKwkJCV9USUZGbWVtc2V0KGZyZWVfZW50cCwgMCwgKENTSVpFLUNPREVfRklS U1QpKnNpemVvZiAoY29kZV90KSk7CiAJCQluYml0cyA9IEJJVFNfTUlOOwogCQkJbmJpdHNtYXNr ID0gTUFYQ09ERShCSVRTX01JTik7CiAJCQltYXhjb2RlcCA9IHNwLT5kZWNfY29kZXRhYiArIG5i aXRzbWFzazsK 162356 2008-08-06 12:44 0000 tiff-3.8.2-bug1929.patch tiff-3.8.2-bug1929.patch text/plain SW5kZXg6IHRpZmYtMy44LjIvbGlidGlmZi90aWZfbHp3LmMKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gdGlmZi0z LjguMi5vcmlnL2xpYnRpZmYvdGlmX2x6dy5jCisrKyB0aWZmLTMuOC4yL2xpYnRpZmYvdGlmX2x6 dy5jCkBAIC0yMzcsNiArMjM3LDEyIEBAIExaV1NldHVwRGVjb2RlKFRJRkYqIHRpZikKICAgICAg ICAgICAgICAgICAgICAgc3AtPmRlY19jb2RldGFiW2NvZGVdLmxlbmd0aCA9IDE7CiAgICAgICAg ICAgICAgICAgICAgIHNwLT5kZWNfY29kZXRhYltjb2RlXS5uZXh0ID0gTlVMTDsKICAgICAgICAg ICAgICAgICB9IHdoaWxlIChjb2RlLS0pOworCQkvKgorCQkqIFplcm8tb3V0IHRoZSB1bnVzZWQg ZW50cmllcworCQkqLworCQlfVElGRm1lbXNldCgmc3AtPmRlY19jb2RldGFiW0NPREVfQ0xFQVJd LCAwLAorCQkoQ09ERV9GSVJTVC1DT0RFX0NMRUFSKSpzaXplb2YgKGNvZGVfdCkpOworCiAJfQog CXJldHVybiAoMSk7CiB9CkBAIC00MTUsNiArNDIxLDEyIEBAIExaV0RlY29kZShUSUZGKiB0aWYs IHRpZGF0YV90IG9wMCwgdHNpemUKIAkJCU5leHRDb2RlKHRpZiwgc3AsIGJwLCBjb2RlLCBHZXRO ZXh0Q29kZSk7CiAJCQlpZiAoY29kZSA9PSBDT0RFX0VPSSkKIAkJCQlicmVhazsKKwkJCWlmIChj b2RlID09IENPREVfQ0xFQVIpIHsKKwkJCQlUSUZGRXJyb3JFeHQodGlmLT50aWZfY2xpZW50ZGF0 YSwgdGlmLT50aWZfbmFtZSwKKwkJCQkiTFpXRGVjb2RlOiBDb3JydXB0ZWQgTFpXIHRhYmxlIGF0 IHNjYW5saW5lICVkIiwKKwkJCQl0aWYtPnRpZl9yb3cpOworCQkJCXJldHVybiAoMCk7CisJCQl9 CiAJCQkqb3ArKyA9IChjaGFyKWNvZGUsIG9jYy0tOwogCQkJb2xkY29kZXAgPSBzcC0+ZGVjX2Nv ZGV0YWIgKyBjb2RlOwogCQkJY29udGludWU7CkBAIC02MTIsNiArNjI0LDEyIEBAIExaV0RlY29k ZUNvbXBhdChUSUZGKiB0aWYsIHRpZGF0YV90IG9wMCwKIAkJCU5leHRDb2RlKHRpZiwgc3AsIGJw LCBjb2RlLCBHZXROZXh0Q29kZUNvbXBhdCk7CiAJCQlpZiAoY29kZSA9PSBDT0RFX0VPSSkKIAkJ CQlicmVhazsKKwkJCWlmIChjb2RlID09IENPREVfQ0xFQVIpIHsKKwkJCQlUSUZGRXJyb3JFeHQo dGlmLT50aWZfY2xpZW50ZGF0YSwgdGlmLT50aWZfbmFtZSwKKwkJCQkiTFpXRGVjb2RlOiBDb3Jy dXB0ZWQgTFpXIHRhYmxlIGF0IHNjYW5saW5lICVkIiwKKwkJCQl0aWYtPnRpZl9yb3cpOworCQkJ CXJldHVybiAoMCk7CisJCQl9CiAJCQkqb3ArKyA9IGNvZGUsIG9jYy0tOwogCQkJb2xkY29kZXAg PSBzcC0+ZGVjX2NvZGV0YWIgKyBjb2RlOwogCQkJY29udGludWU7Cg== 163378 2008-08-20 12:48 0000 tiff-3.8.2-r4.ebuild tiff-3.8.2-r4.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA4IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L21lZGlhLWxpYnMvdGlmZi90aWZmLTMuOC4yLXIz LmVidWlsZCx2IDEuOSAyMDA4LzAzLzA0IDIyOjQxOjUyIG1hZWtrZSBFeHAgJAoKaW5oZXJpdCBl dXRpbHMgbGlidG9vbAoKREVTQ1JJUFRJT049IkxpYnJhcnkgZm9yIG1hbmlwdWxhdGlvbiBvZiBU SUZGIChUYWcgSW1hZ2UgRmlsZSBGb3JtYXQpIGltYWdlcyIKSE9NRVBBR0U9Imh0dHA6Ly93d3cu cmVtb3Rlc2Vuc2luZy5vcmcvbGlidGlmZi8iClNSQ19VUkk9ImZ0cDovL2Z0cC5yZW1vdGVzZW5z aW5nLm9yZy9wdWIvbGlidGlmZi8ke1B9LnRhci5negoJbWlycm9yOi8vZ2VudG9vLyR7UH0tdGlm ZjJwZGYucGF0Y2guYnoyIgoKTElDRU5TRT0iYXMtaXMiClNMT1Q9IjAiCktFWVdPUkRTPSJ+YWxw aGEgfmFtZDY0IH5hcm0gfmhwcGEgfmlhNjQgfm02OGsgfm1pcHMgfnBwYyB+cHBjNjQgfnMzOTAg fnNoIH5zcGFyYyB+c3BhcmMtZmJzZCB+eDg2IH54ODYtZmJzZCIKSVVTRT0ianBlZyBqYmlnIG5v Y3h4IHpsaWIiCgpERVBFTkQ9ImpwZWc/ICggPj1tZWRpYS1saWJzL2pwZWctNmIgKQoJamJpZz8g KCA+PW1lZGlhLWxpYnMvamJpZ2tpdC0xLjYtcjEgKQoJemxpYj8gKCA+PXN5cy1saWJzL3psaWIt MS4xLjMtcjIgKSIKCnNyY191bnBhY2soKSB7Cgl1bnBhY2sgJHtBfQoJY2QgIiR7U30iCgllcGF0 Y2ggIiR7V09SS0RJUn0iLyR7UH0tdGlmZjJwZGYucGF0Y2gKCWVwYXRjaCAiJHtGSUxFU0RJUn0i LyR7UH0tdGlmZnNwbGl0LnBhdGNoCglpZiB1c2UgamJpZzsgdGhlbgoJCWVwYXRjaCAiJHtGSUxF U0RJUn0iLyR7UE59LWpiaWcucGF0Y2gKCWZpCgllcGF0Y2ggIiR7RklMRVNESVJ9Ii8ke1B9LWdv by1zZWMucGF0Y2gKCWVwYXRjaCAiJHtGSUxFU0RJUn0iLyR7UH0tQ1ZFLTIwMDgtMjMyNy5wYXRj aAoJZXBhdGNoICIke0ZJTEVTRElSfSIvJHtQfS1idWcxOTI5LnBhdGNoCgllbGlidG9vbGl6ZQp9 CgpzcmNfY29tcGlsZSgpIHsKCWVjb25mIFwKCQkkKHVzZV9lbmFibGUgIW5vY3h4IGN4eCkgXAoJ CSQodXNlX2VuYWJsZSB6bGliKSBcCgkJJCh1c2VfZW5hYmxlIGpwZWcpIFwKCQkkKHVzZV9lbmFi bGUgamJpZykgXAoJCS0td2l0aC1waWMgLS13aXRob3V0LXggXAoJCS0td2l0aC1kb2NkaXI9L3Vz ci9zaGFyZS9kb2MvJHtQRn0gXAoJCXx8IGRpZSAiZWNvbmYgZmFpbGVkIgoJZW1ha2UgfHwgZGll ICJlbWFrZSBmYWlsZWQiCn0KCnNyY19pbnN0YWxsKCkgewoJbWFrZSBpbnN0YWxsIERFU1RESVI9 IiR7RH0iIHx8IGRpZSAibWFrZSBpbnN0YWxsIGZhaWxlZCIKCWRvZG9jIFJFQURNRSBUT0RPIFZF UlNJT04KfQoKcGtnX3Bvc3RpbnN0KCkgewoJZWNobwoJZWxvZyAiSkJJRyBzdXBwb3J0IGlzIGlu dGVuZGVkIGZvciBIeWxhZmF4IGZheCBjb21wcmVzc2lvbiwgc28gd2UiCgllbG9nICJyZWFsbHkg bmVlZCBtb3JlIGZlZWRiYWNrIGluIG90aGVyIGFyZWFzIChtb3N0IHRlc3RpbmcgaGFzIgoJZWxv ZyAiYmVlbiBkb25lIHdpdGggZmF4KS4gIEJlIHN1cmUgdG8gcmVjb21waWxlIGFueXRoaW5nIGxp bmtlZCIKCWVsb2cgImFnYWluc3QgdGlmZiBpZiB5b3UgcmVidWlsZCBpdCB3aXRoIGpiaWcgc3Vw cG9ydC4iCgllY2hvCn0K