** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **
The Libtiff software package includes a library, libtiff, for reading and
writing TIFF (/Tag Image File Format/), and a small collection of tools (such
as tiff2pdf, tiff2ps, tiff2rgba, rgb2ycbcr) for doing simple manipulations
of TIFF images on UNIX systems. I found that two tools, tiff2rgba and
rgb2ycbcr, suffer from integer overflow vulnerabilities. The two integer
overflow vulnerabilities could cause heap overflows and may result in
arbitrary code execution.
tiff2rgba is used to convert a TIFF image to RGBA color space and
rgb2ycbcr is used to convert non-YCbCr TIFF images to a YCbCr TIFF image.
For tiff2rgba, the vulnerability is in function cvt_whole_image() in
The vulnerable code is shown below. TIFFGetField is used to read the
specified field from an input TIFF image. Both width (line 332) and
height (line 333) originate from the input image. cvt_whole_image() does
not properly check width and height, so width * height * sizeof(uint32)
in line 338 could overflow. The overflowed value is used in the
memory allocation function, which causes an insufficient memory
allocation. A heap overflow occurs when function TIFFReadRGBAImageOriented()
in line 345 reads the actual image data into memory.
For rgb2ycbcr, the vulnerability is in function tiffcvt() in
tiff-3.8.2/tools/rgb2ycbcr.c. Similar to the vulnerability discussed
above, function tiffcvt() also does not check width and height read
from the input file (lines 282, 283). Thus, width * height * sizeof(uint32)
could overflow, so that raster points to a smaller-than-expected buffer.
A heap overflow occurs when function TIFFReadRGBAImage() in line 289 reads
the actual image data into memory.
The vulnerability is reported by
Tielei Wang, ICST-ERCIS (Engineering Research Center of Info Security,
Institute of Computer Science & Technology, Peking University / China).
I know we are stabling another version of tiff in bug 276339, but let's get the prestabling of another new version going on here. Please attach an ebuild applying the patch. Thanks!
Created attachment 197131 [details, diff]
Patch by Andrey Kiselev.
Created attachment 197267 [details]
here's a tarball with all the patches and -r8 ebuild, which applies tiff-3.8.2-CVE-2009-2347.patch (only difference to -r7).
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : armin76, klausman
amd64 : keytoaster, tester
hppa : jer
ppc : josejx, ranger
ppc64 : josejx, ranger
sparc : fmccor
x86 : fauli, maekke
Looks good on sparc.
x86 ok. Hey, there was just a stabilisation, that's 70 packages to recompile.
Don't forget to add the changes done in the main tree when importing the final -r8 revision.
HPPA is OK.
Created attachment 197767 [details, diff]
Tom Lane did additional analysis on the issue and sent in a revised patch:
The original patch missed two out of three places with the same bug in
tiff2rgba. (I looked around for additional occurrences and didn't find any,
though I can't swear there are none.) Also, I checked with Frank Warmerdam who
disapproved of letting the tools/ files use tiffiop.h, so the revised patch
does not use _TIFFCheckMalloc. Some other cleanup too, mostly around being
careful if size_t is wider than 32 bits and not claiming that
possibly-perfectly-legal files are "malformed".
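The width * height * sizeof(uint32) computation from the original report, and the two cautions in Tom Lane's note above (a size_t wider than 32 bits must not be mistaken for a check, and an image that genuinely fits must not be rejected as malformed), as an added example. This is not libtiff's code nor either patch on this bug; the function names are hypothetical, and the allocation limit (a signed 32-bit size, chosen to resemble libtiff 3.x's tsize_t) is an assumption of the example. It puts the unchecked form, as the report describes it, beside a checked form that rejects only rasters the allocator cannot hold.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* libtiff spells its 32-bit unsigned type "uint32"; defined here so the
 * example is self-contained (this typedef is not taken from libtiff). */
typedef uint32_t uint32;

/* Unchecked form, as the bug report describes it: every operand is 32-bit,
 * so the product silently wraps modulo 2^32 and can come out far smaller
 * than the image that is later decoded into the buffer. */
static uint32 unchecked_raster_bytes(uint32 width, uint32 height)
{
    return width * height * (uint32)sizeof(uint32);
}

/* Checked form. `limit` is the largest byte count the allocator accepts.
 * Returns 1 and stores the size in *bytes, or 0 if the raster cannot fit.
 * Dividing instead of multiplying keeps every intermediate in range, so the
 * test is correct whether size_t is 32 or 64 bits wide, and an image whose
 * raster does fit under `limit` is never reported as malformed. */
static int checked_raster_bytes(uint32 width, uint32 height,
                                size_t limit, size_t *bytes)
{
    size_t pixels;

    if (width == 0 || height == 0 || limit == 0)
        return 0;
    if ((size_t)width > limit / (size_t)height)   /* width * height > limit */
        return 0;
    pixels = (size_t)width * (size_t)height;
    if (pixels > limit / sizeof(uint32))          /* pixels * 4 > limit */
        return 0;
    *bytes = pixels * sizeof(uint32);
    return 1;
}

/* Byte count the checked form would allocate, or 0 if it rejects the size. */
static size_t raster_bytes_or_zero(uint32 width, uint32 height, size_t limit)
{
    size_t bytes = 0;
    return checked_raster_bytes(width, height, limit, &bytes) ? bytes : 0;
}

/* Assumed allocator limit for this example: a signed 32-bit byte count. */
#define RASTER_LIMIT ((size_t)INT32_MAX)

/* Allocate the raster only after the size has been validated. NULL means
 * the dimensions were rejected (or malloc itself failed). */
static uint32 *alloc_raster(uint32 width, uint32 height)
{
    size_t bytes;
    if (!checked_raster_bytes(width, height, RASTER_LIMIT, &bytes))
        return NULL;
    return (uint32 *)malloc(bytes);
}

int main(void)
{
    /* Constructed sample dimensions, not taken from any real file. */
    static const uint32 dims[][2] = {
        { 640u, 480u },            /* ordinary image: 1228800 bytes       */
        { 0x10000u, 0x10000u },    /* 2^32 pixels: product wraps to 0     */
        { 0x40000001u, 1u },       /* ~4 GiB of pixel data: wraps to 4    */
    };
    size_t i;

    for (i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32 w = dims[i][0], h = dims[i][1];
        size_t checked = raster_bytes_or_zero(w, h, RASTER_LIMIT);
        printf("%10lu x %-10lu unchecked=%10lu checked=%s\n",
               (unsigned long)w, (unsigned long)h,
               (unsigned long)unchecked_raster_bytes(w, h),
               checked ? "accepted" : "rejected");
    }
    return 0;
}
```

The point of the division-based test is that it needs no type wider than the one being checked: comparing `width` against `limit / height` is exact, so a 65536 x 65536 image is refused (the unchecked product is 0 bytes), a 0x40000001 x 1 image is refused (the unchecked product wraps to 4 bytes), and a 32768 x 16383 image, whose raster is 2147352576 bytes and fits under the limit, is still accepted.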
Given that only a few arches responded and that disclosure is later today, let's stable this in-tree. Also, upstream has yet to approve the revised patch.
public via https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2347
please bump in the tree, and we'll do stabling there.
On behalf of maekke I bumped the ebuild with the updated patch. Stable for x86 and ccing other arches.
Stable for HPPA.
Multiple integer overflows in inter-color spaces conversion tools in
libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent
attackers to execute arbitrary code via a TIFF image with large (1)
width and (2) height values, which triggers a heap-based buffer
overflow in the (a) cvt_whole_image function in tiff2rgba and (b)
tiffcvt function in rgb2ycbcr.
amd64 stable, all arches done.
sorry about closing the bug...
GLSA with bug 276339.