** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

The libtiff software package includes a library, libtiff, for reading and writing TIFF (Tag Image File Format), and a small collection of tools (such as tiff2pdf, tiff2ps, tiff2rgba, rgb2ycbcr) for doing simple manipulations of TIFF images on UNIX systems.

I found that two tools, tiff2rgba and rgb2ycbcr, suffer from integer overflow vulnerabilities. The two integer overflow vulnerabilities could cause heap overflows and may result in arbitrary code execution. tiff2rgba is used to convert a TIFF image to RGBA color space, and rgb2ycbcr is used to convert non-YCbCr TIFF images to a YCbCr TIFF image.

For tiff2rgba, the vulnerability is in function cvt_whole_image() in tiff-3.8.2/tools/tiff2rgba.c. The vulnerable code is shown below. TIFFGetField is used to read the specified field from an input tiff image. Both width (line 332) and height (line 333) originate from the input image. cvt_whole_image() does not properly check width and height, so width * height * sizeof (uint32) in line 338 could overflow. The overflowed value is used in the memory allocation function, which causes an insufficient memory allocation. A heap overflow occurs when function TIFFReadRGBAImageOriented() in line 345 reads the actual image data into memory.

For rgb2ycbcr, the vulnerability is in function tiffcvt() in tiff-3.8.2/tools/rgb2ycbcr.c. Similar to the vulnerability discussed above, function tiffcvt() also does not check the width and height read from the input file (lines 282, 283). Thus, width * height * sizeof (uint32) could overflow so that raster points to a smaller-than-expected buffer. A heap overflow occurs when function TIFFReadRGBAImage() in line 289 reads the actual image data into memory.

The vulnerability was reported by Tielei Wang, ICST-ERCIS (Engineering Research Center of Info Security, Institute of Computer Science & Technology, Peking University / China).
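The allocation pattern described in the report, as an added example that is not part of the bug, the reporter's text or the libtiff source: raster_bytes_unchecked() reproduces the arithmetic shape of the width * height * sizeof (uint32) expression with uint32 operands, and raster_bytes_checked() is an illustrative hardened replacement (not upstream's patch) that checks each multiplication against SIZE_MAX so a 64-bit build still accepts large but legitimate images. The 65537 x 65536 header values are constructed for the demonstration; the function names are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same arithmetic shape as the allocation in cvt_whole_image() and tiffcvt():
 * width and height are uint32 values taken from the file's tags, so the
 * product is computed in 32 bits and wraps before sizeof() widens it to
 * size_t. On a 32-bit build the final multiply can wrap as well. */
static size_t raster_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * sizeof(uint32_t);
}

/* Illustrative hardened form (assumption: not the upstream patch). Empty
 * dimensions are rejected and every multiplication is checked against
 * SIZE_MAX before it is performed. Checking against SIZE_MAX rather than
 * 2^32 is what keeps a 64-bit build from rejecting a legal large image.
 * Returns 0 when the true size does not fit in size_t. */
static size_t raster_bytes_checked(uint32_t width, uint32_t height)
{
    size_t w = width, h = height;
    if (w == 0 || h == 0)
        return 0;
    if (w > SIZE_MAX / h)
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / sizeof(uint32_t))
        return 0;
    return pixels * sizeof(uint32_t);
}

/* Bytes the RGBA reader will actually write for these dimensions: one
 * uint32 per pixel, computed in 64 bits. Returns UINT64_MAX if even that
 * does not fit, which only happens near the 2^32 x 2^32 corner. */
static uint64_t raster_bytes_needed(uint32_t width, uint32_t height)
{
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > UINT64_MAX / sizeof(uint32_t))
        return UINT64_MAX;
    return pixels * sizeof(uint32_t);
}

/* Allocate the raster the safe way: NULL means "refuse this file".
 * Note that malloc(0) may legally return a non-NULL pointer, which is why
 * the unchecked code does not fail loudly when the product wraps to zero. */
static uint32_t *alloc_raster(uint32_t width, uint32_t height)
{
    size_t bytes = raster_bytes_checked(width, height);
    if (bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed header values: a 65537 x 65536 image. 65537 * 65536
     * = 2^32 + 2^16, which wraps to 0x10000 in 32-bit arithmetic. */
    uint32_t w = 0x10001, h = 0x10000;
    printf("unchecked allocation : %zu bytes\n", raster_bytes_unchecked(w, h));
    printf("bytes decoder writes : %llu bytes\n",
           (unsigned long long)raster_bytes_needed(w, h));
    uint32_t *r = alloc_raster(w, h);
    if (r == NULL) {
        printf("checked path: refused (overflow) or malloc failed\n");
    } else {
        printf("checked path: full-size buffer allocated\n");
        free(r);
    }
    return 0;
}
```

On a 64-bit build the unchecked expression yields 262144 bytes for a raster the decoder will fill with about 16 GiB of pixel data; the checked version either allocates the full size or returns NULL, and the tool can then exit cleanly instead of overflowing the heap.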
I know we are stabling another version of tiff in bug 276339, but let's get the prestabling of another new version going on here. Please attach an ebuild applying the patch. Thanks!
Created attachment 197131: tiff-3.8.2-CVE-2009-2347.patch

Patch by Andrey Kiselev.
Created attachment 197267: tiff-3.8.2-r8.tar.bz2

Here's a tarball with all the patches and the -r8 ebuild, which applies tiff-3.8.2-CVE-2009-2347.patch (the only difference to -r7).
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug:

=media-libs/tiff-3.8.2-r8
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha : armin76, klausman
amd64 : keytoaster, tester
hppa  : jer
ppc   : josejx, ranger
ppc64 : josejx, ranger
sparc : fmccor
x86   : fauli, maekke
Looks good on sparc.
x86 ok. Hey, there was just a stabilisation, that's 70 packages to recompile. Don't forget to add the changes done in the main tree when importing the final -r8 revision.
HPPA is OK.
Created attachment 197767: tiff-3.8.2-CVE-2009-2347.patch

Tom Lane did additional analysis on the issue and sent in a revised patch:

The original patch missed two out of three places with the same bug in tiff2rgba. (I looked around for additional occurrences and didn't find any, though I can't swear there are none.) Also, I checked with Frank Warmerdam, who disapproved of letting the tools/ files use tiffiop.h, so the revised patch does not use _TIFFCheckMalloc. Some other cleanup too, mostly around being careful if size_t is wider than 32 bits and not claiming that possibly-perfectly-legal files are "malformed".
Given that only a few arches responded and that disclosure is later today, let's stable this in-tree. Also, upstream has yet to approve the revised patch.
Public via https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2347. Please bump in the tree, and we'll do the stabling there.
On behalf of maekke I bumped the ebuild with the updated patch. Stable for x86 and ccing other arches.
Stable for HPPA.
alpha/arm/ia64/m68k/s390/sh/sparc stable
CVE-2009-2347 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2347):
Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.
ppc stable
ppc64 done
amd64 stable, all arches done.
sorry about closing the bug...
GLSA with bug 276339.
GLSA 200908-03