tiff / CVE-2018-18661
I applied the fix for this CVE. Patch attached.
However, then I found out I can't reproduce the bug under Debian/Jessie,
with or without the security update.
Version 4.0.3-12.3+deb8u7 in Jessie+security:
(jessie-i386-default)root@silverfish:/home/brian/tree/debian/lts/packages/tiff/tiff-4.0.3# tiff2bw /tmp/poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
TIFFScanlineSize: Integer arithmetic overflow.
TIFFReadDirectory: Cannot handle zero scanline size.
(jessie-i386-default)root@silverfish:/home/brian/tree/debian/lts/packages/tiff/tiff-4.0.3# echo $?
255
4.0.3-12.3+deb8u8 with patch applied:
(jessie-amd64-default)root@silverfish:/tmp/brian/tmpz5ka6n27/build/amd64# tiff2bw /tmp/poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes).
TIFFWriteDirectoryTagData: IO error writing tag data.
(jessie-amd64-default)root@silverfish:/tmp/brian/tmpz5ka6n27/build/amd64# echo $?
0
Diff attached. So I suspect this security issue may have already been
fixed.
However, it looks like this patch might also fix some out-of-memory
conditions. So it may be worth applying regardless.
Kind of troubling that it returns a 0 exit code after the patch.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru tiff-4.0.3/debian/changelog tiff-4.0.3/debian/changelog
--- tiff-4.0.3/debian/changelog 2018-10-28 22:03:02.000000000 +1100
+++ tiff-4.0.3/debian/changelog 2018-11-07 17:11:57.000000000 +1100
@@ -1,3 +1,12 @@
+tiff (4.0.3-12.3+deb8u8) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2018-18661
+ Fix NULL pointer dereference in the function LZWDecode in the file
+ tif_lzw.c.
+
+ -- Brian May <bam@debian.org> Wed, 07 Nov 2018 17:11:57 +1100
+
tiff (4.0.3-12.3+deb8u7) jessie-security; urgency=high
* Non-maintainer upload by the LTS Team.
diff -Nru tiff-4.0.3/debian/patches/CVE-2018-18661.patch tiff-4.0.3/debian/patches/CVE-2018-18661.patch
--- tiff-4.0.3/debian/patches/CVE-2018-18661.patch 1970-01-01 10:00:00.000000000 +1000
+++ tiff-4.0.3/debian/patches/CVE-2018-18661.patch 2018-11-07 17:11:57.000000000 +1100
@@ -0,0 +1,72 @@
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -40,6 +40,7 @@
+ #endif
+
+ #include "tiffio.h"
++#include "tiffiop.h"
+
+ #define streq(a,b) (strcmp((a),(b)) == 0)
+ #define strneq(a,b,n) (strncmp(a,b,n) == 0)
+@@ -214,6 +215,11 @@
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
+ outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ if( !outbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ return (-1);
++ }
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+
+@@ -237,6 +243,11 @@
+ #undef CVT
+ }
+ inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ return (-1);
++ }
+ for (row = 0; row < h; row++) {
+ if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ break;
+@@ -247,6 +258,11 @@
+ break;
+ case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
+ inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ return (-1);
++ }
+ for (row = 0; row < h; row++) {
+ if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ break;
+@@ -256,8 +272,16 @@
+ }
+ break;
+ case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
++ {
++ tmsize_t inbufsize;
+ rowsize = TIFFScanlineSize(in);
+- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
++ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
++ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ return (-1);
++ }
+ for (row = 0; row < h; row++) {
+ for (s = 0; s < 3; s++)
+ if (TIFFReadScanline(in,
+@@ -269,6 +293,7 @@
+ break;
+ }
+ break;
++ }
+ }
+ #undef pack
+ TIFFClose(out);
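Review bot: In the PLANARCONFIG_SEPARATE case the overflow check is incomplete: `TIFFSafeMultiply` yields 0 on overflow, and the following `if( !inbuf )` only catches the allocation failing, so whether a 3*rowsize overflow is rejected depends on `_TIFFmalloc(0)` returning NULL, which I am not sure the 4.0.3 `_TIFFmalloc` guarantees (it should be confirmed for this backport); if it hands back a non-NULL zero-length buffer, the `TIFFReadScanline(in, ...)` loop writes rowsize bytes into it. Testing the multiply result directly closes the gap regardless of allocator behaviour, e.g. `if( inbufsize == 0 || !inbuf )` with the same "Out of memory" exit. A smaller point applying to all four new checks: the `return (-1)` paths leave `out` open, so a truncated output file is left behind without `TIFFClose(out)`; if that matters for callers of the tool, closing (or unlinking) it before returning would be cleaner. These hunks sit inside tiff2bw's main(), whose start and end lie outside the quoted context.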
diff -Nru tiff-4.0.3/debian/patches/series tiff-4.0.3/debian/patches/series
--- tiff-4.0.3/debian/patches/series 2018-10-28 22:03:02.000000000 +1100
+++ tiff-4.0.3/debian/patches/series 2018-11-07 17:11:10.000000000 +1100
@@ -80,3 +80,4 @@
CVE-2018-17100-17101.patch
CVE-2018-18557.patch
+CVE-2018-18661.patch