
Re: tiff / CVE-2018-18661

Hi Brian

To me it looks like you have been able to reproduce the problem. You clearly get different results with and without the patch indicating that you have in fact triggered the problem. I do not see that you have run the program using a debugger, so are you sure that you did not end up in a crash?

// Ola

On Thu, 8 Nov 2018 at 07:33, Brian May <brian@linuxpenguins.xyz> wrote:
I applied the fix for this CVE. Patch attached.

However, then I found out I can't reproduce the bug under Debian/Jessie,
with or without the security update.

Version 4.0.3-12.3+deb8u7 in Jessie+security:

(jessie-i386-default)root@silverfish:/home/brian/tree/debian/lts/packages/tiff/tiff-4.0.3# tiff2bw /tmp/poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
TIFFScanlineSize: Integer arithmetic overflow.
TIFFReadDirectory: Cannot handle zero scanline size.
(jessie-i386-default)root@silverfish:/home/brian/tree/debian/lts/packages/tiff/tiff-4.0.3# echo $?

4.0.3-12.3+deb8u8 with patch applied:

(jessie-amd64-default)root@silverfish:/tmp/brian/tmpz5ka6n27/build/amd64# tiff2bw /tmp/poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes).
TIFFWriteDirectoryTagData: IO error writing tag data.
(jessie-amd64-default)root@silverfish:/tmp/brian/tmpz5ka6n27/build/amd64# echo $?

Diff attached. So I suspect this security issue may have already been

However it looks like this patch might also have fixed some out-of-memory
conditions. So maybe worth applying regardless.

Kind of troubling that it returns a 0 exit code after the patch.
Brian May <brian@linuxpenguins.xyz>

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
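Added example, not part of the thread above and not from the tiff project: a small POSIX shell helper that addresses Ola's question of whether a run actually ended in a crash. It wraps a command and classifies its termination by the shell's exit-status convention (0 is success, 1 to 127 is an ordinary error exit, 128+N means the process was killed by signal N, so 139 is SIGSEGV and 134 is SIGABRT). The function name `classify_exit` and the sample commands are constructed for this illustration; `tiff2bw /tmp/poc /dev/null` is the command from the thread.

```shell
#!/bin/sh
# Classify how a command terminated, using the POSIX exit-status convention:
#   0        -> normal exit, success
#   1..127   -> normal exit carrying an error status
#   128+N    -> process killed by signal N (139 = 128+11 = SIGSEGV, 134 = SIGABRT)
# Prints one line, "<class> <status>", and always returns 0 so that it can be
# called from a script running under `set -e` without aborting it.
classify_exit() {
    # Run inside `if` so a non-zero status does not trip errexit; the wrapped
    # command's own output is discarded, only its status matters here.
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi

    if [ "$status" -eq 0 ]; then
        class=ok
    elif [ "$status" -gt 128 ]; then
        # Signal kill: translate the number back to a name (kill -l N prints
        # the name without the SIG prefix in both bash and dash).
        signum=$((status - 128))
        signame=$(kill -l "$signum" 2>/dev/null || echo "$signum")
        class="crash:$signame"
    else
        class=error
    fi
    printf '%s %s\n' "$class" "$status"
}

# Constructed demonstrations (not the tiff2bw run from the thread):
classify_exit true                      # ok 0
classify_exit false                     # error 1
classify_exit sh -c 'kill -SEGV $$'     # crash:SEGV 139
# For the thread's own reproduction attempt the call would be:
#   classify_exit tiff2bw /tmp/poc /dev/null
```

A plain `echo $?` after the run gives the same number, but the helper spells out the distinction that matters for triage: `ok 0` after feeding a proof-of-concept file means the program handled the input without being killed (which does not by itself prove the bug is absent, as the differing error messages in the thread show), while any `crash:` line means the process died on a signal and a debugger or an ASan build is the next step.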
