[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

A security bug in Debian Squeeze libtiff (+ non-updated ia32-libs??)


There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq.

When loading corrupted images and with ElectricFence memory debugging 
enabled, programs using libtiff crash.

How to reproduce: Download corrupted images from here: 

These tiff images were created by running fsfuzzer 
(http://people.redhat.com/sgrubb/files/fsfuzzer-0.7.tar.gz) over normal 
valid tiff images.

Install electric-fence package from Debian.

Run programs that use libtiff with electric fence, for example:

LD_PRELOAD=/usr/lib/libefence.so links2 -g tiff1.tif

LD_PRELOAD=/usr/lib/libefence.so xloadimage tiff1.tif

LD_PRELOAD=/usr/lib/libefence.so xpaint tiff1.tif

All the programs crash in TIFFReadDirectory (I tested it on amd64) --- so 
it is a bug in libtiff.

I reproduced this bug on upstream libtiff 3.9.4, but couldn't reproduce it 
on 3.9.5, 3.9.6 or 4.0.1 --- so the bug was fixed upstream and Debian 
didn't backport it.

BTW. how does Debian security deal with the ia32-libs package? There is a 
32-bit version of libtiff in the package ia32-libs in 
/usr/lib32/libtiff.so.4.3.3 and it seems that it isn't being updated it at 
all !


Reply to: