A security bug in Debian Squeeze libtiff (+ non-updated ia32-libs??)
Hi
There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq.
When loading corrupted images and with ElectricFence memory debugging
enabled, programs using libtiff crash.
How to reproduce: Download corrupted images from here:
http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/
These tiff images were created by running fsfuzzer
(http://people.redhat.com/sgrubb/files/fsfuzzer-0.7.tar.gz) over normal
valid tiff images.
Install electric-fence package from Debian.
Run programs that use libtiff with electric fence, for example:
LD_PRELOAD=/usr/lib/libefence.so links2 -g tiff1.tif
LD_PRELOAD=/usr/lib/libefence.so xloadimage tiff1.tif
LD_PRELOAD=/usr/lib/libefence.so xpaint tiff1.tif
All the programs crash in TIFFReadDirectory (I tested it on amd64) --- so
it is a bug in libtiff.
I reproduced this bug on upstream libtiff 3.9.4, but couldn't reproduce it
on 3.9.5, 3.9.6 or 4.0.1 --- so the bug was fixed upstream and Debian
didn't backport it.
BTW. how does Debian security deal with the ia32-libs package? There is a
32-bit version of libtiff in the package ia32-libs in
/usr/lib32/libtiff.so.4.3.3 and it seems that it isn't being updated it at
all !
Mikulas
Reply to: