Bug 1475530 (CVE-2017-11613)

Summary: CVE-2017-11613 libtiff: Memory leak via corrupt td_imagelength in TIFFOpen function
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Pedro Sampaio <psampaio>
Assignee: Red Hat Product Security <security-response-team>
CC: erik-fedora, mike, nforro, phracek
Doc Type: If docs needed, set a value
Last Closed: 2017-08-30 08:25:27 UTC
Bug Depends On: 1475531, 1475532
Bug Blocks: 1475533

Description Pedro Sampaio 2017-07-26 20:47:58 UTC
In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. 
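The mechanism described in the report (an allocation sized from td_imagelength, a value the file fully controls) as an added example, not code from this bug report or from libtiff: a minimal little-endian TIFF IFD parser, the number of bytes a strip-chopping step would request for its two per-strip uint64 arrays, and a plausibility check that refuses geometry the file cannot back before anything is allocated. Sample files are constructed in memory (138 bytes each); `rows_per_chopped_strip` is a plain parameter here, whereas libtiff derives it from a default strip size, and `uncompressed_geometry_fits` is this example's hardening, not libtiff's.

```c
/* Added example, not libtiff code: model the allocation that a strip-chopping
 * step derives from an attacker-controlled ImageLength, and the plausibility
 * check that rejects it before anything is allocated. Sample TIFFs are built in
 * memory (constructed data, little-endian, uncompressed 8-bit grayscale). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tiff_dims {
    uint32_t width, length, bits_per_sample, samples_per_pixel, compression, rows_per_strip;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the first IFD of a little-endian TIFF (inline SHORT/LONG values only).
 * Returns 0 on success, -1 if the header or IFD does not fit in the buffer. */
int parse_first_ifd(const uint8_t *buf, size_t len, struct tiff_dims *d)
{
    if (len < 8 || memcmp(buf, "II\x2a\x00", 4) != 0) return -1;
    uint32_t ifd = rd32(buf + 4);
    if (ifd > len || len - ifd < 2) return -1;
    uint16_t n = rd16(buf + ifd);
    if ((size_t)n * 12 > len - ifd - 2) return -1;
    *d = (struct tiff_dims){ .bits_per_sample = 1, .samples_per_pixel = 1,
                             .compression = 1, .rows_per_strip = UINT32_MAX }; /* TIFF defaults */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        if ((type != 3 && type != 4) || rd32(e + 4) != 1) continue;   /* one SHORT or LONG only */
        uint32_t v = type == 3 ? rd16(e + 8) : rd32(e + 8);
        if (tag == 256) d->width = v; else if (tag == 257) d->length = v;
        else if (tag == 258) d->bits_per_sample = v; else if (tag == 259) d->compression = v;
        else if (tag == 277) d->samples_per_pixel = v; else if (tag == 278) d->rows_per_strip = v;
    }
    return d->width && d->length ? 0 : -1;
}

/* Memory a chop step would request from ImageLength alone: two uint64 arrays
 * (offsets and byte counts), one entry per chopped strip. */
uint64_t chop_alloc_bytes(uint32_t image_length, uint32_t rows_per_chopped_strip)
{
    if (rows_per_chopped_strip == 0) return 0;
    uint64_t nstrips = ((uint64_t)image_length + rows_per_chopped_strip - 1) / rows_per_chopped_strip;
    return nstrips * 2 * sizeof(uint64_t);
}

/* Hardened check (this example's, not libtiff's): uncompressed pixel data needs
 * scanline_bytes * ImageLength bytes, and no header value can make a file hold
 * more than its size. Returns 1 if the declared geometry can be backed by the file. */
int uncompressed_geometry_fits(const struct tiff_dims *d, size_t file_size)
{
    if (d->compression != 1) return 1;                  /* only decidable for uncompressed data */
    if (!d->width || !d->length || !d->bits_per_sample || !d->samples_per_pixel) return 0;
    uint64_t bits = (uint64_t)d->width * d->bits_per_sample;        /* cannot overflow: 32-bit operands */
    if (bits > UINT64_MAX / d->samples_per_pixel) return 0;
    bits *= d->samples_per_pixel;
    uint64_t scanline = bits / 8 + (bits % 8 != 0);
    if (scanline > UINT64_MAX / d->length) return 0;    /* overflow means certainly too big */
    return scanline * d->length <= file_size;
}

/* Constructed sample: 4 px wide, 8-bit gray, one uncompressed strip of 16 data
 * bytes; ImageLength and RowsPerStrip are whatever the caller declares. Returns 138. */
size_t build_sample_tiff(uint8_t out[138], uint32_t image_length, uint32_t rows_per_strip)
{
    const uint32_t data_off = 8 + 2 + 9 * 12 + 4;      /* header + IFD = 122 */
    const struct { uint16_t tag, type; uint32_t val; } ents[9] = {
        {256, 4, 4}, {257, 4, image_length}, {258, 3, 8}, {259, 3, 1}, {262, 3, 1},
        {273, 4, data_off}, {277, 3, 1}, {278, 4, rows_per_strip}, {279, 4, 16} };
    memset(out, 0, 138);
    memcpy(out, "II\x2a\x00", 4); wr32(out + 4, 8); wr16(out + 8, 9);
    for (int i = 0; i < 9; i++) {
        uint8_t *e = out + 10 + i * 12;
        wr16(e, ents[i].tag); wr16(e + 2, ents[i].type); wr32(e + 4, 1);
        if (ents[i].type == 3) wr16(e + 8, (uint16_t)ents[i].val); else wr32(e + 8, ents[i].val);
    }
    for (int i = 0; i < 16; i++) out[data_off + i] = (uint8_t)(i * 16);   /* pixel bytes */
    return data_off + 16;
}

/* Build a sample, parse it and run the check; -1 if parsing fails. */
int sample_fits(uint32_t image_length, uint32_t rows_per_strip)
{
    uint8_t f[138]; struct tiff_dims d;
    size_t sz = build_sample_tiff(f, image_length, rows_per_strip);
    return parse_first_ifd(f, sz, &d) == 0 ? uncompressed_geometry_fits(&d, sz) : -1;
}

int main(void)
{
    uint8_t f[138]; struct tiff_dims d;
    uint32_t lengths[2] = { 4, UINT32_MAX };              /* benign file, then crafted file */
    for (int i = 0; i < 2; i++) {
        size_t sz = build_sample_tiff(f, lengths[i], 1);
        if (parse_first_ifd(f, sz, &d) != 0) return 1;
        uint64_t want = chop_alloc_bytes(d.length, 1);
        printf("ImageLength=%-10u file=%zu B  chop would malloc %llu B (%llu MiB)  fits: %s\n",
               d.length, sz, (unsigned long long)want, (unsigned long long)(want >> 20),
               uncompressed_geometry_fits(&d, sz) ? "yes" : "no, reject before allocating");
    }
    return 0;
}
```

Both constructed files are 138 bytes long and differ only in the ImageLength tag. For the benign one the chop step wants 64 bytes; for the crafted one it wants 16 * 4294967295 bytes, about 64 GiB, which is exactly the request that either fails or invites the OOM killer. The check catches it with arithmetic alone: four bytes per scanline times 4294967295 rows cannot fit in a 138-byte file, so the geometry is rejected before any allocation is attempted.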



Comment 1 Pedro Sampaio 2017-07-26 20:48:24 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1475531]

Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1475532]

Comment 2 Stefan Cornelius 2017-08-24 10:26:58 UTC
LibTIFF simply tries to allocate the memory based on the information in the image. If there's not enough RAM, the OOM killer steps in and terminates the process. If you have enough RAM, all is fine.

Although one could implement mechanisms to catch this corner case early in order to handle it in a more graceful manner, I'm not sure if the library itself is the right place for that - I'll leave that to upstream.

Comment 3 Doran Moppert 2020-02-11 00:29:59 UTC

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.