Bug 1530440 (CVE-2017-18013)

Summary: CVE-2017-18013 libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes crash
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: nforro, phracek, tgl
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20171229,reported=20180103,source=debian,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-476,fedora-all/libtiff=affected,rhel-5/libtiff=notaffected,rhel-6/libtiff=notaffected,rhel-7/libtiff=notaffected,rhel-8/libtiff=notaffected
Fixed In Version: libtiff 4.0.9-3
Last Closed: 2018-01-08 05:42:09 UTC
Bug Depends On: 1530441
Bug Blocks: 1530443

Description Sam Fowler 2018-01-03 04:01:56 UTC
LibTIFF 4.0.9 is vulnerable to a crash caused by a NULL pointer dereference in the TIFFPrintDirectory function in tif_print.c. An attacker could exploit this by supplying a specially crafted TIFF image, leading to a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18013
http://www.cvedetails.com/cve/CVE-2017-18013/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013
https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
http://bugzilla.maptools.org/show_bug.cgi?id=2770

Comment 1 Sam Fowler 2018-01-03 04:03:12 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1530441]

Comment 2 Huzaifa S. Sidhpurwala 2018-01-08 05:41:27 UTC
It seems this flaw is triggered by the following changeset:
https://gitlab.com/libtiff/libtiff/commit/7057734d986001b7fd6d2afde9667da7754ff2cc

This was introduced in tiff-4.0.9, therefore older versions are not affected.
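The class of bug this report describes, a directory printer that walks per-strip arrays the parser never filled in (CWE-476), as an added example that is not libtiff's code and not part of the bug report or its comments. It is a constructed model: the names strip_dir_t, make_loaded_dir, make_crafted_dir, print_strips_unchecked, print_strips_checked and PRINT_STRIPS are hypothetical, the "strip count present but arrays NULL" condition is an assumption about the shape of the flaw rather than something taken from the linked commits, and the sample offsets and byte counts are constructed. The unchecked function shows the crash shape; the checked one shows the guard a reviewer would expect the fix to add.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model (not libtiff's TIFFDirectory): a directory whose strip
 * count was read from the file but whose per-strip arrays may be missing.
 */
typedef struct {
    uint32_t  nstrips;        /* strip count taken from the directory */
    uint64_t *stripoffset;    /* NULL if the parser never populated it */
    uint64_t *stripbytecount; /* NULL if the parser never populated it */
} strip_dir_t;

#define PRINT_STRIPS 0x1      /* caller asked for per-strip detail */

/* Vulnerable shape: nstrips > 0 is taken as proof that both arrays exist.
 * With either pointer NULL, the first iteration dereferences NULL and the
 * process dies (denial of service). Returns the number of strips printed. */
static long print_strips_unchecked(FILE *out, const strip_dir_t *td, int flags)
{
    long printed = 0;
    if (!(flags & PRINT_STRIPS))
        return 0;
    fprintf(out, "  %lu Strips:\n", (unsigned long)td->nstrips);
    for (uint32_t s = 0; s < td->nstrips; s++) {
        fprintf(out, "    %3lu: [%8llu, %8llu]\n", (unsigned long)s,
                (unsigned long long)td->stripoffset[s],
                (unsigned long long)td->stripbytecount[s]);
        printed++;
    }
    return printed;
}

/* Hardened shape: "count set but arrays missing" is a corrupt directory.
 * Returns -1 and prints no per-strip lines in that case; otherwise the loop
 * above is safe (nstrips == 0 never touches the pointers). */
static long print_strips_checked(FILE *out, const strip_dir_t *td, int flags)
{
    if (!(flags & PRINT_STRIPS))
        return 0;
    if (td->nstrips > 0 &&
        (td->stripoffset == NULL || td->stripbytecount == NULL)) {
        fprintf(out, "  strip count %lu but offsets/bytecounts are missing; "
                     "not printing strips\n", (unsigned long)td->nstrips);
        return -1;
    }
    return print_strips_unchecked(out, td, flags);
}

/* Well-formed directory with n strips and constructed sample values
 * (caller frees the two arrays). */
static strip_dir_t make_loaded_dir(uint32_t n)
{
    strip_dir_t td;
    td.nstrips = n;
    td.stripoffset = calloc(n, sizeof(uint64_t));
    td.stripbytecount = calloc(n, sizeof(uint64_t));
    for (uint32_t s = 0; s < n; s++) {
        td.stripoffset[s] = 8 + 1024ULL * s; /* constructed */
        td.stripbytecount[s] = 1024;         /* constructed */
    }
    return td;
}

/* Models what a crafted file is assumed to produce here: a non-zero strip
 * count with neither array allocated. */
static strip_dir_t make_crafted_dir(uint32_t n)
{
    strip_dir_t td = { n, NULL, NULL };
    return td;
}

int main(void)
{
    strip_dir_t good = make_loaded_dir(3);
    strip_dir_t bad = make_crafted_dir(3);

    printf("loaded directory: rc=%ld\n",
           print_strips_checked(stdout, &good, PRINT_STRIPS));
    printf("crafted directory: rc=%ld\n",
           print_strips_checked(stdout, &bad, PRINT_STRIPS));
    /* print_strips_unchecked(stdout, &bad, PRINT_STRIPS) would crash here. */

    free(good.stripoffset);
    free(good.stripbytecount);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`; to see the crash instead of the guard, call print_strips_unchecked on the crafted directory. When assessing a real installation, the check that matters is the one in the linked fix commit against the installed version (4.0.9 is affected per this report, 4.0.9-3 carries the fix for Fedora), not this model.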