Bug 1475530 - (CVE-2017-11613) CVE-2017-11613 libtiff: Memory leak via corrupt td_imagelength in TIFFOpen function
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
impact=low,public=20170726,reported=2...
: Security
Depends On: 1475532 1475531
Blocks: 1475533
Reported: 2017-07-26 16:47 EDT by Pedro Sampaio
Modified: 2017-08-30 04:25 EDT
Last Closed: 2017-08-30 04:25:27 EDT
Description Pedro Sampaio 2017-07-26 16:47:58 EDT
In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. 

References:

https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869823
Comment 1 Pedro Sampaio 2017-07-26 16:48:24 EDT
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1475531]


Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1475532]
Comment 2 Stefan Cornelius 2017-08-24 06:26:58 EDT
LibTIFF simply tries to allocate the memory based on the information in the image. If there's not enough RAM, the OOM killer steps in and terminates the process. If you have enough RAM, all is fine.

Although one could implement mechanisms to catch this corner case early in order to handle it in a more graceful manner, I'm not sure if the library itself is the right place for that - I'll leave that to upstream.
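
Comment 2 leaves open where an early check on the image dimensions should live. As an added example (not code from LibTIFF or from this bug report), an application can inspect the first directory of a classic TIFF itself before handing the file to TIFFOpen; the function name `tiff_precheck`, the `MAX_DIM` cap and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_DIM 65536u /* assumed policy cap for this example; tune per application */
enum { TIFF_OK = 0, TIFF_MALFORMED = -1, TIFF_TOO_LARGE = -2 };

/* Constructed sample: little-endian header, one IFD with ImageWidth = 64
 * (SHORT) and ImageLength = 0xFFFFFFF0 (LONG), then a zero next-IFD offset. */
const uint8_t SAMPLE_HUGE[] = {
    'I', 'I', 42, 0, 8, 0, 0, 0, 2, 0,
    0x00, 0x01, 3, 0, 1, 0, 0, 0, 64, 0, 0, 0,
    0x01, 0x01, 4, 0, 1, 0, 0, 0, 0xF0, 0xFF, 0xFF, 0xFF,
    0, 0, 0, 0 };

/* Read an n-byte unsigned integer in the file's byte order. */
static uint32_t rd(const uint8_t *p, int n, int be) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << (8 * (be ? n - 1 - i : i));
    return v;
}

/* Parse the first IFD of a classic (non-BigTIFF) file held in buf and reject
 * it when ImageWidth (tag 256) or ImageLength (tag 257) exceeds MAX_DIM. */
int tiff_precheck(const uint8_t *buf, size_t len) {
    int be, seen_w = 0, seen_l = 0;
    if (len < 8) return TIFF_MALFORMED;
    if (buf[0] == 'I' && buf[1] == 'I') be = 0;
    else if (buf[0] == 'M' && buf[1] == 'M') be = 1;
    else return TIFF_MALFORMED;
    if (rd(buf + 2, 2, be) != 42) return TIFF_MALFORMED;
    uint32_t ifd = rd(buf + 4, 4, be);
    if (ifd > len - 2) return TIFF_MALFORMED; /* len >= 8, so no underflow */
    uint32_t n = rd(buf + ifd, 2, be);
    if ((size_t)n * 12 > len - ifd - 2) return TIFF_MALFORMED;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + 12 * (size_t)i;
        uint32_t tag = rd(e, 2, be), type = rd(e + 2, 2, be), v;
        if (tag != 256 && tag != 257) continue;
        if (type == 3) v = rd(e + 8, 2, be);      /* SHORT: first 2 value bytes */
        else if (type == 4) v = rd(e + 8, 4, be); /* LONG: all 4 value bytes */
        else return TIFF_MALFORMED;
        if (v > MAX_DIM) return TIFF_TOO_LARGE;
        if (tag == 256) seen_w = 1; else seen_l = 1;
    }
    return (seen_w && seen_l) ? TIFF_OK : TIFF_MALFORMED;
}
```

This sketch looks only at the first directory and treats BigTIFF as malformed; a file with several directories needs the same check on each one, and a per-process memory limit remains a useful backstop.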
