Bug 1475530 (CVE-2017-11613) - CVE-2017-11613 libtiff: Memory leak via corrupt td_imagelength in TIFFOpen function
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-11613
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1475532 1475531
Blocks: 1475533
Reported: 2017-07-26 20:47 UTC by Pedro Sampaio
Modified: 2020-02-11 00:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-30 08:25:27 UTC



Description Pedro Sampaio 2017-07-26 20:47:58 UTC
In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. 

References:

https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869823

Comment 1 Pedro Sampaio 2017-07-26 20:48:24 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1475531]


Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1475532]

Comment 2 Stefan Cornelius 2017-08-24 10:26:58 UTC
LibTIFF simply tries to allocate the memory based on the information in the image. If there's not enough RAM, the OOM killer steps in and terminates the process. If you have enough RAM, all is fine.

Although one could implement mechanisms to catch this corner case early in order to handle it in a more graceful manner, I'm not sure if the library itself is the right place for that - I'll leave that to upstream.
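A pre-open sanity check for the situation the description and Comment 2 both describe, added here as an illustration and not code from the report, from the reporter's gist or from libtiff itself: it parses only the TIFF header and the first IFD, computes the uncompressed size that the declared ImageWidth, ImageLength, BitsPerSample and SamplesPerPixel imply, and refuses a file whose declared size exceeds a caller-chosen budget before the file ever reaches TIFFOpen. The function names, the budget and the two constructed sample files are assumptions of this example; it handles classic TIFF (magic 42) only and ignores strip and tile tags.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TIFF 6.0 tag numbers consulted for the size estimate. */
#define TAG_IMAGEWIDTH      256
#define TAG_IMAGELENGTH     257
#define TAG_BITSPERSAMPLE   258
#define TAG_SAMPLESPERPIXEL 277

static uint16_t rd16(const unsigned char *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const unsigned char *p, int le) {
    return le ? ((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24))
              : (((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}
static void put16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }
static void put32(unsigned char *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

/* First value of a SHORT (type 3) or LONG (type 4) IFD entry, whether stored
 * inline or at an offset. Returns 0 for other types or an out-of-bounds offset. */
static int entry_value(const unsigned char *buf, size_t len, const unsigned char *e, int le, uint32_t *out) {
    uint16_t type = rd16(e + 2, le);
    uint32_t count = rd32(e + 4, le);
    size_t elem = type == 3 ? 2 : type == 4 ? 4 : 0;
    if (elem == 0 || count == 0) return 0;
    const unsigned char *v = e + 8;                 /* value fits in the 4-byte field */
    if ((uint64_t)elem * count > 4) {               /* otherwise the field holds an offset */
        uint32_t off = rd32(e + 8, le);
        if (off > len || len - off < elem) return 0;
        v = buf + off;
    }
    *out = elem == 2 ? rd16(v, le) : rd32(v, le);
    return 1;
}

/* Estimate the uncompressed size the first IFD declares and compare it with a
 * budget. Returns 1 within budget, 0 over budget (or nonsensical sample layout),
 * -1 if the header or IFD cannot be parsed. Classic TIFF only. */
int tiff_declared_size_ok(const unsigned char *buf, size_t len, uint64_t max_bytes, uint64_t *estimated) {
    *estimated = 0;
    if (len < 8) return -1;
    int le;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;
    uint32_t ifd = rd32(buf + 4, le);
    if (ifd > len || len - ifd < 2) return -1;
    uint16_t n = rd16(buf + ifd, le);
    if ((uint64_t)n * 12 > len - ifd - 2) return -1;

    uint32_t width = 0, length = 0, bps = 1, spp = 1, v;
    for (uint16_t i = 0; i < n; i++) {
        const unsigned char *e = buf + ifd + 2 + (size_t)i * 12;
        if (!entry_value(buf, len, e, le, &v)) continue;
        switch (rd16(e, le)) {
            case TAG_IMAGEWIDTH:      width = v;  break;
            case TAG_IMAGELENGTH:     length = v; break;
            case TAG_BITSPERSAMPLE:   bps = v;    break;
            case TAG_SAMPLESPERPIXEL: spp = v;    break;
        }
    }
    if (width == 0 || length == 0) return -1;

    /* Bound the intermediate terms so the final multiplication cannot wrap. */
    uint64_t bits_per_pixel = (uint64_t)spp * bps;
    if (bits_per_pixel == 0 || bits_per_pixel > 1024) { *estimated = UINT64_MAX; return 0; }
    uint64_t row_bytes = ((uint64_t)width * bits_per_pixel + 7) / 8;     /* below 2^43 */
    if (length > UINT64_MAX / row_bytes) { *estimated = UINT64_MAX; return 0; }
    *estimated = row_bytes * length;
    return *estimated <= max_bytes ? 1 : 0;
}

/* Constructed test input (not from the report): a minimal little-endian TIFF whose
 * first IFD declares the given ImageWidth/ImageLength, 8 bits/sample, 1 sample/pixel. */
size_t build_sample_tiff(unsigned char out[64], uint32_t width, uint32_t length) {
    const uint16_t tags[4]  = {TAG_IMAGEWIDTH, TAG_IMAGELENGTH, TAG_BITSPERSAMPLE, TAG_SAMPLESPERPIXEL};
    const uint16_t types[4] = {4, 4, 3, 3};                        /* LONG, LONG, SHORT, SHORT */
    const uint32_t vals[4]  = {width, length, 8, 1};
    unsigned char *p = out;
    memcpy(p, "II", 2); p += 2;
    put16(p, 42); p += 2;                                          /* classic TIFF magic */
    put32(p, 8);  p += 4;                                          /* first IFD follows the header */
    put16(p, 4);  p += 2;                                          /* four directory entries */
    for (int i = 0; i < 4; i++) {
        put16(p, tags[i]);  p += 2;
        put16(p, types[i]); p += 2;
        put32(p, 1);        p += 4;                                /* count 1: value is inline */
        put32(p, vals[i]);  p += 4;                                /* SHORT sits left-justified */
    }
    put32(p, 0); p += 4;                                           /* no further IFDs */
    return (size_t)(p - out);
}

int sample_verdict(uint32_t width, uint32_t length, uint64_t max_bytes) {
    unsigned char buf[64]; uint64_t est;
    return tiff_declared_size_ok(buf, build_sample_tiff(buf, width, length), max_bytes, &est);
}
uint64_t sample_estimate(uint32_t width, uint32_t length) {
    unsigned char buf[64]; uint64_t est;
    tiff_declared_size_ok(buf, build_sample_tiff(buf, width, length), UINT64_MAX, &est);
    return est;
}

int main(void) {
    printf("4x4 image: verdict %d, %llu bytes\n", sample_verdict(4, 4, 1u << 20),
           (unsigned long long)sample_estimate(4, 4));
    printf("corrupt ImageLength: verdict %d, %llu bytes\n", sample_verdict(65536, 0xFFFFFFFFu, 1u << 20),
           (unsigned long long)sample_estimate(65536, 0xFFFFFFFFu));
    return 0;
}
```

The budget (1 MiB in the sample calls) stands in for whatever the consuming application can actually afford; the point is that the decision is made from the declared dimensions alone, with no allocation, so a file whose ImageLength is set near the size of RAM is rejected instead of reaching the allocation path the report describes. Newer libtiff releases (4.5.0 and later) expose TIFFOpenOptionsSetMaxSingleMemAlloc for the same purpose inside the library, which is the kind of upstream mechanism Comment 2 defers to.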

Comment 3 Doran Moppert 2020-02-11 00:29:59 UTC
Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.

