Bug 152815 - CAN-2004-0803,0804,0886,0929,1183,1308 libtiff remote code execution
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: libtiff
Version: unspecified
Platform: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://www.debian.org/security/2004/d...
Whiteboard: 1, LEGACY, rh73, rh90
Keywords: Security
Reported: 2004-10-16 05:06 EDT by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)

Doc Type: Bug Fix
Last Closed: 2005-05-18 16:51:23 EDT
Description David Lawrence 2005-03-30 18:28:26 EST
CAN-2004-0803

    Chris Evans discovered several problems in the RLE (run length
    encoding) decoders that could lead to arbitrary code execution.

CAN-2004-0804

    Matthias Clasen discovered a division by zero through an integer
    overflow.

CAN-2004-0886

    Dmitry V. Levin discovered several integer overflows that caused
    malloc issues which can result in either a plain crash or memory
    corruption.

References:
http://www.debian.org/security/2004/dsa-567
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134850
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134848
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134847



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-16 05:07:41 ----

Also:

http://www.fedoranews.org/updates/FEDORA-2004-334.shtml



------- Additional Comments From michal@harddata.com 2004-10-16 08:51:30 ----

In principle the same libtiff library is used in all distributions
from RH7.3 to FC2.  OTOH the source for libtiff-3.5.7-20.2 from the FC2
updates has the following eight extra patches on top of what is in
libtiff-3.5.7-2, which came with RH7.3:

libtiff-3.5.7-alt-bound.patch
libtiff-3.5.7-alt-bound2.patch
libtiff-3.5.7-chris-bound.patch
libtiff-3.5.7-up-ChopUpSingleUncompressedStrip.patch
libtiff-v3.5.7-exit.patch
libtiff-v3.5.7-largefile.patch
libtiff-v3.5.7-makeflags.patch
libtiff-v3.5.7-seek.patch

Still, libtiff-3.5.7-20.2 recompiles on RH7.3 without any changes beyond a
version string and a note in the spec's %changelog, and works too.  Listings
of what is provided by the 'libtiff' and 'libtiff-devel' packages are also
basically the same.

Going through my CD with a collection of TIFF images does not show any
troubles with a library updated as above.  It is my expectation that
recompiling libtiff-3.5.7-20.2 for all needed distributions will make for
an easy security upgrade everywhere.  At least FC1 most likely can even
use FC2 binaries "as is", but recompiling may be prudent. :-)



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-19 12:59:51 ----


Here are updated libtiff packages to QA:

* Tue Oct 19 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 3.5.7-14.1.legacy
- Added security patches for CAN-2004-0803 and CAN-2004-0886

b9c858a5aa158715b13600582e96f192fb7b9425  7.3/libtiff-3.5.7-2.1.legacy.i386.rpm
85b5cacbea043e768af82b0f9de3db5f85b5032d  7.3/libtiff-3.5.7-2.1.legacy.src.rpm
8353d85bd74257af560683e55819e7a195496e29  7.3/libtiff-devel-3.5.7-2.1.legacy.i386.rpm
9e45f19e893d4824e2f43be43bd06a8c01664d98  9/libtiff-3.5.7-11.1.legacy.i386.rpm
c7afa16ac2049398064d55a9d8ec503d2d3ec381  9/libtiff-3.5.7-11.1.legacy.src.rpm
5faa8c0f46896b1e6b14e0ee06bfe6fcc2cf2341  9/libtiff-devel-3.5.7-11.1.legacy.i386.rpm
b8d3c2bb56414154bf55077aab61a7620f117740  1/libtiff-3.5.7-14.1.legacy.i386.rpm
ef2f26ec0151d0c2d8697187c27e76a7a56666db  1/libtiff-3.5.7-14.1.legacy.src.rpm
6eb1fa99c433ae988706cdc42c37761212ed93f2  1/libtiff-devel-3.5.7-14.1.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/libtiff-3.5.7-2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libtiff-3.5.7-2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/libtiff-devel-3.5.7-2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libtiff-3.5.7-11.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libtiff-3.5.7-11.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libtiff-devel-3.5.7-11.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/libtiff-3.5.7-14.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/libtiff-3.5.7-14.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/libtiff-devel-3.5.7-14.1.legacy.i386.rpm






------- Additional Comments From rob.myers@gtri.gatech.edu 2004-10-21 08:11:42 ----

I did QA on marc's FC1 package:
ef2f26ec0151d0c2d8697187c27e76a7a56666db libtiff-3.5.7-14.1.legacy.src.rpm
 
sha1sum ok
source files ok
spec file ok
patches ok (verified against libtiff-3.5.7-20.2)
builds ok
cra's rpm-build-compare script ok
installs ok
runs ok
 
+PUBLISH




------- Additional Comments From fedora-legacy-bugzilla-2004@fumika.jp 2004-10-22 18:05:45 ----


I did QA on marc's RH9 package:
http://www.infostrategique.com/linuxrpms/legacy/9/libtiff-3.5.7-11.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libtiff-3.5.7-11.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/libtiff-devel-3.5.7-11.1.legacy.i386.rpm

sha1sum matches
rpm signature ok
source files ok
spec file ok
patches ok (verified against FC2's libtiff-3.5.7-20.2)
src rebuilds ok
rpm-build-compare script ok
installs ok
runs ok
+PUBLISH





------- Additional Comments From bugzilla.fedora.us@beej.org 2004-12-02 14:29:08 ----

Do we have to worry about CAN-2004-0929?



------- Additional Comments From pekkas@netcore.fi 2004-12-19 09:52:36 ----


I spent some time reviewing this situation, and SuSE's packages, which had
old JPEG support.

Red Hat is not affected because, even though it uses 3.5.x releases and not
3.6.1, it does not define 'OJPEG_SUPPORT' anywhere, as SuSE does in
their spec files.

I have not reviewed the packages in detail but if the two publish votes are
sufficient to go forward, go for it.  If not, I can provide additional QA
for them.



------- Additional Comments From pekkas@netcore.fi 2004-12-21 20:27:44 ----

Uh-oh, these just hit bugtraq:

====
libtiff Directory Entry Count Integer Overflow Vulnerability
iDEFENSE Security Advisory 12.21.04
www.idefense.com/application/poi/display?id=174&type=vulnerabilities
====
libtiff STRIPOFFSETS Integer Overflow Vulnerability
iDEFENSE Security Advisory 12.21.04
www.idefense.com/application/poi/display?id=173&type=vulnerabilities
December 21, 2004
====

The patch is included in one of the above, and the second is fixed in 3.7.0.
I guess this requires repackaging...





------- Additional Comments From bugzilla.fedora.us@beej.org 2004-12-21 23:36:57 ----

The two new bugs have been lumped together under CAN-2004-1308.



------- Additional Comments From pekkas@netcore.fi 2004-12-23 12:00:56 ----

The fix for CAN-2004-1308 (the first problem) can be found at:

http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/libtiff/FC-3/libtiff-3.5.5-nmemb.patch?rev=1.1

and it's also stated at:
http://www.idefense.com/application/poi/display?id=174&type=vulnerabilities&flashstatus=true

The second problem is the one that was already discovered earlier and fixed as well.

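The description's "integer overflows that caused malloc issues" and the nmemb patch referenced above for CAN-2004-1308 concern the same bug class: an entry count multiplied by an entry size that wraps before malloc(). The C below is an added illustration of that class beside its overflow-checked fix; it is not libtiff's code, and the 4-byte count, the directory layout and the sample buffers are constructed for the example (TIFF itself uses a 16-bit count and 12-byte IFD entries).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not libtiff's code: a header states how many
 * fixed-size entries follow and the allocation is count * entry size; in
 * 32-bit arithmetic that product can wrap, so malloc() returns a small buffer
 * and the following copy overflows it. TIFF IFD entries are 12 bytes; the
 * 4-byte little-endian count used here is constructed for the example. */
#define ENTRY_SIZE 12u

/* Unchecked size computation: wraps modulo 2^32 (the vulnerable shape). */
uint32_t unsafe_alloc_size(uint32_t nmemb, uint32_t elem)
{
    return nmemb * elem;
}

/* Checked shape of an nmemb-aware allocator wrapper: returns the byte count,
 * or 0 when nmemb * elem would not fit in 32 bits (zero requests rejected). */
uint32_t checked_alloc_size(uint32_t nmemb, uint32_t elem)
{
    if (nmemb == 0 || elem == 0 || nmemb > UINT32_MAX / elem)
        return 0;
    return nmemb * elem;
}

/* Parse the constructed directory (4-byte count, then count * ENTRY_SIZE
 * bytes). Returns the entry count, or -1 if the input is rejected. */
long read_directory(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return -1;
    uint32_t count = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                     (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    uint32_t bytes = checked_alloc_size(count, ENTRY_SIZE);
    if (bytes == 0 || bytes > len - 4)
        return -1;                    /* overflow, or shorter than claimed */
    uint8_t *entries = malloc(bytes);
    if (entries == NULL)
        return -1;
    memcpy(entries, buf + 4, bytes);  /* safe: bytes <= len - 4 */
    free(entries);
    return (long)count;
}

/* Constructed inputs: two 12-byte entries, and a count of 0x15555556 whose
 * unchecked product (0x15555556 * 12 == 2^32 + 8) wraps to only 8 bytes. */
const uint8_t sample_ok[4 + 2 * ENTRY_SIZE] = { 0x02, 0x00, 0x00, 0x00 };
const uint8_t sample_wrap[4 + 8] = { 0x56, 0x55, 0x55, 0x15 };
```

With the unchecked computation, sample_wrap would request an 8-byte buffer for what the header claims are 357,913,942 entries; the checked version rejects it before any allocation.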


------- Additional Comments From fedora-legacy-bugzilla-2004@fumika.jp 2005-01-06 05:00:54 ----

A new integer overflow vulnerability has been reported in tiffdump.

The vulnerability can potentially be exploited by malicious people to compromise
a user's system.

http://secunia.com/advisories/13728/

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1183





------- Additional Comments From deisenst@gtw.net 2005-01-15 01:59:58 ----

See Red Hat Bugzilla # 143576...

RedHat released libtiff-3.5.7-22.fc2 in Fedora Update Notification
FEDORA-2005-597, which I believe fixes CAN-2004-1183, and may address
many others in our list of CVEs.

http://www.redhat.com/archives/fedora-announce-list/2005-January/msg00023.html

Perhaps we can use their SRPM as-is for FC1, and backport their fixes for
RH 7.3 and RH 9.0 (if backporting is even needed?)?

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/SRPMS/libtiff-3.5.7-22.fc2.src.rpm




------- Additional Comments From deisenst@gtw.net 2005-01-15 02:08:05 ----

Oh.  Also see:

http://rhn.redhat.com/errata/RHSA-2005-019.html



------- Additional Comments From michal@harddata.com 2005-02-07 12:33:22 ----

Sources for libtiff-3.5.7-22 are really the same from RHEL3 to FC2, and the
only thing needed is to edit the release identification strings in the spec,
add a changelog entry and recompile.

At least on RH7.3 this is done without any trouble at all, and it is not likely
that any difficulties will crop up anywhere else.



------- Additional Comments From pekkas@netcore.fi 2005-02-18 22:19:51 ----


Here are packages for you to QA:
 - taking Marc's earlier packages as a basis
 - applying the two new patches as-is from RHEL3

http://www.netcore.fi/pekkkas/linux/libtiff-3.5.7-2.2.legacy.src.rpm (RHL73)
http://www.netcore.fi/pekkkas/linux/libtiff-3.5.7-11.2.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkkas/linux/libtiff-3.5.7-14.2.legacy.src.rpm (FC1)

3effb009fad8d1fac424929dd599cf4a883a0397  libtiff-3.5.7-11.2.legacy.src.rpm
e64c7f7f3ae678e6052c192d9eb62b024dd7b5a1  libtiff-3.5.7-14.2.legacy.src.rpm
57d80b508e112cad509090f3998aee0558ba09c9  libtiff-3.5.7-2.2.legacy.src.rpm

* Sat Feb 19 2005 Pekka Savola <pekkas@netcore.fi> 3.5.7-2.2.legacy
- Added security patches for CAN-2004-{1183,1308} from RHEL (#2163)




------- Additional Comments From michal@harddata.com 2005-02-19 06:28:05 ----

Ah, read the above

http://www.netcore.fi/pekkas/linux/libtiff-3.5.7-2.2.legacy.src.rpm (RHL73)
http://www.netcore.fi/pekkas/linux/libtiff-3.5.7-11.2.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkas/linux/libtiff-3.5.7-14.2.legacy.src.rpm (FC1)

We got three for a price of two. :-)



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-03 15:21:30 ----


I did QA on the packages in comment 15:

3effb009fad8d1fac424929dd599cf4a883a0397  libtiff-3.5.7-11.2.legacy.src.rpm
e64c7f7f3ae678e6052c192d9eb62b024dd7b5a1  libtiff-3.5.7-14.2.legacy.src.rpm
57d80b508e112cad509090f3998aee0558ba09c9  libtiff-3.5.7-2.2.legacy.src.rpm

- Source files match previous release
- New patch files match RHEL3 libtiff
- Spec file changes are good

+PUBLISH




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 05:01:28 ----

These are ready to go.



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 08:50:53 ----

packages were pushed to updates-testing



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 -------

This bug previously known as bug 2163 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2163
Originally filed under the Fedora Legacy product and Package request component.
Bug blocks bug(s) 2164.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Pekka Savola 2005-05-11 03:17:04 EDT
I tested this on RHL9; gpg signature was OK.

At first, xemacs wouldn't start because it couldn't find libtiff.so.3, but I
think this is because of our screwed up updates (we have a newer version of
libtiff installed locally, so I upgraded it with --oldpackage).

This started working after I removed libtiff, and installed the old original
version back, so I think this is enough for a VERIFY.

I'd suggest, however, that others verifying the other versions keep their eyes open.
Comment 2 mschout 2005-05-11 12:45:43 EDT

7.3 verify

sha1:
524fd6c80901dbd665cfbf0b4ba1eea276a95cca
libtiff-3.5.7-2.2.legacy.i386.rpm

3ced2ba5eac07c60515a41d73dbfb0df36cfc962
libtiff-devel-3.5.7-2.2.legacy.i386.rpm

signatures:
libtiff-3.5.7-2.2.legacy.i386.rpm: md5 gpg OK
libtiff-devel-3.5.7-2.2.legacy.i386.rpm: md5 gpg OK

Packages install without any errors or warnings.

I tested by running tiffinfo and tiff2bw.  Everything seems to be working as
expected.

+VERIFY RHL7.3
Comment 3 mschout 2005-05-11 12:51:38 EDT

FC1 verify

sha1:
8dd2d8035eaf4b0e41cc7ac68536b752387a1cc8  libtiff-3.5.7-14.2.legacy.i386.rpm
4475fb4f26ab358d1c9bf8b6e8da060eace1a8dd  libtiff-devel-3.5.7-14.2.legacy.i386.rpm

signatures:
libtiff-3.5.7-14.2.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (a3d0d141341815bd1b33750e449e358e050e78b5)
    MD5 digest: OK (304fd7d1008608ae590fec97a56abecf)
    V3 DSA signature: OK, key ID 731002fa
libtiff-devel-3.5.7-14.2.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (3e186676cd1c3589a6884fd9d11da5321cd9cf4b)
    MD5 digest: OK (d9d46810bb01003a985f8b0e240edf8d)
    V3 DSA signature: OK, key ID 731002fa

Packages install without any errors or warnings.

I tested by running tiffinfo and tiff2bw (same tests as I did under 7.3
above).  Everything seems to be working as expected.

+VERIFY FC1
Comment 4 mschout 2005-05-11 15:14:51 EDT
I think the whiteboard is wrong on this one.  needsbuild should be needsrelease,
right?  The packages I verified were in updates-testing already.
Comment 5 Pekka Savola 2005-05-11 15:21:02 EDT
Oops, sorry, I must have been half-asleep ;-/
Comment 6 John Dalbec 2005-05-13 17:04:18 EDT
Bug 157698 Submitted: LibTIFF TIFFOpen Buffer Overflow Vulnerability
Comment 7 Marc Deslauriers 2005-05-18 16:51:23 EDT
These packages were officially released.
