Drew Yao of Apple Product Security reported a flaw in the LZW decoder used by libtiff to handle LZW-encoded images. Translation table used by decoding algorithm is not properly re-initialized after "code clear" code is read from the stream being decoded. When reading that code, decoder should discard previous translation table and start filling it again.
Later during the processing, no longer valid table entries may be indexed by the input stream, causing libtiff to follow no longer valid pointer. This can result in crash, memory corruption and possibly allow code execution.
Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting this issue.
Created attachment 313969 [details]
Patch proposed by Drew Yao
Makes sure all invalid translation table entries are re-seeded with zeros whenever CODE_CLEAR is read, not only during the decoder initialization phase.
Another flaws in LZW decoder used by libtiff was reported by Clay Wood in the upstream bugzilla:
This problem may occur when 2 subsequent CODE_CLEAR codes are read, as CODE_CLEAR translation table entry does not have any valid pointer to previous code.
The kdegraphics / kfax as shipped in Red Hat Enterprise Linux 2.1 and 3 contain embedded copy of libtiff library. It contains affected LZW decoder code, however, it is not used by kfax.
kfax (in versions shipped in Red Hat Enterprise Linux 2.1 and 3) only uses libtiff when printing faxes. However, kfax will refuse to open any tiff file that does not use one of CCITT-based compressions (compression types 2, 3, or 4, ), all files using any other compression methods are rejected (see notetiff() in faxinput.cpp). LZW compression id is 5.
Public now via:
libtiff-3.8.2-11.fc9 has been submitted as an update for Fedora 9.
libtiff-3.8.2-11.fc8 has been submitted as an update for Fedora 8.
libtiff-3.8.2-11.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
libtiff-3.8.2-11.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: