Bug 458674 - (CVE-2008-2327) CVE-2008-2327 libtiff: use of uninitialized memory in LZW decoder
CVE-2008-2327 libtiff: use of uninitialized memory in LZW decoder
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=vendor-sec,reported=20080805,p...
: Security
Depends On: 458809 458810 458812 458813 458814 458815 809174
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-11 10:24 EDT by Tomas Hoger
Modified: 2012-04-02 12:39 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-09 04:40:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch proposed by Drew Yao (672 bytes, patch)
2008-08-11 10:27 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2008-08-11 10:24:08 EDT
Drew Yao of Apple Product Security reported a flaw in the LZW decoder used by libtiff to handle LZW-encoded images.  Translation table used by decoding algorithm is not properly re-initialized after "code clear" code is read from the stream being decoded.  When reading that code, decoder should discard previous translation table and start filling it again.

Later during the processing, no longer valid table entries may be indexed by the input stream, causing libtiff to follow no longer valid pointer.  This can result in crash, memory corruption and possibly allow code execution.

References:
http://www.remotesensing.org/libtiff/
http://en.wikipedia.org/wiki/Lzw

Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for
reporting this issue.
Comment 1 Tomas Hoger 2008-08-11 10:27:10 EDT
Created attachment 313969 [details]
Patch proposed by Drew Yao

Makes sure all invalid translation table entries are re-seeded with zeros whenever CODE_CLEAR is read, not only during the decoder initialization phase.
Comment 3 Tomas Hoger 2008-08-11 11:26:36 EDT
Another flaws in LZW decoder used by libtiff was reported by Clay Wood in the upstream bugzilla:

  http://bugzilla.maptools.org/show_bug.cgi?id=1929

This problem may occur when 2 subsequent CODE_CLEAR codes are read, as CODE_CLEAR translation table entry does not have any valid pointer to previous code.
Comment 14 Tomas Hoger 2008-08-18 10:42:01 EDT
The kdegraphics / kfax as shipped in Red Hat Enterprise Linux 2.1 and 3 contain embedded copy of libtiff library.  It contains affected LZW decoder code, however, it is not used by kfax.

kfax (in versions shipped in Red Hat Enterprise Linux 2.1 and 3) only uses libtiff when printing faxes.  However, kfax will refuse to open any tiff file that does not use one of CCITT-based compressions (compression types 2, 3, or 4, [1]), all files using any other compression methods are rejected (see notetiff() in faxinput.cpp).  LZW compression id is 5.

[1] http://www.awaresystems.be/imaging/tiff/tifftags/compression.html
Comment 15 Tomas Hoger 2008-08-26 08:41:17 EDT
Public now via:

http://secunia.com/advisories/31610/
http://security-tracker.debian.net/tracker/CVE-2008-2327

Lifting embargo.
Comment 18 Fedora Update System 2008-08-26 12:17:28 EDT
libtiff-3.8.2-11.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libtiff-3.8.2-11.fc9
Comment 19 Fedora Update System 2008-08-26 12:17:30 EDT
libtiff-3.8.2-11.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/libtiff-3.8.2-11.fc8
Comment 20 Fedora Update System 2008-09-10 02:37:20 EDT
libtiff-3.8.2-11.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2008-09-10 02:39:54 EDT
libtiff-3.8.2-11.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.