Red Hat Bugzilla – Bug 554371
libtiff 3.9.x crashes if wrong data type supplied for codec-local tag
Last modified: 2013-07-02 23:26:19 EDT
abrt 1.0.3 detected a crash.
Attached file: backtrace
reason: Process was terminated by signal 11 (Segmentation fault)
Created attachment 382991
Looks like it might have security implications...
This can be reproduced by running the tiffinfo command over that file. I'm moving this bug to the libtiff component.
The testcase doesn't crash libtiff on RHEL5. I wonder if upstream missed a fix.
This appears to be a crash only. libtiff is calling:
_TIFFsetString(&sp->faxdcs, va_arg(ap, char*));
But the arg ap is an integer, so it gets confused and we end up with a bad char* pointer.
I'm happy to call this not security. Tom any thoughts?
It's hard to see how it could fail to crash. The root of the problem seems to be that the file contains a LONG (i.e., integral) value for tag 34911 (FAXDCS) while the library is expecting a string. There is code in TIFFReadDirectory that checks for a type mismatch, but *it only works for tag numbers that are known to the core libtiff code*. In this case the tag is a codec-specific one, so it can't be checked by the core code, and the API for codecs appears to be misdesigned so that it's impossible for the codec to protect itself against this :-(.
I think we're going to have to punt this one upstream; it's not apparent to me what a reasonable fix would look like.
I dunno about calling it not-security. It certainly looks like crashing the library is trivial; I'm not sure whether there is scope for anything nastier. OTOH libtiff has a sufficiently bad track record that I hope nobody is using it in security-vulnerable situations anyway :-(
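The type-mismatch check discussed in the comments above, as an added illustration that is not libtiff's code: a small directory-entry validator in which the codec registers the on-disk type it expects for its own tag (FAXDCS, 34911) in the same registry the core consults, so a LONG value for an ASCII field is refused before any setter ever sees a va_arg. The registry layout, the field tables, the function names and the two 12-byte sample entries are all constructed here; only the tag number and the LONG-versus-ASCII mismatch come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TIFF 6.0 directory-entry data types (only the ones needed here). */
enum tiff_type { TIFF_BYTE = 1, TIFF_ASCII = 2, TIFF_SHORT = 3, TIFF_LONG = 4 };

/* Bitmask helper so one field may accept several on-disk types. */
#define T(t) (1u << (t))

/* One 12-byte IFD entry as found in a classic (32-bit offset) TIFF. */
struct tiff_dir_entry {
    uint16_t tag;
    uint16_t type;
    uint32_t count;
    uint32_t value_or_offset;
};

/* What a tag owner (core or codec) declares about a tag it understands. */
struct field_info {
    uint16_t tag;
    unsigned allowed_types;   /* bitmask of T(tiff_type) values */
    const char *name;
};

/* A registry is a list of field tables: the core's, then each active codec's.
 * Hypothetical layout; libtiff's real field-info handling differs. */
struct field_registry {
    const struct field_info *tables[4];
    size_t counts[4];
    size_t ntables;
};

enum check_result { TAG_OK = 0, TAG_TYPE_MISMATCH = 1, TAG_UNKNOWN = 2 };

#define TIFFTAG_IMAGEWIDTH 256
#define TIFFTAG_FAXDCS     34911   /* codec-local tag named in the report */

static const struct field_info core_fields[] = {
    { TIFFTAG_IMAGEWIDTH, T(TIFF_SHORT) | T(TIFF_LONG), "ImageWidth" },
};

/* The Fax3 codec's own table: FAXDCS must arrive as an ASCII string. */
static const struct field_info fax_fields[] = {
    { TIFFTAG_FAXDCS, T(TIFF_ASCII), "FaxDcs" },
};

static const struct field_info *lookup_field(const struct field_registry *reg, uint16_t tag)
{
    for (size_t i = 0; i < reg->ntables; i++)
        for (size_t j = 0; j < reg->counts[i]; j++)
            if (reg->tables[i][j].tag == tag)
                return &reg->tables[i][j];
    return NULL;
}

/* The check the directory reader applies before dispatching to any setter. */
enum check_result check_entry(const struct field_registry *reg, const struct tiff_dir_entry *e)
{
    const struct field_info *fi = lookup_field(reg, e->tag);
    if (fi == NULL)
        return TAG_UNKNOWN;                 /* nobody owns it: reader skips it */
    /* Guard the shift first: an out-of-range type code must never reach T(). */
    if (e->type == 0 || e->type > TIFF_LONG || !(fi->allowed_types & T(e->type)))
        return TAG_TYPE_MISMATCH;           /* refused; no char* is ever formed */
    return TAG_OK;
}

/* Decode one little-endian IFD entry from raw bytes. */
struct tiff_dir_entry parse_entry_le(const uint8_t b[12])
{
    struct tiff_dir_entry e;
    e.tag   = (uint16_t)(b[0] | b[1] << 8);
    e.type  = (uint16_t)(b[2] | b[3] << 8);
    e.count = (uint32_t)b[4] | (uint32_t)b[5] << 8 | (uint32_t)b[6] << 16 | (uint32_t)b[7] << 24;
    e.value_or_offset = (uint32_t)b[8] | (uint32_t)b[9] << 8 | (uint32_t)b[10] << 16 | (uint32_t)b[11] << 24;
    return e;
}

/* Constructed entries, not bytes from the attached testcase: tag 0x885F (34911)
 * once with type LONG (4), count 1, value 7, and once with type ASCII (2). */
static const uint8_t faxdcs_as_long[12]  = { 0x5F, 0x88, 0x04, 0x00, 1, 0, 0, 0, 7, 0, 0, 0 };
static const uint8_t faxdcs_as_ascii[12] = { 0x5F, 0x88, 0x02, 0x00, 4, 0, 0, 0, 'a', 'b', 'c', 0 };

/* Registry as the report describes it: only the core's tags are checked. */
struct field_registry core_only_registry(void)
{
    struct field_registry r = { { core_fields }, { sizeof core_fields / sizeof core_fields[0] }, 1 };
    return r;
}

/* Registry where the codec has registered its table alongside the core's. */
struct field_registry fax_registry(void)
{
    struct field_registry r = { { core_fields, fax_fields },
                                { sizeof core_fields / sizeof core_fields[0],
                                  sizeof fax_fields / sizeof fax_fields[0] }, 2 };
    return r;
}

int main(void)
{
    struct field_registry plain = core_only_registry(), withfax = fax_registry();
    struct tiff_dir_entry bad = parse_entry_le(faxdcs_as_long);
    printf("core only:  %d (2 = unknown, passed through unchecked)\n", check_entry(&plain, &bad));
    printf("with codec: %d (1 = type mismatch, rejected)\n", check_entry(&withfax, &bad));
    return 0;
}
```

With only the core table registered the LONG-typed FAXDCS entry is simply "unknown" and would be handed on unchecked, which is the situation the comments describe; once the codec's table is in the registry the same entry is rejected as a type mismatch, and an ASCII-typed entry for the same tag passes.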
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
libtiff-3.9.4-1.fc12 has been submitted as an update for Fedora 12.
libtiff-3.8.2-15.fc11 has been submitted as an update for Fedora 11.
libtiff-3.9.4-1.fc13 has been submitted as an update for Fedora 13.
libtiff-3.8.2-15.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
libtiff-3.9.4-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
libtiff-3.9.4-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.
More information and reason for this action is here: