Bug 554371 - libtiff 3.9.x crashes if wrong data type supplied for codec-local tag
Summary: libtiff 3.9.x crashes if wrong data type supplied for codec-local tag
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libtiff
Version: 14
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Tom Lane
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:55a0d4c67dd9bbf1daeff6cf2b1...
Depends On:
Blocks: 589034 CVE-2010-2630
TreeView+ depends on / blocked
 
Reported: 2010-01-11 14:53 UTC by Tim Waugh
Modified: 2013-07-03 03:26 UTC (History)
4 users (show)

Fixed In Version: libtiff-3.9.4-1.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-24 21:39:48 UTC


Attachments (Terms of Use)
File: backtrace (22.56 KB, text/plain)
2010-01-11 14:53 UTC, Tim Waugh
no flags Details

Description Tim Waugh 2010-01-11 14:53:22 UTC
abrt 1.0.3 detected a crash.

Attached file: backtrace
cmdline: /usr/libexec/tracker-extract
component: tracker
executable: /usr/libexec/tracker-extract
kernel: 2.6.31.9-174.fc12.x86_64
package: tracker-0.6.95-3.fc12
rating: 4
reason: Process was terminated by signal 11 (Segmentation fault)

Comment 1 Tim Waugh 2010-01-11 14:53:25 UTC
Created attachment 382991 [details]
File: backtrace

Comment 2 Tim Waugh 2010-01-11 14:55:00 UTC
Looks like it might have security implications...

Comment 3 Josh Bressers 2010-01-11 18:44:25 UTC
This can be reproduced by running the tiffinfo command over that file. I'm moving this bug to the libtiff component.

Comment 4 Josh Bressers 2010-01-11 18:51:43 UTC
The testcase doesn't crash libtiff on RHEL5. I wonder if upstream missed a fix.

Comment 5 Josh Bressers 2010-01-11 19:33:18 UTC
This appears to be a crash only.  libtiff is calling:

_TIFFsetString(&sp->faxdcs, va_arg(ap, char*));

But the arg ap is a integer, so it gets confused and we end up with a bad char* pointer.

I'm happy to call this not security. Tom any thoughts?

Thanks.

Comment 6 Tom Lane 2010-01-11 19:33:42 UTC
It's hard to see how it could fail to crash.  The root of the problem seems to be that the file contains a LONG (ie, integral) value for tag 34911 (FAXDCS) while the library is expecting a string.  There is code in TIFFReadDirectory that checks for a type mismatch, but *it only works for tag numbers that are known to the core libtiff code*.  In this case the tag is a codec-specific one, so it can't be checked by the core code, and the API for codecs appears to be misdesigned so that it's impossible for the codec to protect itself against this :-(.

I think we're going to have to punt this one upstream; it's not apparent to me what a reasonable fix would look like.

Comment 7 Tom Lane 2010-01-11 19:35:33 UTC
I dunno about calling it not-security.  It certainly looks like crashing the library is trivial; I'm not sure whether there is scope for anything nastier.  OTOH libtiff has a sufficiently bad track record that I hope nobody is using it in security-vulnerable situations anyway :-(

Comment 9 Tom Lane 2010-06-12 20:29:57 UTC
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210

Comment 10 Fedora Update System 2010-06-23 04:14:27 UTC
libtiff-3.9.4-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/libtiff-3.9.4-1.fc12

Comment 11 Fedora Update System 2010-06-23 04:14:47 UTC
libtiff-3.8.2-15.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libtiff-3.8.2-15.fc11

Comment 12 Fedora Update System 2010-06-23 04:15:03 UTC
libtiff-3.9.4-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/libtiff-3.9.4-1.fc13

Comment 13 Fedora Update System 2010-06-24 16:29:47 UTC
libtiff-3.8.2-15.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-07-01 18:42:59 UTC
libtiff-3.9.4-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2010-07-05 22:00:37 UTC
libtiff-3.9.4-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Bug Zapper 2010-07-30 10:49:21 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping


Note You need to log in before you can comment on or make changes to this bug.