Bug 554371 - libtiff 3.9.x crashes if wrong data type supplied for codec-local tag
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libtiff
Version: 14
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Tom Lane
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:55a0d4c67dd9bbf1daeff6cf2b1...
Keywords: Security
Depends On:
Blocks: 589034 CVE-2010-2630
Reported: 2010-01-11 09:53 EST by Tim Waugh
Modified: 2013-07-02 23:26 EDT
CC: 4 users
Fixed In Version: libtiff-3.9.4-1.fc14
Doc Type: Bug Fix
Last Closed: 2012-05-24 17:39:48 EDT
Attachments
backtrace (22.56 KB, text/plain), 2010-01-11 09:53 EST, Tim Waugh
Description Tim Waugh 2010-01-11 09:53:22 EST
abrt 1.0.3 detected a crash.

Attached file: backtrace
cmdline: /usr/libexec/tracker-extract
component: tracker
executable: /usr/libexec/tracker-extract
kernel: 2.6.31.9-174.fc12.x86_64
package: tracker-0.6.95-3.fc12
rating: 4
reason: Process was terminated by signal 11 (Segmentation fault)
Comment 1 Tim Waugh 2010-01-11 09:53:25 EST
Created attachment 382991 [details]
File: backtrace
Comment 2 Tim Waugh 2010-01-11 09:55:00 EST
Looks like it might have security implications...
Comment 3 Josh Bressers 2010-01-11 13:44:25 EST
This can be reproduced by running the tiffinfo command over that file. I'm moving this bug to the libtiff component.
Comment 4 Josh Bressers 2010-01-11 13:51:43 EST
The testcase doesn't crash libtiff on RHEL5. I wonder if upstream missed a fix.
Comment 5 Josh Bressers 2010-01-11 14:33:18 EST
This appears to be a crash only.  libtiff is calling:

_TIFFsetString(&sp->faxdcs, va_arg(ap, char*));

But the arg ap is an integer, so it gets confused and we end up with a bad char* pointer.

I'm happy to call this not security. Tom any thoughts?

Thanks.
Comment 6 Tom Lane 2010-01-11 14:33:42 EST
It's hard to see how it could fail to crash.  The root of the problem seems to be that the file contains a LONG (ie, integral) value for tag 34911 (FAXDCS) while the library is expecting a string.  There is code in TIFFReadDirectory that checks for a type mismatch, but *it only works for tag numbers that are known to the core libtiff code*.  In this case the tag is a codec-specific one, so it can't be checked by the core code, and the API for codecs appears to be misdesigned so that it's impossible for the codec to protect itself against this :-(.

I think we're going to have to punt this one upstream; it's not apparent to me what a reasonable fix would look like.
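The directory-read check described in comment 6 (and the va_arg dispatch it is meant to guard, from comment 5), as an added example rather than libtiff code: the core reader keeps a tag/expected-type table, codecs register their own tags into the same table, and every IFD entry is checked against the table before its value can reach a setfield handler. Tag numbers (ImageWidth 256, FAXDCS 34911), the type codes and the 12-byte little-endian entry layout follow the TIFF 6.0 specification; the table layout, the function names, the SHORT-for-LONG leniency and the sample entries are this example's own constructions, not bytes from the crashing file.

```c
/* Added example, not libtiff code: a directory-entry type check that also
 * covers codec-registered tags.  Tag numbers, type codes and the IFD entry
 * layout follow TIFF 6.0; table, function names and leniency rule are ours. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TIFF_BYTE = 1, TIFF_ASCII = 2, TIFF_SHORT = 3, TIFF_LONG = 4 };

#define TAG_IMAGEWIDTH 256
#define TAG_FAXDCS     34911   /* the codec-local tag from this report */

struct field_info { uint16_t tag; uint16_t expected_type; const char *name; };

/* What the core reader knows by itself. */
static const struct field_info core_fields[] = {
    { TAG_IMAGEWIDTH, TIFF_LONG, "ImageWidth" },
};

/* Codec-supplied entries: a codec registers tag + expected type up front so
 * the core check can reject a bad entry before any setfield handler runs. */
#define MAX_CODEC_FIELDS 8
static struct field_info codec_fields[MAX_CODEC_FIELDS];
static size_t n_codec_fields;

/* 0 on success, -1 if the table is full; re-registering a tag updates it. */
int register_codec_field(uint16_t tag, uint16_t type, const char *name)
{
    size_t i;
    for (i = 0; i < n_codec_fields; i++)
        if (codec_fields[i].tag == tag) break;
    if (i == n_codec_fields) {
        if (n_codec_fields == MAX_CODEC_FIELDS) return -1;
        n_codec_fields++;
    }
    codec_fields[i].tag = tag;
    codec_fields[i].expected_type = type;
    codec_fields[i].name = name;
    return 0;
}

static const struct field_info *lookup_field(uint16_t tag)
{
    size_t i;
    for (i = 0; i < sizeof core_fields / sizeof core_fields[0]; i++)
        if (core_fields[i].tag == tag) return &core_fields[i];
    for (i = 0; i < n_codec_fields; i++)
        if (codec_fields[i].tag == tag) return &codec_fields[i];
    return NULL;
}

/* SHORT is accepted where LONG is expected; anything else must match. */
static int type_compatible(uint16_t expected, uint16_t actual)
{
    return expected == actual || (expected == TIFF_LONG && actual == TIFF_SHORT);
}

enum { ENTRY_OK = 0, ENTRY_UNKNOWN_TAG = 1, ENTRY_TYPE_MISMATCH = 2 };

/* Check one IFD entry: tag(2) type(2) count(4) value-or-offset(4), LE.
 * A mismatch means the value is never handed to the tag's setfield handler,
 * which is where va_arg(ap, char*) on an integer produces a bad pointer. */
int check_ifd_entry(const uint8_t *e)
{
    uint16_t tag  = (uint16_t)(e[0] | (e[1] << 8));
    uint16_t type = (uint16_t)(e[2] | (e[3] << 8));
    const struct field_info *fi = lookup_field(tag);
    if (fi == NULL) return ENTRY_UNKNOWN_TAG;   /* unknown tag: skip, don't dispatch */
    return type_compatible(fi->expected_type, type) ? ENTRY_OK : ENTRY_TYPE_MISMATCH;
}

/* Walk an IFD (entry count, then entries).  Returns the number of entries
 * rejected for a type mismatch, or -1 if the directory is truncated. */
int scan_ifd(const uint8_t *ifd, size_t len)
{
    size_t n, i;
    int mismatches = 0;
    if (len < 2) return -1;
    n = (size_t)(ifd[0] | (ifd[1] << 8));
    if (len < 2 + n * 12) return -1;
    for (i = 0; i < n; i++)
        if (check_ifd_entry(ifd + 2 + i * 12) == ENTRY_TYPE_MISMATCH)
            mismatches++;
    return mismatches;
}

/* Constructed sample entries (not bytes from the crashing file). */
static const uint8_t entry_width_long[12] =
    { 0x00,0x01, 0x04,0x00, 0x01,0x00,0x00,0x00, 0x40,0x00,0x00,0x00 }; /* 256 LONG 1 -> 64 */
static const uint8_t entry_faxdcs_long[12] =
    { 0x5F,0x88, 0x04,0x00, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 }; /* 34911 LONG 1 -> 0 */
static const uint8_t entry_faxdcs_ascii[12] =
    { 0x5F,0x88, 0x02,0x00, 0x04,0x00,0x00,0x00, 'D','C','S',0x00 };    /* 34911 ASCII "DCS" */
static const uint8_t sample_ifd[2 + 2 * 12] = {
    0x02,0x00,
    0x00,0x01, 0x04,0x00, 0x01,0x00,0x00,0x00, 0x40,0x00,0x00,0x00,
    0x5F,0x88, 0x04,0x00, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

int main(void)
{
    register_codec_field(TAG_FAXDCS, TIFF_ASCII, "FaxDcs");
    printf("ImageWidth as LONG    : %d (0 = ok)\n", check_ifd_entry(entry_width_long));
    printf("FaxDcs stored as LONG : %d (2 = type mismatch)\n", check_ifd_entry(entry_faxdcs_long));
    printf("FaxDcs stored as ASCII: %d (0 = ok)\n", check_ifd_entry(entry_faxdcs_ascii));
    printf("rejected entries in sample IFD: %d\n", scan_ifd(sample_ifd, sizeof sample_ifd));
    return 0;
}
```

Without the codec registration the FAXDCS entry is merely unknown and skipped; once the codec has registered it as ASCII, the LONG-typed entry from the malformed file is rejected at directory-read time instead of being fed to the setfield handler as a char*.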
Comment 7 Tom Lane 2010-01-11 14:35:33 EST
I dunno about calling it not-security.  It certainly looks like crashing the library is trivial; I'm not sure whether there is scope for anything nastier.  OTOH libtiff has a sufficiently bad track record that I hope nobody is using it in security-vulnerable situations anyway :-(
Comment 9 Tom Lane 2010-06-12 16:29:57 EDT
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
Comment 10 Fedora Update System 2010-06-23 00:14:27 EDT
libtiff-3.9.4-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/libtiff-3.9.4-1.fc12
Comment 11 Fedora Update System 2010-06-23 00:14:47 EDT
libtiff-3.8.2-15.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libtiff-3.8.2-15.fc11
Comment 12 Fedora Update System 2010-06-23 00:15:03 EDT
libtiff-3.9.4-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/libtiff-3.9.4-1.fc13
Comment 13 Fedora Update System 2010-06-24 12:29:47 EDT
libtiff-3.8.2-15.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2010-07-01 14:42:59 EDT
libtiff-3.9.4-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2010-07-05 18:00:37 EDT
libtiff-3.9.4-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Bug Zapper 2010-07-30 06:49:21 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
