Bug 1475530 (CVE-2017-11613) - CVE-2017-11613 libtiff: Memory leak via corrupt td_imagelength in TIFFOpen function
Summary: CVE-2017-11613 libtiff: Memory leak via corrupt td_imagelength in TIFFOpen fu...
Alias: CVE-2017-11613
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1475531 1475532
Blocks: 1475533
TreeView+ depends on / blocked
Reported: 2017-07-26 20:47 UTC by Pedro Sampaio
Modified: 2021-02-17 01:48 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-30 08:25:27 UTC

Attachments (Terms of Use)

Description Pedro Sampaio 2017-07-26 20:47:58 UTC
In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. 



Comment 1 Pedro Sampaio 2017-07-26 20:48:24 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1475531]

Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1475532]

Comment 2 Stefan Cornelius 2017-08-24 10:26:58 UTC
LibTIFF simply tries to allocate the memory based on the information in the image. If there's not enough RAM, the OOM killer steps in and terminates the process. If you have enough RAM, all is fine.

Although one could implement mechanisms to catch this corner case early in order to handle it in a more graceful manner, I'm not sure if the library itself is the right place for that - I'll leave that to upstream.

Comment 3 Doran Moppert 2020-02-11 00:29:59 UTC

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.

Note You need to log in before you can comment on or make changes to this bug.