Bug 1649385 (CVE-2018-19210) - CVE-2018-19210 libtiff: NULL pointer dereference in TIFFWriteDirectorySec function in tif_dirwrite.c
Summary: CVE-2018-19210 libtiff: NULL pointer dereference in TIFFWriteDirectorySec fun...
Alias: CVE-2018-19210
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1649387 1649388 1649389 1649391 1649392
Blocks: 1649390
TreeView+ depends on / blocked
Reported: 2018-11-13 14:41 UTC by Laura Pardo
Modified: 2020-12-17 10:01 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-11-16 09:45:50 UTC

Attachments (Terms of Use)

Description Laura Pardo 2018-11-13 14:41:15 UTC
In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset. 


Comment 1 Laura Pardo 2018-11-13 14:42:30 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1649387]

Created mingw-libtiff tracking bugs for this issue:

Affects: epel-7 [bug 1649388]
Affects: fedora-all [bug 1649389]

Comment 3 Huzaifa S. Sidhpurwala 2018-11-16 09:45:50 UTC
This is reproduce-able without ASAN builds as well. valgrind shows Null pointer deref with the following errors:

poc0: Failed to allocate memory for to read TIFF directory (0 elements of 12 bytes each).
TIFFReadDirectory: Failed to read directory at offset 5356.

Running without valgrind yeilds segfault.

There is no upstream patch yet.

Note You need to log in before you can comment on or make changes to this bug.