Remaining TIFF security issues


Remaining TIFF security issues

Havard Eidnes
Hi,

first let me express great gratitude for the release of tiff
4.0.8, it allowed me to remove quite a few patches from our
package, and solves many security issues and bugs.

We try to keep tabs on unsolved reported security issues in
packages, and there appears to be a pair which remain unsolved
even after the update to 4.0.8, so I thought I would nudge you
guys to take a closer look:

 * https://nvd.nist.gov/vuln/detail/CVE-2015-7554

   The segmentation fault reported with the test image is
   still reproducible, something I've verified.  Not sure if
   there is a bugid open for this one.

 * https://nvd.nist.gov/vuln/detail/CVE-2016-10095

   The test case on github still produces a SEGV, so this one
   appears to still be unfixed.  Also bugid 2625.

Best regards,

- Håvard
_______________________________________________
Tiff mailing list: [hidden email]
http://lists.maptools.org/mailman/listinfo/tiff
http://www.remotesensing.org/libtiff/

Re: Remaining TIFF security issues

Even Rouault-2

On Wednesday 31 May 2017 09:23:30 CEST Havard Eidnes wrote:

> Hi,
>
> first let me express great gratitude for the release of tiff
> 4.0.8, it allowed me to remove quite a few patches from our
> package, and solves many security issues and bugs.
>
> We try to keep tabs on unsolved reported security issues in
> packages, and there appears to be a pair which remain unsolved
> even after the update to 4.0.8, so I thought I would nudge you
> guys to take a closer look:
>
> * https://nvd.nist.gov/vuln/detail/CVE-2015-7554
>
>   The segmentation fault reported with the test image is
>   still reproducible, something I've verified. Not sure if
>   there is a bugid open for this one.

--> http://bugzilla.maptools.org/show_bug.cgi?id=2564

>
> * https://nvd.nist.gov/vuln/detail/CVE-2016-10095
>
>   The test case on github still produces a SEGV, so this one
>   appears to still be unfixed. Also bugid 2625.

There are a half dozen bug reports that are mostly around the same core
issue, but triggered by various TIFF utilities.

I created http://bugzilla.maptools.org/show_bug.cgi?id=2580 some time ago as
a main entry for these TIFFGetField() related issues.

I think this would deserve some brainstorming with other libtiff maintainers
to see what is the best path to solve this issue. Not clear at all for me.

Something along the proposed
http://bugzilla.maptools.org/attachment.cgi?id=751 in
http://bugzilla.maptools.org/show_bug.cgi?id=258 , extended to take into
account missing tags for LZMA, and also used when reading the TIFF
directory on the read side (to reject setting TIFF tags corresponding to
specific codecs when the codec is not enabled, so that TIFFGetField()
returns a missing tag) could be a workaround.

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com



Re: Remaining TIFF security issues

Even Rouault-2

> There are a half dozen bug reports that are mostly around the same core
> issue, but triggered by various TIFF utilities.
>
> I created http://bugzilla.maptools.org/show_bug.cgi?id=2580 some time ago as
> a main entry for these TIFFGetField() related issues.
>
> I think this would deserve some brainstorming with other libtiff maintainers
> to see what is the best path to solve this issue. Not clear at all for me.
>
> Something along the proposed
> http://bugzilla.maptools.org/attachment.cgi?id=751 in
> http://bugzilla.maptools.org/show_bug.cgi?id=258 , extended to take into
> account missing tags for LZMA, and also used when reading the TIFF
> directory on the read side (to reject setting TIFF tags corresponding to
> specific codecs when the codec is not enabled, so that TIFFGetField()
> returns a missing tag) could be a workaround.

OK I finally pushed a fix along the above lines.

Fixed per

2017-06-01 Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
behaving differently depending on whether the codec is enabled or not, and
thus can avoid stack based buffer overflows in a number of TIFF utilities
such as tiffsplit, tiffcmp, thumbnail, etc.
Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
Fixes:
http://bugzilla.maptools.org/show_bug.cgi?id=2580
http://bugzilla.maptools.org/show_bug.cgi?id=2693
http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
http://bugzilla.maptools.org/show_bug.cgi?id=2441
http://bugzilla.maptools.org/show_bug.cgi?id=2433

/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1244; previous revision: 1.1243
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v <-- libtiff/tif_dir.h
new revision: 1.55; previous revision: 1.54
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v <-- libtiff/tif_dirinfo.c
new revision: 1.127; previous revision: 1.126
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
new revision: 1.209; previous revision: 1.208

You can view it more easily in:
https://trac.osgeo.org/gdal/changeset/38774

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com


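As an added illustration of the mechanism the changelog entry above describes (example code, not libtiff's own): a toy directory reader that drops codec-specific tags unless the file's compression scheme uses them and that codec is compiled in, so a TIFFGetField()-style lookup reports the tag as missing regardless of build configuration instead of handing a utility a value from the generic code path. The tag and compression numbers are real TIFF values; the codec bitmask, the tag-to-codec table and the sample directory are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Added example, not libtiff's code: a simplified model of the 2017-06-01 fix.
   Codec-specific tags are dropped at read time unless their codec is enabled. */
#define COMPRESSION_LZW     5    /* real values from the TIFF 6.0 spec */
#define COMPRESSION_JPEG    7
#define TIFFTAG_COMPRESSION 259
#define TIFFTAG_PREDICTOR   317
#define TIFFTAG_JPEGTABLES  347
enum { CODEC_LZW = 1u, CODEC_JPEG = 2u };  /* constructed build-config bitmask */
typedef struct { uint32_t tag; uint32_t value; } Field;
typedef struct { Field fields[8]; size_t count; } Directory;
/* Constructed codec-tag map (subset of libtiff's per-codec lists); unlisted tags are core. */
static const struct { uint32_t tag, comp; unsigned codec; } codec_tags[] = {
    { TIFFTAG_PREDICTOR,  COMPRESSION_LZW,  CODEC_LZW },
    { TIFFTAG_JPEGTABLES, COMPRESSION_JPEG, CODEC_JPEG },
};
/* Mirrors _TIFFCheckFieldIsValidForCodec(): codec tag valid only if its codec matches and is enabled. */
static bool field_is_valid_for_codec(uint32_t tag, uint32_t comp, unsigned enabled) {
    for (size_t i = 0; i < sizeof codec_tags / sizeof codec_tags[0]; i++)
        if (codec_tags[i].tag == tag)
            return codec_tags[i].comp == comp && (enabled & codec_tags[i].codec) != 0;
    return true;  /* core tag: always accepted */
}
/* Directory read: learn the compression, then skip tags this build cannot interpret. */
static void read_directory(Directory *d, const Field *raw, size_t n, unsigned enabled) {
    uint32_t comp = 1;  /* COMPRESSION_NONE unless the file says otherwise */
    for (size_t i = 0; i < n; i++)
        if (raw[i].tag == TIFFTAG_COMPRESSION) comp = raw[i].value;
    d->count = 0;
    for (size_t i = 0; i < n && d->count < 8; i++)
        if (field_is_valid_for_codec(raw[i].tag, comp, enabled))
            d->fields[d->count++] = raw[i];
}
/* TIFFGetField()-style lookup: false means the tag is missing. */
static bool get_field(const Directory *d, uint32_t tag, uint32_t *out) {
    for (size_t i = 0; i < d->count; i++)
        if (d->fields[i].tag == tag) { *out = d->fields[i].value; return true; }
    return false;
}
/* Constructed LZW file carrying a predictor and a stray JPEG-tables tag;
   returns the predictor value a utility would see, or -1 when it is missing. */
static int predictor_seen_by(unsigned enabled) {
    const Field raw[] = { { TIFFTAG_COMPRESSION, COMPRESSION_LZW },
                          { TIFFTAG_PREDICTOR, 2 }, { TIFFTAG_JPEGTABLES, 99 } };
    Directory d; uint32_t v;
    read_directory(&d, raw, 3, enabled);
    return get_field(&d, TIFFTAG_PREDICTOR, &v) ? (int)v : -1;
}
```

With LZW compiled in the predictor is visible; with it absent the same file yields "missing", which is the consistent behaviour the fix aims for.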