tiff2ps crashed with SIGSEGV in TIFFReadScanline()

Bug #380149 reported by Dekar
Affects          Status        Importance  Assigned to        Milestone
tiff (Debian)    Fix Released  Unknown
tiff (Ubuntu)    Fix Released  Medium      Kees Cook
  Dapper         Fix Released  Medium      Jamie Strandboge
  Hardy          Fix Released  Medium      Jamie Strandboge
  Intrepid       Fix Released  Medium      Jamie Strandboge
  Jaunty         Fix Released  Medium      Jamie Strandboge
  Karmic         Fix Released  Medium      Kees Cook

Bug Description

dekar@dekar-laptop:~$ lsb_release -rd
Description: Ubuntu 8.10
Release: 8.10
dekar@dekar-laptop:~$ apt-cache policy libtiff4
libtiff4:
  Installed: 3.8.2-11
  Candidate: 3.8.2-11
  Version table:
 *** 3.8.2-11 0
        500 http://ftp.hosteurope.de intrepid/main Packages
        100 /var/lib/dpkg/status

It crashes my Jaunty and my Lenny system as well!
The file has recently been used by hackers to run unsigned code on the Sony PSP console (it also uses libtiff) so it is likely to allow code execution on Ubuntu as well. The PSP has a MIPS CPU so the file I uploaded shouldn't do any harm to a normal x86er system (except the crash) - though I don't guarantee anything ;)

To try the exploit simply extract it to a folder and wait till Nautilus tries to generate a thumbnail. It even crashed my Firefox when I tried to upload it uncompressed.

Dekar (dekar-wc3edit) wrote :
visibility: private → public
vhahn (victor-tirm) wrote :

also crashes Konqueror

Changed in tiff (Ubuntu):
status: New → Confirmed
Dekar (dekar-wc3edit)
Changed in debian:
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

I can confirm this as well. Simply using tiff2ps (from libtiff-tools) on the file causes a segmentation fault.

Changed in tiff (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
summary: - Tiff exploit crashes libtiff and applications using it. Code execution
- is most likely possible!
+ PSP tiff exploit crashes libtiff4
Changed in tiff (Ubuntu Dapper):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in tiff (Ubuntu Hardy):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in tiff (Ubuntu Intrepid):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in tiff (Ubuntu Jaunty):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Dekar (dekar-wc3edit) wrote : Re: PSP tiff exploit crashes libtiff4

Why did you remove the code execution part? If this libtiff exploit is able to execute code on a MIPS CPU it is really likely it could do the same on x86er using exactly the same library! And since code execution is likely it should be critical and not medium!

Jamie Strandboge (jdstrand) wrote :

The summary was cleaned up because it was too long, however the description is left intact. The bug was initially set to medium as per https://wiki.ubuntu.com/SecurityTeam/BugTriage#Priority. This may change after further evaluation of the bug.

Dekar (dekar-wc3edit) wrote :

So when will this critical bug be fixed? Do you wait till there is abuse first - and thousands of users are infected with trojans?

Kees Cook (kees) wrote :

I've attached the reproduction of the crash in a duplicate bug. At first glance, this appears to be a NULL-offset, but since it's so large, it's unclear if there is arbitrary control over the destination of the %al byte being written.

SegvAnalysis:
 Segfault happened at: 0x7f2131398308: mov %al,(%rcx)
 PC (0x7f2131398308) ok
 source "%al" ok
 destination "(%rcx)" (0x008effff) not located in a known VMA region (needed writable region)!

summary: - PSP tiff exploit crashes libtiff4
+ tiff2ps crashed with SIGSEGV in TIFFReadScanline()
Kees Cook (kees) wrote :

To speak to your MIPS vs x86 issue, they are different architectures, so it is not immediately obvious if x86 (or Ubuntu, given its ASLR, stack/heap protections, etc) is vulnerable. Regardless, it needs fixing.

Kees Cook (kees) wrote :

Rather, it's walking backwards off the heap. 0x8effff is just before the heap allocation at 0x8f0000. wololo's discussion of the issue is here:
http://www.lan.st/showthread.php?t=1856&page=3

Kees Cook (kees) wrote :

Upstream bug opened:
http://bugzilla.maptools.org/show_bug.cgi?id=2065

Developed possible patch.

Kees Cook (kees)
affects: debian → tiff (Debian)
Changed in tiff (Debian):
importance: Undecided → Unknown
status: Confirmed → Unknown
Changed in tiff (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → Kees Cook (kees)
status: Confirmed → Fix Committed
Changed in tiff (Debian):
status: Unknown → New
Kees Cook (kees)
security vulnerability: yes → no
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-7ubuntu3.2

---------------
tiff (3.8.2-7ubuntu3.2) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via buffer underflow in the
    LZWDecodeCompat function (LP: #380149)
    - debian/patches/CVE-2009-2285.patch: abort if code is bigger than
      CODE_CLEAR in libtiff/tif_lzw.c.
    - CVE-2009-2285

 -- Marc Deslauriers <email address hidden> Fri, 03 Jul 2009 14:54:05 -0400

Changed in tiff (Ubuntu Hardy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-11ubuntu0.8.10.1

---------------
tiff (3.8.2-11ubuntu0.8.10.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service via buffer underflow in the
    LZWDecodeCompat function (LP: #380149)
    - debian/patches/CVE-2009-2285.patch: abort if code is bigger than
      CODE_CLEAR in libtiff/tif_lzw.c.
    - CVE-2009-2285

 -- Marc Deslauriers <email address hidden> Fri, 03 Jul 2009 14:38:08 -0400

Changed in tiff (Ubuntu Intrepid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.8.2-11ubuntu0.9.04.1

---------------
tiff (3.8.2-11ubuntu0.9.04.1) jaunty-security; urgency=low

  * SECURITY UPDATE: denial of service via buffer underflow in the
    LZWDecodeCompat function (LP: #380149)
    - debian/patches/CVE-2009-2285.patch: abort if code is bigger than
      CODE_CLEAR in libtiff/tif_lzw.c.
    - CVE-2009-2285

 -- Marc Deslauriers <email address hidden> Fri, 03 Jul 2009 14:38:08 -0400

Changed in tiff (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in tiff (Ubuntu Dapper):
status: Confirmed → Fix Released
Kees Cook (kees) wrote :

tiff (3.8.2-13) unstable; urgency=high

  * Apply patches to fix CVE-2009-2347, which covers two integer overflow
    conditions.
  * LZW patch from last update addressed CVE-2009-2285. Renamed the patch
    to make this clearer.

 -- Jay Berkenbilt <email address hidden> Sun, 12 Jul 2009 18:03:33 -0400

tiff (3.8.2-12) unstable; urgency=low

  * Apply patch to fix crash in lzw decoder that can be caused by certain
    invalid image files. (Closes: #534137)
  * No longer ignore errors in preinst
  * Fixed new lintian warnings; updated standards version to 3.8.2.

 -- Jay Berkenbilt <email address hidden> Sun, 28 Jun 2009 13:17:44 -0400

Changed in tiff (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in tiff (Debian):
status: New → Fix Released
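Added illustration (editor's example, not libtiff's code and not the CVE-2009-2285 patch itself): a reduced C model of an LZW decoder showing the check the changelogs above describe for LZWDecodeCompat, namely that the code following a CLEAR must be a literal, so any value above CODE_CLEAR is rejected instead of being used to index the just-wiped string table. The code-space constants are libtiff's; the fixed-width 12-bit codes, the table layout, and the names lzw_decode_checked, emit and first_char are this example's own assumptions.

```c
#include <string.h>
/* libtiff's LZW code-space constants (tif_lzw.c); the table layout below is this model's own. */
enum { CODE_CLEAR = 256, CODE_EOI = 257, CODE_FIRST = 258, CODE_MAX = 4095 };
typedef struct { int prefix; int length; unsigned char value; } entry_t;
/* First byte of the string for code c (walk the prefix chain to its root). */
static int first_char(const entry_t *t, int c) { while (t[c].prefix >= 0) c = t[c].prefix; return t[c].value; }
/* Copy the string for `code` back to front, as tif_lzw.c does, but never past cap. */
static int emit(const entry_t *t, int code, unsigned char *out, int pos, int cap) {
    int len = t[code].length;
    if (len <= 0 || pos + len > cap) return -1;
    for (unsigned char *p = out + pos + len; code >= 0; code = t[code].prefix) *--p = t[code].value;
    return pos + len;
}
/* Decode fixed-width codes into out; returns bytes written, or -1 if the stream is rejected.
 * old < 0 means "table is empty, a literal must come next" (initial state and after CLEAR). */
int lzw_decode_checked(const unsigned short *codes, int n, unsigned char *out, int cap) {
    entry_t t[CODE_MAX + 1];
    int next = CODE_FIRST, pos = 0, old = -1;
    for (int c = 0; c < 256; c++) { t[c].prefix = -1; t[c].length = 1; t[c].value = (unsigned char)c; }
    for (int i = 0; i < n; i++) {
        int code = codes[i];
        if (code == CODE_EOI) break;
        if (code == CODE_CLEAR) {                 /* wipe every dynamic slot: lengths become 0 */
            memset(t + CODE_FIRST, 0, sizeof(entry_t) * (CODE_MAX + 1 - CODE_FIRST));
            next = CODE_FIRST; old = -1; continue;
        }
        if (old < 0) {
            /* The fix: the code after CLEAR must be a literal. A larger value names a just-wiped
             * slot whose length and prefix chain disagree, and a back-to-front copy that trusts it
             * moves the output pointer below the buffer start: the underflow this bug reports. */
            if (code > CODE_CLEAR || pos >= cap) return -1;   /* "Corrupted LZW table" */
            out[pos++] = (unsigned char)code; old = code; continue;
        }
        if (code > next || code > CODE_MAX) return -1;         /* code never assigned: corrupt */
        if (next <= CODE_MAX) {   /* new entry = old string + first byte of current (KwKwK: of old) */
            t[next].prefix = old;
            t[next].value = (unsigned char)first_char(t, code == next ? old : code);
            t[next].length = t[old].length + 1;
            next++;
        }
        if ((pos = emit(t, code, out, pos, cap)) < 0) return -1;
        old = code;
    }
    return pos;
}

/* Constructed samples (not the bug's TIFF): GOOD decodes to "abababa" via a KwKwK code (260);
 * BAD follows CLEAR with a table code and must be rejected. */
const unsigned short GOOD[] = { CODE_CLEAR, 'a', 'b', 258, 260, CODE_EOI };
const unsigned short BAD[] = { CODE_CLEAR, 300, CODE_EOI };
unsigned char scratch[16];   /* output buffer for the samples */
```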