[Pkg-ia32-libs-maintainers] A security bug in Debian Squeeze libtiff (+ non-updated ia32-libs??)
Mikulas Patocka
mikulas at artax.karlin.mff.cuni.cz
Sat Apr 7 20:22:26 UTC 2012
On Sat, 7 Apr 2012, Mikulas Patocka wrote:
> Hi
>
> There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq.
>
> When loading corrupted images and with ElectricFence memory debugging
> enabled, programs using libtiff crash.
>
> How to reproduce: Download corrupted images from here:
> http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/
>
> These tiff images were created by running fsfuzzer
> (http://people.redhat.com/sgrubb/files/fsfuzzer-0.7.tar.gz) over normal
> valid tiff images.
>
> Install electric-fence package from Debian.
>
> Run programs that use libtiff with electric fence, for example:
>
> LD_PRELOAD=/usr/lib/libefence.so links2 -g tiff1.tif
>
> LD_PRELOAD=/usr/lib/libefence.so xloadimage tiff1.tif
>
> LD_PRELOAD=/usr/lib/libefence.so xpaint tiff1.tif
>
> All the programs crash in TIFFReadDirectory (I tested it on amd64) --- so
> it is a bug in libtiff.
>
>
> I reproduced this bug on upstream libtiff 3.9.4, but couldn't reproduce it
> on 3.9.5, 3.9.6 or 4.0.1 --- so the bug was fixed upstream and Debian
> didn't backport it.
After further fuzzing and testing with Electric Fence, I found an
image that crashes even upstream libtiff-3.9.6. So I'm sending the report
to the upstream maintainers too.
I placed the crashing image here:
http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/libtiff-3.9.6-crash.tif
The crash happens here:
#0 TIFFReadDirectory (tif=0x7f6f92434bc8) at tif_dirread.c:223
223 fip = tif->tif_fieldinfo[++fix];
The apparent problem in the code:

    fip = tif->tif_fieldinfo[fix];
    while (dp->tdir_type != (unsigned short) fip->field_type
           && fix < tif->tif_nfields) {
           ^^^^^^^^^^ check that fix is smaller than tif->tif_nfields
        if (fip->field_type == TIFF_ANY)    /* wildcard */
            break;
        fip = tif->tif_fieldinfo[++fix];
              ^^^^^^^^^^ increment fix by one and dereference tif->tif_fieldinfo[fix]
              !!! so we may be dereferencing one field after tif->tif_fieldinfo end
        if (fix >= tif->tif_nfields ||
            ^^^^^^^^^^ this check fix >= tif->tif_nfields comes too late, we already
            accessed the array beyond its end :-(
            fip->field_tag != dp->tdir_tag) {
            TIFFWarningExt(tif->tif_clientdata, module,
                "%s: wrong data type %d for \"%s\"; tag ignored",
                tif->tif_name, dp->tdir_type,
                tif->tif_fieldinfo[fix-1]->field_name);
            goto ignore;
        }
    }
libtiff-4.0.1 doesn't crash and the above code seems to be rewritten
there.
Mikulas
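The off-by-one described in the message, as an added illustration that is not libtiff code and not part of the original post. The field names (tif_fieldinfo, tif_nfields, tdir_tag, tdir_type, TIFF_ANY) mirror the quoted excerpt, but the struct layouts, the helper functions, the three-row sample field table and the two directory entries are all constructed for this example. `original_order_reads_past_end` replays the quoted loop's control flow and reports the point at which the original would read tif_fieldinfo[tif_nfields]; `find_field_checked` shows the same search with the bound tested before the array is indexed, which is the fix a reviewer would ask for.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the libtiff types in the quoted excerpt. */
#define TIFF_ANY   0
#define TIFF_SHORT 3
#define TIFF_LONG  4

typedef struct {
    unsigned short field_tag;
    unsigned short field_type;
    const char *field_name;
} FieldInfo;

typedef struct {
    const FieldInfo *const *tif_fieldinfo;  /* sorted by tag, then by type */
    size_t tif_nfields;
} Tiff;

typedef struct {
    unsigned short tdir_tag;
    unsigned short tdir_type;
} DirEntry;

/* Constructed field table: two accepted types for tag 256, one for tag 257. */
static const FieldInfo f256s = { 256, TIFF_SHORT, "ImageWidth" };
static const FieldInfo f256l = { 256, TIFF_LONG,  "ImageWidth" };
static const FieldInfo f257s = { 257, TIFF_SHORT, "ImageLength" };
static const FieldInfo *const sample_fields[] = { &f256s, &f256l, &f257s };
const Tiff sample_tif = { sample_fields, 3 };

/* Constructed directory entries: one whose type is not accepted for the last
 * table row of its tag (walks the loop off the end), one that matches. */
const DirEntry entry_bad  = { 257, TIFF_LONG };
const DirEntry entry_good = { 256, TIFF_LONG };

/* Index of the first table row for `tag`, or -1 if the tag is unknown.
 * Hypothetical stand-in for the lookup that precedes the quoted loop. */
int first_index_for_tag(const Tiff *tif, unsigned short tag)
{
    for (size_t i = 0; i < tif->tif_nfields; i++)
        if (tif->tif_fieldinfo[i]->field_tag == tag)
            return (int)i;
    return -1;
}

/* Replays the quoted loop's ordering. Where the original does
 * `fip = tif->tif_fieldinfo[++fix]` with no prior bound check, this replica
 * returns 1 at exactly the point the original would read one element past
 * the end of tif_fieldinfo, and 0 if the search finishes in bounds. */
int original_order_reads_past_end(const Tiff *tif, size_t fix, const DirEntry *dp)
{
    const FieldInfo *fip = tif->tif_fieldinfo[fix];
    while (dp->tdir_type != fip->field_type && fix < tif->tif_nfields) {
        if (fip->field_type == TIFF_ANY)
            break;
        ++fix;
        if (fix >= tif->tif_nfields)
            return 1;   /* original: tif_fieldinfo[fix] is read here, out of bounds */
        fip = tif->tif_fieldinfo[fix];
        if (fip->field_tag != dp->tdir_tag)
            return 0;   /* original: "wrong data type; tag ignored" */
    }
    return 0;
}

/* Corrected ordering: the bound is tested before the array is indexed.
 * Returns the index of the matching row, or -1 if the entry's type is not
 * accepted for its tag (the caller would then ignore the tag). */
int find_field_checked(const Tiff *tif, size_t fix, const DirEntry *dp)
{
    const FieldInfo *fip = tif->tif_fieldinfo[fix];
    while (dp->tdir_type != fip->field_type) {
        if (fip->field_type == TIFF_ANY)
            break;
        if (fix + 1 >= tif->tif_nfields)
            return -1;  /* no more candidates; tif_fieldinfo[tif_nfields] is never touched */
        fip = tif->tif_fieldinfo[++fix];
        if (fip->field_tag != dp->tdir_tag)
            return -1;
    }
    return (int)fix;
}

int main(void)
{
    int start = first_index_for_tag(&sample_tif, entry_bad.tdir_tag);
    printf("tag 257 type LONG: original order reads past end = %d, checked lookup = %d\n",
           original_order_reads_past_end(&sample_tif, (size_t)start, &entry_bad),
           find_field_checked(&sample_tif, (size_t)start, &entry_bad));
    start = first_index_for_tag(&sample_tif, entry_good.tdir_tag);
    int idx = find_field_checked(&sample_tif, (size_t)start, &entry_good);
    if (idx >= 0)
        printf("tag 256 type LONG: row %d (%s)\n", idx, sample_tif.tif_fieldinfo[idx]->field_name);
    return 0;
}
```

The out-of-bounds access is a read of the pointer stored one slot past the end of tif_fieldinfo, which is why Electric Fence (which places allocations against a guard page) turns it into a crash while an ordinary allocator usually lets it pass silently; that silent case is the reason to keep the `fix + 1 >= tif_nfields` test ahead of the index, not after it.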