[Pkg-ia32-libs-maintainers] A security bug in Debian Squeeze libtiff (+ non-updated ia32-libs??)

Sat Apr 7 20:22:26 UTC 2012

On Sat, 7 Apr 2012, Mikulas Patocka wrote:

> Hi
> 
> There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq.
> 
> When loading corrupted images and with ElectricFence memory debugging 
> enabled, programs using libtiff crash.
> 
> How to reproduce: Download corrupted images from here: 
> http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/
> 
> These tiff images were created by running fsfuzzer 
> (http://people.redhat.com/sgrubb/files/fsfuzzer-0.7.tar.gz) over normal 
> valid tiff images.
> 
> Install electric-fence package from Debian.
> 
> Run programs that use libtiff with electric fence, for example:
> 
> LD_PRELOAD=/usr/lib/libefence.so links2 -g tiff1.tif
> 
> LD_PRELOAD=/usr/lib/libefence.so xloadimage tiff1.tif
> 
> LD_PRELOAD=/usr/lib/libefence.so xpaint tiff1.tif
> 
> All the programs crash in TIFFReadDirectory (I tested it on amd64) --- so 
> it is a bug in libtiff.
> 
> 
> I reproduced this bug on upstream libtiff 3.9.4, but couldn't reproduce it 
> on 3.9.5, 3.9.6 or 4.0.1 --- so the bug was fixed upstream and Debian 
> didn't backport it.

After further fuzzing and testing with Electric Fence, I found out an 
image that crashes even upstream libtiff-3.9.6. So I'm sending the report 
to the upstream maintainers too.

I placed the crashing image here:

http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/libtiff-3.9.6-crash.tif

The crash happens here:
#0  TIFFReadDirectory (tif=0x7f6f92434bc8) at tif_dirread.c:223
223                             fip = tif->tif_fieldinfo[++fix];

The apparent problem in the code:

                fip = tif->tif_fieldinfo[fix];
                while (dp->tdir_type != (unsigned short) fip->field_type
                    && fix < tif->tif_nfields) {
^^^^^^^^^^ check that fix is smaller than tif->tif_nfields
                        if (fip->field_type == TIFF_ANY)        /* 
wildcard */
                                break;
                        fip = tif->tif_fieldinfo[++fix];
^^^^^^^^^^ increment fix by one and dereference tif->tif_fieldinfo[fix]
!!! so we may be dereferencing one field after tif->tif_fieldinfo end
                        if (fix >= tif->tif_nfields ||
^^^^^^^^^^ this check fix >= tif->tif_nfields comes too late, we already 
accessed the array beyond its end :-(
                            fip->field_tag != dp->tdir_tag) {
                                TIFFWarningExt(tif->tif_clientdata, module,
                        "%s: wrong data type %d for \"%s\"; tag ignored",
                                            tif->tif_name, dp->tdir_type, 
tif->tif_fieldinfo[fix-1]->field_name);
                                goto ignore;
                        }
                }

libtiff-4.0.1 doesn't crash and the above code seems to be rewritten 
there.

Mikulas