[Secure-testing-team] Bug#668087: libtiff4: libtiff crashes with corrupted images

Mikulas Patocka mikulas at artax.karlin.mff.cuni.cz
Sun Apr 8 18:32:44 UTC 2012


Package: libtiff4
Version: 3.9.4-5+squeeze4
Severity: grave
Tags: security
Justification: user security hole

libtiff crashes on corrupted images when using electric fence memory debugger.

Install electric-fence package

Run:
LD_PRELOAD=/usr/lib/libefence.so links2 -g http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/
and try to view the images.

Instead of links2, you can use xloadimage or xpaint or other programs; they
crash too.

The images crash in Debian libtiff. There is even one that crashes in upstream
libtiff-3.9.6 (the code that crashes was removed in upstream 4.0.1).

There is another image that exploits a different bug and crashes upstream
libtiff 4.0.1 (the buggy code is also present in libtiff-3, but libtiff-3
doesn't crash on this image). For this bug to show up, you must use
EF_ALIGNMENT=0, for example:
EF_ALIGNMENT=0 LD_PRELOAD=/usr/lib/libefence.so links2 -g http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/libtiff-4.0.1-crash.tif

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=cs_CZ, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash

Versions of packages libtiff4 depends on:
ii  libc6                   2.11.3-2         Embedded GNU C Library: Shared lib
ii  libjpeg62               6b1-1            The Independent JPEG Group's JPEG 
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

libtiff4 recommends no packages.

libtiff4 suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file.tif
Type: image/tiff
Size: 67677 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120408/eb54e36f/attachment-0003.tif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file.tif
Type: image/tiff
Size: 154496 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120408/eb54e36f/attachment-0004.tif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file.tif
Type: image/tiff
Size: 94101 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120408/eb54e36f/attachment-0005.tif>
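An added example, not part of the bug report above, that automates the reproduction technique it describes: it runs libtiff's own `tiffinfo` reader under Electric Fence with `EF_ALIGNMENT=0` over a directory of TIFF files and reports which ones die, so a maintainer can triage a corpus of images against a candidate fix. The choice of `tiffinfo`, the library path and the directory argument are assumptions, not taken from the report.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes the Debian electric-fence
# and libtiff-tools packages; override the paths via the environment.
EFENCE_LIB="${EFENCE_LIB:-/usr/lib/libefence.so}"
READER="${READER:-tiffinfo}"   # any TIFF reader works, as the report notes

# Map a shell exit status to a verdict. Shells report death by signal as
# 128 + signal number: 139 = SIGSEGV (efence lets the overrun hit a guard
# page), 134 = SIGABRT (assertion or allocator check), 0 = parsed cleanly,
# anything else = ordinary reader error on a bad file.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        134) echo crash-abort ;;
        139) echo crash-segv ;;
        129|13[0-9]|14[0-9]|15[0-9]) echo crash-signal ;;
        *)   echo reader-error ;;
    esac
}

# Run the reader on one file under efence. EF_ALIGNMENT=0 removes the
# alignment slack after each allocation, so even a one-byte heap overrun
# lands on the guard page; the report needed this for its second image.
check_one() {
    file="$1"; align="${2:-0}"
    if EF_ALIGNMENT="$align" LD_PRELOAD="$EFENCE_LIB" \
        "$READER" "$file" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# Walk a directory and print one line per file: verdict<TAB>path.
triage_dir() {
    [ -r "$EFENCE_LIB" ] || { echo "missing $EFENCE_LIB" >&2; return 2; }
    for f in "$1"/*.tif "$1"/*.tiff; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(check_one "$f" 0)" "$f"
    done
}

if [ -n "${1:-}" ]; then
    triage_dir "$1"
fi
```

Compare the output against a build with the fix applied: a file whose verdict moves from `crash-segv` to `reader-error` or `ok` confirms the fix covers that sample.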