Mikulas Patocka
2012-Apr-08 18:32 UTC
[Secure-testing-team] Bug#668087: libtiff4: libtiff crashes with corrupted images
Package: libtiff4
Version: 3.9.4-5+squeeze4
Severity: grave
Tags: security
Justification: user security hole

libtiff crashes on corrupted images when using electric fence memory debugger.

Install electric-fence package

Run:
LD_PRELOAD=/usr/lib/libefence.so links2 -g http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/
and try to view the images.

Instead of links2, you can use xloadimage or xpaint or other programs, they crash too.

The images crash in Debian libtiff. There is even one that crashes in upstream libtiff-3.9.6 (the code that crashes was removed in upstream 4.0.1).

There is another image that exploits a different bug and crashes upstream libtiff 4.0.1 (the buggy code is also present in libtiff-3, but libtiff-3 doesn't crash on this image). For this bug to show up, you must use EF_ALIGNMENT=0, for example:
EF_ALIGNMENT=0 LD_PRELOAD=/usr/lib/libefence.so links2 -g http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/libtiff-4.0.1-crash.tif

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=cs_CZ, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash

Versions of packages libtiff4 depends on:
ii  libc6      2.11.3-2          Embedded GNU C Library: Shared lib
ii  libjpeg62  6b1-1             The Independent JPEG Group's JPEG
ii  zlib1g     1:1.2.3.4.dfsg-3  compression library - runtime

libtiff4 recommends no packages.
libtiff4 suggests no packages.

-- no debconf information

Attachments (non-text attachments scrubbed by the list archive):
- file.tif, image/tiff, 67677 bytes: http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120408/eb54e36f/attachment-0003.tif
- file.tif, image/tiff, 154496 bytes: http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120408/eb54e36f/attachment-0004.tif
- file.tif, image/tiff, 94101 bytes: http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120408/eb54e36f/attachment-0005.tif
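The report reproduces the crashes one image at a time by preloading Electric Fence into a viewer. The script below is an added example, not code from the report or from the libtiff or electric-fence projects: it generalises that procedure into a small triage sweep that runs a file-consuming program over every file in a directory under Electric Fence and records which inputs end in a memory fault. Electric Fence places each allocation against an inaccessible guard page, so an out-of-bounds heap access is turned into an immediate SIGSEGV; with EF_ALIGNMENT=0 the allocation is placed flush against the guard page, which is why the report needs that setting to catch an overrun of only a few bytes that the default word alignment would otherwise hide. The variable names EFENCE_LIB and EFENCE_LOG and the function names efence_check_one, efence_classify and efence_sweep are this example's own choices; EF_ALIGNMENT and LD_PRELOAD are the real knobs the report uses.

```shell
#!/bin/sh
# Added example (not part of the bug report): sweep a directory of sample
# files through a parser under Electric Fence and classify each outcome.
#
# Assumptions (hypothetical, set to taste):
#   EFENCE_LIB  path to the Electric Fence shared object
#               (Debian: /usr/lib/libefence.so); if empty, the program runs
#               without the debugger so the sweep still works as a plain
#               crash check.
#   EFENCE_LOG  file that collects the program's stdout/stderr, including
#               the "ElectricFence Aborting" diagnostics (default: /dev/null).

# efence_classify STATUS FILE
# POSIX shells report a child killed by signal N as exit status 128+N, so
# 139 is SIGSEGV (what Electric Fence raises on a guard-page hit) and
# 134 is SIGABRT (assertion failures, abort()).
efence_classify() {
    status="$1"; file="$2"
    if [ "$status" -eq 0 ]; then
        echo "$file: ok"
    elif [ "$status" -gt 128 ]; then
        echo "$file: signal $((status - 128))"
    else
        echo "$file: exit $status"
    fi
}

# efence_check_one FILE CMD [ARGS...]
# Runs CMD ARGS... FILE (optionally under Electric Fence) and prints one
# line: "FILE: ok", "FILE: exit N" or "FILE: signal N". Always returns 0
# so a crashing input never aborts a caller that runs with 'set -e'.
efence_check_one() {
    file="$1"; shift
    log="${EFENCE_LOG:-/dev/null}"
    # The program is run inside an 'if' so that its non-zero exit status is
    # captured instead of terminating a 'set -e' shell.
    if [ -n "${EFENCE_LIB:-}" ]; then
        if EF_ALIGNMENT=0 LD_PRELOAD="$EFENCE_LIB" "$@" "$file" >>"$log" 2>&1; then
            status=0
        else
            status=$?
        fi
    else
        if "$@" "$file" >>"$log" 2>&1; then status=0; else status=$?; fi
    fi
    efence_classify "$status" "$file"
    return 0
}

# efence_sweep DIR CMD [ARGS...]
# Checks every regular file in DIR, prints one line per file plus a summary
# "crashed: N of M", and returns 1 if any input died from a signal.
efence_sweep() {
    dir="$1"; shift
    total=0; crashed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        line=$(efence_check_one "$f" "$@")
        echo "$line"
        case "$line" in *": signal "*) crashed=$((crashed + 1)) ;; esac
    done
    echo "crashed: $crashed of $total"
    [ "$crashed" -eq 0 ]
}

# Usage against a corpus of TIFF files with a libtiff-based tool, e.g.:
#   EFENCE_LIB=/usr/lib/libefence.so EFENCE_LOG=sweep.log \
#       efence_sweep ./samples tiffinfo
```

Each "signal 11" line names an input on which the parser touched memory outside an allocation, which is the finding a maintainer wants before deciding whether a malformed file is merely a crash or a memory-safety bug worth a security tag; the per-file diagnostics in EFENCE_LOG say which allocation was overrun. Without EFENCE_LIB set the same sweep still separates clean exits, error exits and signal deaths, which is useful for a quick first pass before the slower guard-page run.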