{"id":1554,"date":"2017-04-01T16:01:33","date_gmt":"2017-04-01T14:01:33","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1554"},"modified":"2017-05-24T12:04:22","modified_gmt":"2017-05-24T10:04:22","slug":"libtiff-multiple-ubsan-crashes","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/04\/01\/libtiff-multiple-ubsan-crashes\/","title":{"rendered":"libtiff: multiple UBSAN crashes"},"content":{"rendered":"

Description<\/strong>:
\nLibtiff<\/a> is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.<\/p>\n

A fuzz with the undefined behavior sanitizer revealed some crashes.<\/p>\n

# tiffcp -i $FILE \/tmp\/foo\r\nruntime error: value 5.84589e+199 is outside the range of representable values\r\nof type 'float'\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/3144e57770c1e4d26520d8abee750f8ac8b75490<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00113-libtiff-outside-float<\/a>
\nCVE:<\/strong>
\nCVE-2017-7596<\/p>\n
##################################################<\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\ntif_dirread.c:2409:12: runtime error: value -4.779e+161 is outside the range of\r\nrepresentable values of type 'float'\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/3144e57770c1e4d26520d8abee750f8ac8b75490<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00114-libtiff-outside-float-tif_dirread<\/a>
\nCVE:<\/strong>
\nCVE-2017-7597<\/p>\n
##################################################<\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\ntif_dirread.c:2878:24: runtime error: division by zero\r\ntif_dirread.c:2906:33: runtime error: division by zero\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00115-libtiff-fpe-tif_dirread<\/a>
\nCVE:<\/strong>
\nCVE-2017-7598<\/p>\n
##################################################<\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\nruntime error: value 65280 is outside the range of representable values of type 'short'\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/3144e57770c1e4d26520d8abee750f8ac8b75490<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00117-libtiff-outside-short-tif_dirwrite<\/a>
\nCVE:<\/strong>
\nCVE-2017-7599<\/p>\n
##################################################<\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\nruntime error: value -115 is outside the range of representable values of type 'unsigned char'\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/3144e57770c1e4d26520d8abee750f8ac8b75490<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00118-libtiff-outside-unsigned-char-tif_dirwrite<\/a>
\nCVE:<\/strong>
\nCVE-2017-7600<\/p>\n
##################################################<\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\nruntime error: shift exponent 136 is too large for 64-bit type 'long'\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/0a76a8c765c7b8327c59646284fa78c3c27e5490<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00119-libtiff-shift-long-tif_jpeg<\/a>
\nCVE:<\/strong>
\nCVE-2017-7601<\/p>\n
##################################################<\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\nruntime error: signed integer overflow: 9223372036452122640 + 85899345928\r\ncannot be represented in type 'long'\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/66e7bd59520996740e4df5495a830b42fae48bc4<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00121-libtiff-signintoverflow-tif_read<\/a>
\nCVE:<\/strong>
\nCVE-2017-7602<\/p>\n
##################################################<\/p>\n
Credit:<\/strong>
\nThese bugs were discovered by Agostino Sarubbo of Gentoo.<\/p>\n
Timeline:<\/strong>
\n2017-01-01: bugs discovered and reported to upstream
\n2017-01-11: upstream released a patch
\n2017-04-01: blog post about the issue
\n2017-04-09: CVE assigned<\/p>\n
Note:<\/strong>
\nThese bugs were found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
libtiff: multiple UBSAN crashes<\/a><\/p><\/blockquote>\n