Ubuntu
tiff package

Reproducible crash in tiff2png (libtiff-tools), illegal free

Bug #1299533 reported by Johannes Bauer on 2014-03-29

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tiff (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

I'm on Linux Mint Petra (which is essentially saucy without the Ubuntu bullshit like Unity) on x86_64. Since they use your apt repo and this might possibly warrant even a CVE, I report this bug here, since you're upstream (for the packaging at least).

When trying to convert a tiff file to a png using tiff2png I can reproducibly get a crash at file generation (i.e. some output is generated but it's not a valid PDF since the footer xref table is missing). The crash always occurs because of a invalid free. Addresses vary obviously (ASLR):

*** Error in `tiff2pdf': free(): invalid size: ======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x80996)+0x5d76)[0x7faa5b7e9d76+0xc0ef)[0x7faa5b7f00efmain+0x156)[0x7faa5b7e658664-linux-gnu/libc.so.6(__+0x2a4d)[0x7faa5b7e6a4d 7faa59fc9000-7faa59fde000 r-xp 00000000 08:11 262157 7faa59fde000-7faa5a1dd000 ---p 00015000 08:11 262157 7faa5a1dd000-7faa5a1de000 r--p 00014000 08:11 262157 7faa5a1de000-7faa5a1df000 rw-p 00015000 08:11 262157 7faa5a1df000-7faa5a1e2000 r-xp 00000000 08:11 266169 7faa5a1e2000-7faa5a3e1000 ---p 00003000 08:11 266169 7faa5a3e1000-7faa5a3e2000 r--p 00002000 08:11 266169 7faa5a3e2000-7faa5a3e3000 rw-p 00003000 08:11 266169 7faa5a3e3000-7faa5a4e6000 r-xp 00000000 08:11 266205 7faa5a4e6000-7faa5a6e5000 ---p 00103000 08:11 266205 7faa5a6e5000-7faa5a6e6000 r--p 00102000 08:11 266205 7faa5a6e6000-7faa5a6e7000 rw-p 00103000 08:11 266205 7faa5a6e7000-7faa5a6ff000 r-xp 00000000 08:11 266310 7faa5a6ff000-7faa5a8fe000 ---p 00018000 08:11 266310 7faa5a8fe000-7faa5a8ff000 r--p 00017000 08:11 266310 7faa5a8ff000-7faa5a900000 rw-p 00018000 08:11 266310 7faa5a900000-7faa5a943000 r-xp 00000000 08:11 1446551 7faa5a943000-7faa5ab43000 ---p 00043000 08:11 1446551 7faa5ab43000-7faa5ab44000 r--p 00043000 08:11 1446551 7faa5ab44000-7faa5ab45000 rw-p 00044000 08:11 1446551 7faa5ab45000-7faa5ab55000 rw-p 00000000 00:00 7faa5ab55000-7faa5ab60000 r-xp 00000000 08:11 1451362 7faa5ab60000-7faa5ad5f000 ---p 0000b000 08:11 1451362 7faa5ad5f000-7faa5ad60000 r--p 0000a000 08:11 1451362 7faa5ad60000-7faa5ad63000 rw-p 0000b000 08:11 1451362 7faa5ad63000-7faa5ad84000 r-xp 00000000 08:11 266202 7faa5ad84000-7faa5af83000 ---p 00021000 08:11 266202 7faa5af83000-7faa5af84000 r--p 00020000 08:11 266202 7faa5af84000-7faa5af85000 rw-p 00021000 08:11 266202 7faa5af85000-7faa5b142000 r-xp 00000000 08:11 266154 7faa5b142000-7faa5b342000 ---p 001bd000 08:11 266154 7faa5b342000-7faa5b346000 r--p 001bd000 08:11 266154 7faa5b346000-7faa5b348000 rw-p 001c1000 08:11 266154 7faa5b348000-7faa5b34d000 rw-p 00000000 00:00 7faa5b34d000-7faa5b3bb000 r-xp 00000000 08:11 1451707 7faa5b3bb000-7faa5b5bb000 ---p 0006e000 08:11 1451707 7faa5b5bb000-7faa5b5bc000 r--p 0006e000 08:11 1451707 7faa5b5bc000-7faa5b5bf000 rw-p 0006f000 08:11 1451707 7faa5b5bf000-7faa5b5e2000 r-xp 00000000 08:11 266130 7faa5b6b5000-7faa5b7b3000 r--s 00000000 fc:00 43915789 7faa5b7b3000-7faa5b7b8000 rw-p 00000000 00:00 7faa5b7dd000-7faa5b7e1000 rw-p 00000000 00:00 7faa5b7e1000-7faa5b7e2000 r--p 00022000 08:11 266130 7faa5b7e2000-7faa5b7e4000 rw-p 00023000 08:11 266130 7faa5b7e4000-7faa5b7f4000 r-xp 00000000 08:11 1463449 7faa5b9f3000-7faa5b9f4000 r--p 0000f000 08:11 1463449 7faa5b9f4000-7faa5b9f5000 rw-p 00010000 08:11 1463449 7faa5cabe000-7faa5cadf000 rw-p 00000000 00:00 0 7fff5e17a000-7fff5e19b000 rw-p 00000000 00:00 0 7fff5e1fe000-7fff5e200000 r-xp 00000000 00:00 0 ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 ./cmd: line 5: 8522 Aborted tiff2pdf 0x00007faa5cabfc20 ***
/>[0x7faa5b005996]
/>]
/>]
/>]
/>libc_start_main+0xf5)[0x7faa5afa6de5]
/>]
/lib/x86_64-linux-gnu/libgcc_s.so.1
/lib/x86_64-linux-gnu/libgcc_s.so.1
/lib/x86_64-linux-gnu/libgcc_s.so.1
/lib/x86_64-linux-gnu/libgcc_s.so.1
/lib/x86_64-linux-gnu/libdl-2.17.so
/lib/x86_64-linux-gnu/libdl-2.17.so
/lib/x86_64-linux-gnu/libdl-2.17.so
/lib/x86_64-linux-gnu/libdl-2.17.so
/lib/x86_64-linux-gnu/libm-2.17.so
/lib/x86_64-linux-gnu/libm-2.17.so
/lib/x86_64-linux-gnu/libm-2.17.so
/lib/x86_64-linux-gnu/libm-2.17.so
/lib/x86_64-linux-gnu/libz.so.1.2.8
/lib/x86_64-linux-gnu/libz.so.1.2.8
/lib/x86_64-linux-gnu/libz.so.1.2.8
/lib/x86_64-linux-gnu/libz.so.1.2.8
/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
0
/usr/lib/x86_64-linux-gnu/libjbig.so.0.0.0
/usr/lib/x86_64-linux-gnu/libjbig.so.0.0.0
/usr/lib/x86_64-linux-gnu/libjbig.so.0.0.0
/usr/lib/x86_64-linux-gnu/libjbig.so.0.0.0
/lib/x86_64-linux-gnu/liblzma.so.5.0.0
/lib/x86_64-linux-gnu/liblzma.so.5.0.0
/lib/x86_64-linux-gnu/liblzma.so.5.0.0
/lib/x86_64-linux-gnu/liblzma.so.5.0.0
/lib/x86_64-linux-gnu/libc-2.17.so
/lib/x86_64-linux-gnu/libc-2.17.so
/lib/x86_64-linux-gnu/libc-2.17.so
/lib/x86_64-linux-gnu/libc-2.17.so
0
/usr/lib/x86_64-linux-gnu/libtiff.so.5.1.0
/usr/lib/x86_64-linux-gnu/libtiff.so.5.1.0
/usr/lib/x86_64-linux-gnu/libtiff.so.5.1.0
/usr/lib/x86_64-linux-gnu/libtiff.so.5.1.0
/lib/x86_64-linux-gnu/ld-2.17.so
/home/joe/bugreport/in.tiff
0
0
/lib/x86_64-linux-gnu/ld-2.17.so
/lib/x86_64-linux-gnu/ld-2.17.so
/usr/bin/tiff2pdf
/usr/bin/tiff2pdf
/usr/bin/tiff2pdf
[heap]
[stack]
[vdso]
[vsyscall]
-o out.pdf -j in.tiff

Here's the package sources I'm using and the versions of some libraries which are pulled in:

ii libtiff-tools 4.0.2-4ubuntu3 amd64 TIFF manipulation and conversion tools
ii libtiff4:amd64 3.9.7-2ubuntu1 amd64 Tag Image File Format (TIFF) library (old version)
ii libtiff5:amd64 4.0.2-4ubuntu3 amd64 Tag Image File Format (TIFF) library
ii libjpeg8:amd64 8c-2ubuntu8 amd64 Independent JPEG Group's JPEG runtime library (dependency package)
ii libjpeg8-dev:amd64 8c-2ubuntu8 amd64 Independent JPEG Group's JPEG runtime library (dependency package)
ii libjbig0:amd64 2.0-2ubuntu1 amd64 JBIGkit libraries
ii libjbig2dec0 0.11+20120125-1ubuntu1 amd64 JBIG2 decoder library - shared libraries

I do not yet know if this bug is exploitable, but it might well be. I'll do some further digging. And I'll attach to this bug the file with which the bug can be reproduced. Since image to PDF conversion is something that is widely used in web interfaces (i.e. exposed software), this could be really worrying.

Cheers,
Johannes

Tags:

Revision history for this message

Johannes Bauer (johannesbauer) wrote on 2014-03-29:

Files which show the command and input file that triggers the issue Edit (851.4 KiB, application/x-tar)

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2014-04-01:

Thanks, I have reported this upstream.

Marc Deslauriers (mdeslaur) on 2015-04-24

information type:	Private Security → Public Security
Changed in tiff (Ubuntu):
status:	New → Confirmed

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Files which show the command and input file that triggers the issue Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntutiff package