Ubuntu
tiff package

eog crashed with SIGSEGV in __memset_sse2()

Bug #593067 reported by smpahlman on 2010-06-12

264

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tiff (Ubuntu)	Fix Released	Medium	Unassigned

Bug Description

Binary package hint: eog

eog crashes occasionally when opening the attached reproducer. The file probably makes some branch depend on some unitialized data since the segfault takes place only occasionally and the backtrace changes from time to time.

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Sat Jun 12 17:50:04 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /home/username/radamsa/tiffdst/flipr-12498.tif
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.utf8
SegvAnalysis:
Segfault happened at: 0x4f3f1b8 <__memset_sse2+712>: movntdq %xmm0,0x70(%edx)
PC (0x04f3f1b8) ok
source "%xmm0" ok
destination "0x70(%edx)" (0xb50dc000) not located in a known VMA region (needed writable region)!
SegvReason: writing unknown VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
__memset_sse2 () at ../sysdeps/i386/i686/multiarch/memset-sse2.S:384
_TIFFmemset () from /usr/lib/libtiff.so.4
?? () from /usr/lib/libtiff.so.4
TIFFRGBAImageGet () from /usr/lib/libtiff.so.4
TIFFReadRGBAImageOriented () from /usr/lib/libtiff.so.4
Title: eog crashed with SIGSEGV in __memset_sse2()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
(polkit-gnome-authentication-agent-1:9303): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
(gnome-terminal:9409): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

Tags:

Related branches

lp://staging/ubuntu/natty/tiff

lp://staging/ubuntu/dapper-security/tiff

lp://staging/ubuntu/lucid-security/tiff

lp://staging/ubuntu/hardy-security/tiff

lp://staging/ubuntu/karmic-security/tiff

lp://staging/ubuntu/maverick-security/tiff

CVE References

Revision history for this message

smpahlman (sauli-pahlman) wrote on 2010-06-12:

Reproducer Edit (21.8 KiB, image/tiff)
Dependencies.txt Edit (4.6 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (923 bytes, text/plain; charset="utf-8")
ProcMaps.txt Edit (25.7 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (777 bytes, text/plain; charset="utf-8")
Registers.txt Edit (484 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (3.6 KiB, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (6.4 KiB, text/plain; charset="utf-8")

affects:

eog (Ubuntu) → tiff (Ubuntu)

Revision history for this message

Apport retracing service (apport) wrote on 2010-06-12:

StacktraceTop:
?? () from /lib/tls/i686/cmov/libc.so.6
_TIFFmemset (p=0xb11df008, v=0, c=82253054)
gtStripContig (img=0xb7724b88, raster=0x9a6eb68, w=512,
TIFFRGBAImageGet (img=0xb7724b88, raster=0x9a6eb68, w=512,
TIFFReadRGBAImageOriented (tif=0x9fa4f00, rwidth=512,

Revision history for this message

Apport retracing service (apport) wrote on 2010-06-12: Stacktrace.txt

Stacktrace.txt Edit (2.8 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2010-06-12: ThreadStacktrace.txt

ThreadStacktrace.txt Edit (4.2 KiB, text/plain)

Changed in tiff (Ubuntu):
importance:	Undecided → Medium
tags:	removed: need-i386-retrace

Revision history for this message

Tomas Hoger (thoger) wrote on 2010-06-24:

http://bugzilla.maptools.org/show_bug.cgi?id=2215

Kees Cook (kees) on 2010-06-24

visibility:

private → public

Tomas Hoger (thoger) on 2010-06-29

Changed in tiff (Ubuntu):
status:	New → Confirmed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-03-04:

This bug was fixed in the package tiff - 3.9.4-5ubuntu2

---------------
tiff (3.9.4-5ubuntu2) natty; urgency=low

  * SECURITY UPDATE: denial of service via invalid td_stripbytecount field
    (LP: #597246)
    - debian/patches/CVE-2010-2482.patch: look for missing strip byte
      counts in libtiff/tif_ojpeg.c, tools/tiffsplit.c.
    - CVE-2010-2482
  * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite
    values
    - debian/patches/CVE-2010-2595.patch: validate values in
      libtiff/tif_color.c.
    - CVE-2010-2595
  * SECURITY UPDATE: denial of service via devide-by-zero (LP: #593067)
    - debian/patches/CVE-2010-2597.patch: properly initialize fields in
      libtiff/tif_strip.c.
    - CVE-2010-2597
    - CVE-2010-2598
  * SECURITY UPDATE: denial of service via out-of-order tags
    - debian/patches/CVE-2010-2630.patch: correctly handle order in
      libtiff/tif_dirread.c.
    - CVE-2010-2630
  * SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in Fax4Decode
    - debian/patches/CVE-2011-0192.patch: check length in
      libtiff/tif_fax3.h.
    - CVE-2011-0192
-- Marc Deslauriers <email address hidden> Thu, 03 Mar 2011 10:52:21 -0500

Changed in tiff (Ubuntu):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

auto-bugzilla.maptools.org #2215
[RESOLVED FIXED] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntutiff package

eog crashed with SIGSEGV in __memset_sse2()

Bug Description

Related branches

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
tiff package