2017.05.31 07:23 "[Tiff] Remaining TIFF security issues", by Havard Eidnes

2017.06.01 12:52 "Re: [Tiff] Remaining TIFF security issues", by Even Rouault

There are half a dozen bug reports that are mostly around the same core issue, but triggered by various TIFF utilities.

I created http://bugzilla.maptools.org/show_bug.cgi?id=2580 some time ago as a main entry for these TIFFGetField()-related issues.

I think this would deserve some brainstorming with other libtiff maintainers to see what is the best path to solve this issue. Not clear at all for me.

Something along the proposed http://bugzilla.maptools.org/attachment.cgi?id=751 in http://bugzilla.maptools.org/show_bug.cgi?id=258, extended to take into account missing tags for LZMA, and also used when reading the TIFF directory on the read side (to reject setting TIFF tags corresponding to specific codecs when the codec is not enabled, so that TIFFGetField() returns a missing tag), could be a workaround.

OK I finally pushed a fix along the above lines.

Fixed per

2017-06-01 Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
        and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
        codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
        behaving differently depending on whether the codec is enabled or not, and
        thus can avoid stack based buffer overflows in a number of TIFF utilities
        such as tiffsplit, tiffcmp, thumbnail, etc.
        Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
        (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
        Fixes:

        http://bugzilla.maptools.org/show_bug.cgi?id=2580
        http://bugzilla.maptools.org/show_bug.cgi?id=2693
        http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
        http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
        http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
        http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
        http://bugzilla.maptools.org/show_bug.cgi?id=2441
        http://bugzilla.maptools.org/show_bug.cgi?id=2433

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1244; previous revision: 1.1243
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v  <--  libtiff/tif_dir.h
new revision: 1.55; previous revision: 1.54
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v  <--  libtiff/tif_dirinfo.c
new revision: 1.127; previous revision: 1.126
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <--  libtiff/tif_dirread.c
new revision: 1.209; previous revision: 1.208

You can view it more easily in: https://trac.osgeo.org/gdal/changeset/38774

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com
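As an added illustration of the directory-read filtering the ChangeLog entry above describes (a constructed model, not libtiff's own code): tag and compression numbers follow tiff.h, while the ownership table, the `codec_enabled()` build assumption (no LZMA support) and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Compression schemes and tags, numbered as in libtiff's tiff.h. */
enum { COMP_LZW = 5, COMP_JPEG = 7, COMP_ADOBE_DEFLATE = 8,
       COMP_DEFLATE = 32946, COMP_LZMA = 34925 };
enum { TAG_PREDICTOR = 317, TAG_JPEGTABLES = 347,
       TAG_ZIPQUALITY = 65557, TAG_LZMAPRESET = 65562 };
/* Codecs this hypothetical build was compiled with (assume no LZMA support). */
static bool codec_enabled(uint16_t compression) {
    return compression == COMP_LZW || compression == COMP_JPEG ||
           compression == COMP_ADOBE_DEFLATE || compression == COMP_DEFLATE;
}
/* Codec-specific tags and the compression schemes that own them (constructed). */
struct codec_tag { uint32_t tag; uint16_t comp[3]; };
static const struct codec_tag codec_tags[] = {
    { TAG_PREDICTOR,  { COMP_LZW, COMP_ADOBE_DEFLATE, COMP_DEFLATE } },
    { TAG_JPEGTABLES, { COMP_JPEG, 0, 0 } },
    { TAG_ZIPQUALITY, { COMP_ADOBE_DEFLATE, COMP_DEFLATE, 0 } },
    { TAG_LZMAPRESET, { COMP_LZMA, 0, 0 } },
};
/* Same intent as _TIFFCheckFieldIsValidForCodec(): a tag that is not
 * codec-specific is always valid; a codec-specific one is valid only when the
 * directory's Compression names an owning codec and that codec is built in. */
bool field_is_valid_for_codec(uint16_t compression, uint32_t tag) {
    for (size_t i = 0; i < sizeof codec_tags / sizeof codec_tags[0]; i++) {
        if (codec_tags[i].tag != tag)
            continue;
        for (int j = 0; j < 3; j++)
            if (compression != 0 && codec_tags[i].comp[j] == compression)
                return codec_enabled(compression);
        return false;  /* codec-specific, but not for this directory's codec */
    }
    return true;       /* ordinary (non codec-specific) tag */
}
/* Simulated TIFFReadDirectory() filtering: copies the surviving tags into
 * kept[] and returns their count. Dropped tags are later reported by
 * TIFFGetField() as missing, the same way whether or not the codec exists. */
size_t filter_directory(uint16_t compression, const uint32_t *tags, size_t n,
                        uint32_t *kept) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (field_is_valid_for_codec(compression, tags[i]))
            kept[k++] = tags[i];
    return k;
}
```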