2017.06.01 12:52 "Re: [Tiff] Remaining TIFF security issues", by Even Rouault
There are half a dozen bug reports that are mostly around the same core issue, but triggered by various TIFF utilities.
I created http://bugzilla.maptools.org/show_bug.cgi?id=2580 some time ago as a main entry for these TIFFGetField()-related issues.
I think this would deserve some brainstorming with other libtiff maintainers to see what the best path to solve this issue is. Not clear at all to me.
Something along the proposed http://bugzilla.maptools.org/attachment.cgi?id=751 in
http://bugzilla.maptools.org/show_bug.cgi?id=258, extended to take into account missing tags for LZMA, and also used when reading the TIFF directory on the read side (to reject setting TIFF tags corresponding to specific codecs when the codec is not enabled, so that TIFFGetField() returns a missing tag) could be a workaround.
OK I finally pushed a fix along the above lines.
Fixed per
2017-06-01 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
behaving differently depending on whether the codec is enabled or not, and
thus can avoid stack based buffer overflows in a number of TIFF utilities
such as tiffsplit, tiffcmp, thumbnail, etc.
Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
Fixes:
http://bugzilla.maptools.org/show_bug.cgi?id=2580
http://bugzilla.maptools.org/show_bug.cgi?id=2693
http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
http://bugzilla.maptools.org/show_bug.cgi?id=2441
http://bugzilla.maptools.org/show_bug.cgi?id=2433
/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1244; previous revision: 1.1243
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v <-- libtiff/tif_dir.h
new revision: 1.55; previous revision: 1.54
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v <-- libtiff/tif_dirinfo.c
new revision: 1.127; previous revision: 1.126
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
new revision: 1.209; previous revision: 1.208
You can view it more easily in: https://trac.osgeo.org/gdal/changeset/38774
Even
--
Spatialys - Geospatial professional services
http://www.spatialys.com
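The ChangeLog above describes the fix as a filter applied while the directory is read, so that a codec-specific tag whose codec is not enabled is ignored and TIFFGetField() reports it missing instead of returning an "anonymous" field with a different out-argument shape than the caller expects. The following C program is an added example written for this page; it is not part of Even Rouault's message and not libtiff's code. The tag and compression numbers are the standard TIFF values, but the field table, the codec bitmask, the two IFDs and every function and type name (check_field_is_valid_for_codec, read_directory, copy_u16_field, probe and so on) are constructed for the illustration. The model treats both "tag belongs to a codec other than the directory's" and "the directory's codec is compiled out" as "not enabled"; which of these libtiff's own check covers is not shown on this page. The copy helper reports the shape mismatch as -1 instead of performing the mismatched write, since the real mismatch is undefined behaviour (the stack overflow the ChangeLog refers to).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag and compression numbers are the standard TIFF values (as in tiff.h);
 * everything else in this file is a model written for this note, not libtiff. */
enum { TAG_IMAGEWIDTH = 256, TAG_COMPRESSION = 259, TAG_GROUP3OPTIONS = 292, TAG_GROUP4OPTIONS = 293,
       TAG_PREDICTOR = 317, TAG_JPEGTABLES = 347, TAG_LZMAPRESET = 65562 };
enum { COMP_NONE = 1, COMP_CCITTFAX3 = 3, COMP_CCITTFAX4 = 4, COMP_LZW = 5, COMP_JPEG = 7,
       COMP_DEFLATE = 8, COMP_LZMA = 34925 };
enum { CODEC_FAX = 1, CODEC_LZW = 2, CODEC_JPEG = 4, CODEC_ZIP = 8, CODEC_LZMA = 16, CODEC_ALL = 31 }; /* codecs compiled in (model) */
enum sig { SIG_MISSING = 0, SIG_U16, SIG_U32, SIG_COUNT_PTR };  /* out-argument shape of a TIFFGetField()-style call */

static unsigned codec_bit(uint16_t comp) {
    switch (comp) {
    case COMP_CCITTFAX3: case COMP_CCITTFAX4: return CODEC_FAX;
    case COMP_LZW: return CODEC_LZW;      case COMP_JPEG: return CODEC_JPEG;
    case COMP_DEFLATE: return CODEC_ZIP;  case COMP_LZMA: return CODEC_LZMA;
    default: return 0;
    }
}

/* The filter the ChangeLog describes: may this codec-specific tag appear in a
 * directory compressed with `comp`? Tags that are not codec-specific always pass. */
static int check_field_is_valid_for_codec(uint16_t comp, uint32_t tag) {
    switch (tag) {
    case TAG_PREDICTOR:     return comp == COMP_LZW || comp == COMP_DEFLATE || comp == COMP_LZMA;
    case TAG_GROUP3OPTIONS: return comp == COMP_CCITTFAX3;
    case TAG_GROUP4OPTIONS: return comp == COMP_CCITTFAX4;
    case TAG_JPEGTABLES:    return comp == COMP_JPEG;
    case TAG_LZMAPRESET:    return comp == COMP_LZMA;
    default:                return 1;
    }
}
/* Compression 0 matches no codec, so only codec-specific tags fail the check. */
static int is_codec_tag(uint32_t tag) { return !check_field_is_valid_for_codec(0, tag); }

/* A codec-specific field is registered with its real shape only by the codec that owns
 * it, and only when that codec is compiled in; any other tag met in the file becomes an
 * "anonymous" field, read back as (count, pointer). */
static enum sig registered_sig(uint16_t comp, unsigned enabled, uint32_t tag) {
    if (tag == TAG_IMAGEWIDTH || tag == TAG_COMPRESSION) return tag == TAG_COMPRESSION ? SIG_U16 : SIG_U32;
    if (!is_codec_tag(tag) || !check_field_is_valid_for_codec(comp, tag) || !(codec_bit(comp) & enabled))
        return SIG_COUNT_PTR;
    if (tag == TAG_PREDICTOR || tag == TAG_LZMAPRESET) return SIG_U16;
    return tag == TAG_JPEGTABLES ? SIG_COUNT_PTR : SIG_U32;   /* JPEGTables really is count+bytes */
}
typedef struct { uint32_t tag; uint32_t value; } ifd_entry;            /* entry as on disk */
typedef struct { uint32_t tag; enum sig sig; uint32_t value; } field;   /* entry as registered */
typedef struct { uint16_t compression; int n; field f[8]; } tiff_dir;

/* Directory reader. with_fix == 0 keeps every entry (pre-fix behaviour);
 * with_fix == 1 ignores codec tags whose codec is not enabled for this directory. */
static tiff_dir read_directory(const ifd_entry *e, int n, unsigned enabled, int with_fix) {
    tiff_dir d; memset(&d, 0, sizeof d); d.compression = COMP_NONE;
    for (int i = 0; i < n; i++)
        if (e[i].tag == TAG_COMPRESSION) d.compression = (uint16_t)e[i].value;
    for (int i = 0; i < n && d.n < 8; i++) {
        uint32_t tag = e[i].tag;
        int enabled_here = check_field_is_valid_for_codec(d.compression, tag) && (codec_bit(d.compression) & enabled);
        if (with_fix && is_codec_tag(tag) && !enabled_here)
            continue;                       /* ignored: TIFFGetField() will report it missing */
        d.f[d.n++] = (field){ tag, registered_sig(d.compression, enabled, tag), e[i].value };
    }
    return d;
}

/* Model of a tiffsplit-style CopyField(tag, shortv): the caller hands over one uint16 slot.
 * 1 = copied, 0 = tag absent, -1 = the library would have written a uint32 count plus a
 * pointer through that single pointer (the stack overflow). */
static int copy_u16_field(const tiff_dir *d, uint32_t tag, uint16_t *out) {
    for (int i = 0; i < d->n; i++) {
        if (d->f[i].tag != tag) continue;
        if (d->f[i].sig != SIG_U16) return -1;
        if (out) *out = (uint16_t)d->f[i].value;
        return 1;
    }
    return 0;
}
/* Read an IFD under a given build configuration, then attempt the copy. */
static int probe(const ifd_entry *e, int n, unsigned enabled, int with_fix, uint32_t tag, uint16_t *out) {
    tiff_dir d = read_directory(e, n, enabled, with_fix);
    return copy_u16_field(&d, tag, out);
}

/* Constructed IFDs: a JPEG image smuggling a Predictor tag (no JPEG codec registers
 * one), and a legitimate LZW image using horizontal differencing (Predictor = 2). */
static const ifd_entry jpeg_with_predictor[] = { {TAG_IMAGEWIDTH, 64}, {TAG_COMPRESSION, COMP_JPEG}, {TAG_PREDICTOR, 2} };
static const ifd_entry lzw_with_predictor[]  = { {TAG_IMAGEWIDTH, 64}, {TAG_COMPRESSION, COMP_LZW},  {TAG_PREDICTOR, 2} };

int main(void) {
    uint16_t v = 0;
    printf("JPEG+Predictor, pre-fix/with fix: %d/%d (-1 = would overflow, 0 = missing)\n",
           probe(jpeg_with_predictor, 3, CODEC_ALL, 0, TAG_PREDICTOR, NULL),
           probe(jpeg_with_predictor, 3, CODEC_ALL, 1, TAG_PREDICTOR, NULL));
    printf("LZW+Predictor, LZW compiled out, pre-fix/with fix: %d/%d\n",
           probe(lzw_with_predictor, 3, CODEC_ALL & ~CODEC_LZW, 0, TAG_PREDICTOR, NULL),
           probe(lzw_with_predictor, 3, CODEC_ALL & ~CODEC_LZW, 1, TAG_PREDICTOR, NULL));
    int r = probe(lzw_with_predictor, 3, CODEC_ALL, 1, TAG_PREDICTOR, &v);
    printf("LZW+Predictor, LZW enabled, with fix: %d, predictor=%u\n", r, (unsigned)v);
    return 0;
}
```

The point the model makes is the one in the ChangeLog: a utility that asks for TIFFTAG_PREDICTOR with a uint16 slot is only safe if the answer is either "missing" or a field registered with that shape. Before the fix, the same call on the same file gave a (count, pointer) answer whenever the predictor's codec was not the active, compiled-in one; after the fix, the reader never registers such a field, so the utility's assumption holds whatever the build configuration.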