Created an attachment (id=868)
the poc

on Ubuntu 16.04 32-bit, tiff4.0.9

How to reproduce:
1. compile: CC=clang CXX=clang++ ./configure && make && make install
2. ./tiff2pdf poc2

asan info:
=================================================================
==6699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb65006b7 at pc 0xb7ee1751 bp 0xbfdf0368 sp 0xbfdf035c
WRITE of size 8 at 0xb65006b7 thread T0
    #0 0xb7ee1750 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)
    #1 0xb7f63f89 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
    #2 0xb7f8398b (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)
    #3 0x8134534 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x8134534)
    #4 0xb7c5e636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #5 0x805fb37 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x805fb37)

0xb65006b7 is located 6 bytes to the right of 1-byte region [0xb65006b0,0xb65006b1)
allocated by thread T0 here:
    #0 0x81041e4 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x81041e4)
    #1 0xb7f83b53 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd3b53)
    #2 0xb7f63f89 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
    #3 0xb7f8398b (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)
Shadow bytes around the buggy address:
  0x36ca0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca0090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca00b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca00c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36ca00d0: fa fa 01 fa fa fa[01]fa fa fa 00 fa fa fa fd fa
  0x36ca00e0: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x36ca00f0: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa 00 00
  0x36ca0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca0120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6699==ABORTING

gdb info:
Program received signal SIGSEGV, Segmentation fault.
0xb7f81302 in ChopUpSingleUncompressedStrip (tif=<optimized out>) at tif_dirread.c:5724
5724	    newoffsets[strip] = stripbytes ? offset : 0;
(gdb) bt
#0  0xb7f81302 in ChopUpSingleUncompressedStrip (tif=<optimized out>) at tif_dirread.c:5724
#1  TIFFReadDirectory (tif=<optimized out>) at tif_dirread.c:4186
#2  0xb7fa55e0 in TIFFClientOpen (name=<optimized out>, mode=<optimized out>, clientdata=<optimized out>, readproc=<optimized out>, writeproc=<optimized out>, seekproc=<optimized out>, closeproc=<optimized out>, sizeproc=<optimized out>, mapproc=<optimized out>, unmapproc=<optimized out>) at tif_open.c:466
#3  0xb7faedbc in TIFFFdOpen (fd=3, name=<optimized out>, mode=0x805500a "r") at tif_unix.c:211
#4  TIFFOpen (name=<optimized out>, mode=0x805500a "r") at tif_unix.c:250
#5  0x080496ea in main (argc=<optimized out>, argv=<optimized out>) at tiff2pdf.c:751
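A crash-triage helper, added here as an example; it is not part of the bug report or of libtiff. It parses an AddressSanitizer report of the shape shown above into the fields a maintainer needs to bucket and prioritise it: bug kind, access type and size, the faulting frame, and the allocation the access missed. The sample input is a constructed excerpt of this bug's own report (frames trimmed); the class and function names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the opening of the ASan report from this bug,
# reduced to the frames the parser needs (the full trace is in the comment above).
SAMPLE_REPORT = """\
=================================================================
==6699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb65006b7 at pc 0xb7ee1751 bp 0xbfdf0368 sp 0xbfdf035c
WRITE of size 8 at 0xb65006b7 thread T0
    #0 0xb7ee1750 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)
    #1 0xb7f63f89 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
0xb65006b7 is located 6 bytes to the right of 1-byte region [0xb65006b0,0xb65006b1)
allocated by thread T0 here:
    #0 0x81041e4 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x81041e4)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)
"""


@dataclass
class AsanTriage:
    pid: int
    bug_kind: str                       # e.g. heap-buffer-overflow
    access: str                         # READ or WRITE
    access_size: int
    fault_address: int
    top_frame: str                      # frame #0 of the faulting stack (module+offset or symbol)
    region_size: Optional[int] = None   # size of the allocation the access missed
    region_start: Optional[int] = None
    region_end: Optional[int] = None    # exclusive
    distance: Optional[int] = None      # bytes between the region and the access
    side: Optional[str] = None          # 'left' or 'right' of the region

    def bucket(self) -> str:
        """Dedup key: the same bug kind at the same faulting frame is one bug."""
        return f"{self.bug_kind}@{self.top_frame}"

    def bytes_past_region(self) -> Optional[int]:
        """For a right-side overflow, how far beyond the region end the access reaches."""
        if self.side != "right" or self.region_end is None:
            return None
        return self.fault_address + self.access_size - self.region_end

    def priority(self) -> str:
        """Out-of-bounds writes corrupt heap state; reads disclose it. Rank writes first."""
        return "high" if self.access == "WRITE" else "medium"


_ERROR = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
_ACCESS = re.compile(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
# The first '#0' line belongs to the faulting stack; the allocation stack comes later.
_FRAME0 = re.compile(r"^\s*#0 0x[0-9a-fA-F]+ (.+?)\s*$", re.MULTILINE)
_REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                     r"\[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")


def parse_asan_report(text: str) -> AsanTriage:
    """Extract the triage-relevant fields from an AddressSanitizer report."""
    err = _ERROR.search(text)
    acc = _ACCESS.search(text)
    frame = _FRAME0.search(text)
    if not (err and acc and frame):
        raise ValueError("not a recognisable AddressSanitizer report")
    triage = AsanTriage(
        pid=int(err.group(1)),
        bug_kind=err.group(2),
        access=acc.group(1),
        access_size=int(acc.group(2)),
        fault_address=int(acc.group(3), 16),
        top_frame=frame.group(1).strip("()"),
    )
    reg = _REGION.search(text)  # absent for non-heap reports (stack, global, ...)
    if reg:
        triage.distance = int(reg.group(1))
        triage.side = reg.group(2)
        triage.region_size = int(reg.group(3))
        triage.region_start = int(reg.group(4), 16)
        triage.region_end = int(reg.group(5), 16)
    return triage


if __name__ == "__main__":
    t = parse_asan_report(SAMPLE_REPORT)
    print(t.bucket(), t.priority(), "bytes past region:", t.bytes_past_region())
```

Run against the report above, it yields an 8-byte write whose start lies 6 bytes past a 1-byte allocation, so the write ends 14 bytes beyond the region. Bucketing on bug kind plus the unsymbolised module+offset lets duplicate reports from a fuzzing run collapse into one ticket even before the binary is symbolised.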
This issue was assigned CVE-2018-16335
It looks like the fix for http://bugzilla.maptools.org/show_bug.cgi?id=2724, https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8 and https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be as well would address this issue. Can you confirm, or will the issue be addressed separately and the issue only covered given the problematic part is not reached with the pocs?
I can confirm that the fix for CVE-2017-11613 does fix the issue for me.
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.