
touch-packages team mailing list archive

[Bug 1299533] Re: Reproducible crash in tiff2png (libtiff-tools), illegal free

 

** Information type changed from Private Security to Public Security

** Changed in: tiff (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tiff in Ubuntu.
https://bugs.launchpad.net/bugs/1299533

Title:
  Reproducible crash in tiff2png (libtiff-tools), illegal free

Status in tiff package in Ubuntu:
  Confirmed

Bug description:
  I'm on Linux Mint Petra (which is essentially saucy without the Ubuntu
  bullshit like Unity) on x86_64. Since they use your apt repo and this
  might possibly warrant even a CVE, I report this bug here, since
  you're upstream (for the packaging at least).

  When trying to convert a tiff file to a png using tiff2png I can
  reproducibly get a crash at file generation (i.e. some output is
  generated but it's not a valid PDF since the footer xref table is
  missing). The crash always occurs because of an invalid free. Addresses
  vary obviously (ASLR):

  *** Error in `tiff2pdf': free(): invalid size: 0x00007faa5cabfc20 ***
  ======= Backtrace: =========
  /lib/x86_64-linux-gnu/libc.so.6(+0x80996)[0x7faa5b005996]
  tiff2pdf(+0x5d76)[0x7faa5b7e9d76]
  tiff2pdf(+0xc0ef)[0x7faa5b7f00ef]
  tiff2pdf(main+0x156)[0x7faa5b7e6586]
  /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7faa5afa6de5]
  tiff2pdf(+0x2a4d)[0x7faa5b7e6a4d]
  ======= Memory map: ========
  7faa59fc9000-7faa59fde000 r-xp 00000000 08:11 262157                     /lib/x86_64-linux-gnu/libgcc_s.so.1
  7faa59fde000-7faa5a1dd000 ---p 00015000 08:11 262157                     /lib/x86_64-linux-gnu/libgcc_s.so.1
  7faa5a1dd000-7faa5a1de000 r--p 00014000 08:11 262157                     /lib/x86_64-linux-gnu/libgcc_s.so.1
  7faa5a1de000-7faa5a1df000 rw-p 00015000 08:11 262157                     /lib/x86_64-linux-gnu/libgcc_s.so.1
  7faa5a1df000-7faa5a1e2000 r-xp 00000000 08:11 266169                     /lib/x86_64-linux-gnu/libdl-2.17.so
  7faa5a1e2000-7faa5a3e1000 ---p 00003000 08:11 266169                     /lib/x86_64-linux-gnu/libdl-2.17.so
  7faa5a3e1000-7faa5a3e2000 r--p 00002000 08:11 266169                     /lib/x86_64-linux-gnu/libdl-2.17.so
  7faa5a3e2000-7faa5a3e3000 rw-p 00003000 08:11 266169                     /lib/x86_64-linux-gnu/libdl-2.17.so
  7faa5a3e3000-7faa5a4e6000 r-xp 00000000 08:11 266205                     /lib/x86_64-linux-gnu/libm-2.17.so
  7faa5a4e6000-7faa5a6e5000 ---p 00103000 08:11 266205                     /lib/x86_64-linux-gnu/libm-2.17.so
  7faa5a6e5000-7faa5a6e6000 r--p 00102000 08:11 266205                     /lib/x86_64-linux-gnu/libm-2.17.so
  7faa5a6e6000-7faa5a6e7000 rw-p 00103000 08:11 266205                     /lib/x86_64-linux-gnu/libm-2.17.so
  7faa5a6e7000-7faa5a6ff000 r-xp 00000000 08:11 266310                     /lib/x86_64-linux-gnu/libz.so.1.2.8
  7faa5a6ff000-7faa5a8fe000 ---p 00018000 08:11 266310                     /lib/x86_64-linux-gnu/libz.so.1.2.8
  7faa5a8fe000-7faa5a8ff000 r--p 00017000 08:11 266310                     /lib/x86_64-linux-gnu/libz.so.1.2.8
  7faa5a8ff000-7faa5a900000 rw-p 00018000 08:11 266310                     /lib/x86_64-linux-gnu/libz.so.1.2.8
  7faa5a900000-7faa5a943000 r-xp 00000000 08:11 1446551                    /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
  7faa5a943000-7faa5ab43000 ---p 00043000 08:11 1446551                    /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
  7faa5ab43000-7faa5ab44000 r--p 00043000 08:11 1446551                    /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
  7faa5ab44000-7faa5ab45000 rw-p 00044000 08:11 1446551                    /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
  7faa5ab45000-7faa5ab55000 rw-p 00000000 00:00 0 
  7faa5ab55000-7faa5ab60000 r-xp 00000000 08:11 1451362                    /usr/lib/x86_64-linux-gnu/libjbig.so.0.0.0
  7faa5ab60000-7faa5ad5f000 ---p 0000b000 08:11 1451362                    /usr/lib/x86_64-linux-gnu/libjbig.so.0.0.0
  7faa5ad5f000-7faa5ad60000 r--p 0000a000 08:11 1451362                    /usr/lib/x86_64-linux-gnu/libjbig.so.0.0.0
  7faa5ad60000-7faa5ad63000 rw-p 0000b000 08:11 1451362                    /usr/lib/x86_64-linux-gnu/libjbig.so.0.0.0
  7faa5ad63000-7faa5ad84000 r-xp 00000000 08:11 266202                     /lib/x86_64-linux-gnu/liblzma.so.5.0.0
  7faa5ad84000-7faa5af83000 ---p 00021000 08:11 266202                     /lib/x86_64-linux-gnu/liblzma.so.5.0.0
  7faa5af83000-7faa5af84000 r--p 00020000 08:11 266202                     /lib/x86_64-linux-gnu/liblzma.so.5.0.0
  7faa5af84000-7faa5af85000 rw-p 00021000 08:11 266202                     /lib/x86_64-linux-gnu/liblzma.so.5.0.0
  7faa5af85000-7faa5b142000 r-xp 00000000 08:11 266154                     /lib/x86_64-linux-gnu/libc-2.17.so
  7faa5b142000-7faa5b342000 ---p 001bd000 08:11 266154                     /lib/x86_64-linux-gnu/libc-2.17.so
  7faa5b342000-7faa5b346000 r--p 001bd000 08:11 266154                     /lib/x86_64-linux-gnu/libc-2.17.so
  7faa5b346000-7faa5b348000 rw-p 001c1000 08:11 266154                     /lib/x86_64-linux-gnu/libc-2.17.so
  7faa5b348000-7faa5b34d000 rw-p 00000000 00:00 0 
  7faa5b34d000-7faa5b3bb000 r-xp 00000000 08:11 1451707                    /usr/lib/x86_64-linux-gnu/libtiff.so.5.1.0
  7faa5b3bb000-7faa5b5bb000 ---p 0006e000 08:11 1451707                    /usr/lib/x86_64-linux-gnu/libtiff.so.5.1.0
  7faa5b5bb000-7faa5b5bc000 r--p 0006e000 08:11 1451707                    /usr/lib/x86_64-linux-gnu/libtiff.so.5.1.0
  7faa5b5bc000-7faa5b5bf000 rw-p 0006f000 08:11 1451707                    /usr/lib/x86_64-linux-gnu/libtiff.so.5.1.0
  7faa5b5bf000-7faa5b5e2000 r-xp 00000000 08:11 266130                     /lib/x86_64-linux-gnu/ld-2.17.so
  7faa5b6b5000-7faa5b7b3000 r--s 00000000 fc:00 43915789                   /home/joe/bugreport/in.tiff
  7faa5b7b3000-7faa5b7b8000 rw-p 00000000 00:00 0 
  7faa5b7dd000-7faa5b7e1000 rw-p 00000000 00:00 0 
  7faa5b7e1000-7faa5b7e2000 r--p 00022000 08:11 266130                     /lib/x86_64-linux-gnu/ld-2.17.so
  7faa5b7e2000-7faa5b7e4000 rw-p 00023000 08:11 266130                     /lib/x86_64-linux-gnu/ld-2.17.so
  7faa5b7e4000-7faa5b7f4000 r-xp 00000000 08:11 1463449                    /usr/bin/tiff2pdf
  7faa5b9f3000-7faa5b9f4000 r--p 0000f000 08:11 1463449                    /usr/bin/tiff2pdf
  7faa5b9f4000-7faa5b9f5000 rw-p 00010000 08:11 1463449                    /usr/bin/tiff2pdf
  7faa5cabe000-7faa5cadf000 rw-p 00000000 00:00 0                          [heap]
  7fff5e17a000-7fff5e19b000 rw-p 00000000 00:00 0                          [stack]
  7fff5e1fe000-7fff5e200000 r-xp 00000000 00:00 0                          [vdso]
  ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
  ./cmd: line 5:  8522 Aborted                 tiff2pdf -o out.pdf -j in.tiff

  Here are the package sources I'm using and the versions of some
  libraries which are pulled in:

  ii  libtiff-tools                               4.0.2-4ubuntu3                             amd64        TIFF manipulation and conversion tools
  ii  libtiff4:amd64                              3.9.7-2ubuntu1                             amd64        Tag Image File Format (TIFF) library (old version)
  ii  libtiff5:amd64                              4.0.2-4ubuntu3                             amd64        Tag Image File Format (TIFF) library
  ii  libjpeg8:amd64                              8c-2ubuntu8                                amd64        Independent JPEG Group's JPEG runtime library (dependency package)
  ii  libjpeg8-dev:amd64                          8c-2ubuntu8                                amd64        Independent JPEG Group's JPEG runtime library (dependency package)
  ii  libjbig0:amd64                              2.0-2ubuntu1                               amd64        JBIGkit libraries
  ii  libjbig2dec0                                0.11+20120125-1ubuntu1                     amd64        JBIG2 decoder library - shared libraries

  I do not yet know if this bug is exploitable, but it might well be.
  I'll do some further digging. And I'll attach to this bug the file
  with which the bug can be reproduced. Since image to PDF conversion is
  something that is widely used in web interfaces (i.e. exposed
  software), this could be really worrying.

  Cheers,
  Johannes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1299533/+subscriptions
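The reporter notes that the absolute addresses in the abort message vary between runs because of ASLR, which makes two crash logs hard to compare. The stable quantity is the offset inside each mapped object, and glibc's "Memory map" section gives everything needed to recompute it. The following Python script is an added triage example, not part of the bug report or of libtiff's tooling: it parses the glibc malloc-abort dump, resolves every backtrace frame to module plus file offset via the memory map, cross-checks those offsets against the "+0x..." values glibc printed, and reports which region the pointer handed to free() lives in. The embedded input is a constructed excerpt of the dump above, reduced to the mappings the backtrace actually touches.

```python
import re

# Constructed excerpt of the glibc abort output quoted in the bug report;
# only the mappings the backtrace touches are kept, as a sample input.
CRASH_TEXT = """\
*** Error in `tiff2pdf': free(): invalid size: 0x00007faa5cabfc20 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x80996)[0x7faa5b005996]
tiff2pdf(+0x5d76)[0x7faa5b7e9d76]
tiff2pdf(+0xc0ef)[0x7faa5b7f00ef]
tiff2pdf(main+0x156)[0x7faa5b7e6586]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7faa5afa6de5]
tiff2pdf(+0x2a4d)[0x7faa5b7e6a4d]
======= Memory map: ========
7faa5af85000-7faa5b142000 r-xp 00000000 08:11 266154                     /lib/x86_64-linux-gnu/libc-2.17.so
7faa5b7e4000-7faa5b7f4000 r-xp 00000000 08:11 1463449                    /usr/bin/tiff2pdf
7faa5cabe000-7faa5cadf000 rw-p 00000000 00:00 0                          [heap]
7fff5e17a000-7fff5e19b000 rw-p 00000000 00:00 0                          [stack]
"""

# "*** Error in `prog': reason: 0xptr ***" as printed by glibc's malloc checks
ERROR_RE = re.compile(r"^\*\*\* Error in `(.+?)': (.+?): 0x([0-9a-f]+) \*\*\*$")
# "object(symbol+off)[0xaddr]" as printed by backtrace_symbols_fd
FRAME_RE = re.compile(r"^([^(]+)\((.*?)\)\[0x([0-9a-f]+)\]$")
# "start-end perms offset dev inode path" in /proc/self/maps format
MAP_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*?)\s*$")


def parse_crash(text):
    """Split a glibc malloc-abort dump into (error, frames, mappings)."""
    error, frames, maps = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ERROR_RE.match(line)
        if m:
            error = {"program": m.group(1), "reason": m.group(2),
                     "ptr": int(m.group(3), 16)}
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append({"object": m.group(1), "symbol": m.group(2),
                           "addr": int(m.group(3), 16)})
            continue
        m = MAP_RE.match(line)
        if m:
            start, end, perms, off, path = m.groups()
            maps.append({"start": int(start, 16), "end": int(end, 16),
                         "perms": perms, "offset": int(off, 16),
                         "path": path or "[anon]"})
    return error, frames, maps


def resolve(maps, addr):
    """Map an absolute address to (path, file offset) via the memory map."""
    for m in maps:
        if m["start"] <= addr < m["end"]:
            return m["path"], addr - m["start"] + m["offset"]
    return None


def resolve_backtrace(text):
    """Return [(symbolic, path, file_offset)] for every frame in the dump.
    The path comes from the map (e.g. libc-2.17.so), not the symlink name
    glibc printed (libc.so.6)."""
    _, frames, maps = parse_crash(text)
    out = []
    for f in frames:
        hit = resolve(maps, f["addr"])
        path, off = hit if hit else ("<unmapped>", None)
        out.append((f["symbol"], path, off))
    return out


def offsets_agree(text):
    """Cross-check: for frames glibc printed as a bare '+0x...' offset, the
    offset recomputed from the map must match. True means the backtrace and
    the map describe the same process image and the log is internally
    consistent, so offsets can be compared across ASLR-randomised runs."""
    for symbol, _, off in resolve_backtrace(text):
        if symbol.startswith("+0x") and int(symbol[1:], 16) != off:
            return False
    return True


def classify_pointer(text):
    """Report which region (heap, stack, a mapped file, or nothing) the
    pointer passed to free() lives in, plus its offset inside that region."""
    error, _, maps = parse_crash(text)
    hit = resolve(maps, error["ptr"])
    return hit if hit else ("unmapped", None)


if __name__ == "__main__":
    for sym, path, off in resolve_backtrace(CRASH_TEXT):
        print(f"{path}+0x{off:x}  ({sym})")
    print("map/backtrace consistent:", offsets_agree(CRASH_TEXT))
    print("freed pointer lives in:", classify_pointer(CRASH_TEXT))
```

For this log the recomputed offsets match glibc's own (+0x5d76, +0xc0ef and +0x2a4d inside /usr/bin/tiff2pdf, +0x80996 inside libc), and the pointer that free() rejected sits 0x1c20 bytes into [heap]. A "free(): invalid size" abort on a pointer that is a genuine heap allocation means the chunk's own size header was overwritten before the free, which is the signature of an out-of-bounds write elsewhere in the heap rather than a bad pointer; the stable offsets from this script are what you would take to `addr2line` on the matching debug package, and a rebuild with AddressSanitizer is the usual next step to catch the write itself.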