touch-packages team mailing list archive
Message #72968
[Bug 1299533] Re: Reproducible crash in tiff2png (libtiff-tools), illegal free
** Information type changed from Private Security to Public Security
** Changed in: tiff (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tiff in Ubuntu.
https://bugs.launchpad.net/bugs/1299533
Title:
Reproducible crash in tiff2png (libtiff-tools), illegal free
Status in tiff package in Ubuntu:
Confirmed
Bug description:
I'm on Linux Mint Petra (which is essentially saucy without the Ubuntu
bullshit like Unity) on x86_64. Since they use your apt repo and this
might possibly warrant even a CVE, I report this bug here, since
you're upstream (for the packaging at least).
When trying to convert a tiff file to a png using tiff2png I can
reproducibly get a crash at file generation (i.e. some output is
generated but it's not a valid PDF since the footer xref table is
missing). The crash always occurs because of an invalid free. Addresses
vary obviously (ASLR):
*** Error in `tiff2pdf': free(): invalid size: 0x00007faa5cabfc20 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x80996)[0x7faa5b005996]
tiff2pdf(+0x5d76)[0x7faa5b7e9d76]
tiff2pdf(+0xc0ef)[0x7faa5b7f00ef]
tiff2pdf(main+0x156)[0x7faa5b7e6586]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7faa5afa6de5]
tiff2pdf(+0x2a4d)[0x7faa5b7e6a4d]
======= Memory map: ========
./cmd: line 5: 8522 Aborted tiff2pdf -o out.pdf -j in.tiff
Here are the package sources I'm using and the versions of some
libraries that are pulled in:
ii libtiff-tools 4.0.2-4ubuntu3 amd64 TIFF manipulation and conversion tools
ii libtiff4:amd64 3.9.7-2ubuntu1 amd64 Tag Image File Format (TIFF) library (old version)
ii libtiff5:amd64 4.0.2-4ubuntu3 amd64 Tag Image File Format (TIFF) library
ii libjpeg8:amd64 8c-2ubuntu8 amd64 Independent JPEG Group's JPEG runtime library (dependency package)
ii libjpeg8-dev:amd64 8c-2ubuntu8 amd64 Independent JPEG Group's JPEG runtime library (dependency package)
ii libjbig0:amd64 2.0-2ubuntu1 amd64 JBIGkit libraries
ii libjbig2dec0 0.11+20120125-1ubuntu1 amd64 JBIG2 decoder library - shared libraries
I do not yet know if this bug is exploitable, but it might well be.
I'll do some further digging. And I'll attach to this bug the file
with which the bug can be reproduced. Since image to PDF conversion is
something that is widely used in web interfaces (i.e. exposed
software), this could be really worrying.
Cheers,
Johannes
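An added triage example, not part of the bug report or of the tiff package: a parser for the glibc malloc-check abort output quoted above that pulls out the error kind and the bad pointer, the backtrace frames, which mapping the pointer falls in (here the [heap] region), and the first frame outside libc to hand to addr2line or gdb. SAMPLE is constructed from the report's abort line and backtrace plus three lines of its memory map.

```python
import re

# Constructed sample: the glibc abort lines quoted in the bug report above,
# trimmed to a few frames and to the three mappings that matter for triage.
SAMPLE = """\
*** Error in `tiff2pdf': free(): invalid size: 0x00007faa5cabfc20 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x80996)[0x7faa5b005996]
tiff2pdf(+0x5d76)[0x7faa5b7e9d76]
tiff2pdf(main+0x156)[0x7faa5b7e6586]
======= Memory map: ========
7faa5b7e4000-7faa5b7f4000 r-xp 00000000 08:11 1463449 /usr/bin/tiff2pdf
7faa5cabe000-7faa5cadf000 rw-p 00000000 00:00 0 [heap]
7fff5e17a000-7fff5e19b000 rw-p 00000000 00:00 0 [stack]
"""

ERR_RE = re.compile(r"\*\*\* Error in `(?P<prog>[^']+)': (?P<what>.+?): 0x(?P<addr>[0-9a-f]+) \*\*\*")
FRAME_RE = re.compile(r"^(?P<obj>\S+?)\((?P<sym>[^)]*)\)\[0x(?P<pc>[0-9a-f]+)\]$")
MAP_RE = re.compile(r"^(?P<lo>[0-9a-f]+)-(?P<hi>[0-9a-f]+) \S{4} \S+ \S+ \S+\s*(?P<path>.*)$")

def triage_glibc_abort(text):
    """Parse a glibc malloc-check abort: error kind, bad pointer, frames, and
    which mapping the pointer falls in (heap, stack, a library, anonymous)."""
    info = {"program": None, "error": None, "addr": None, "frames": [], "region": None}
    section = None
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if m:
            info["program"], info["error"] = m["prog"], m["what"]
            info["addr"] = int(m["addr"], 16)
        elif line.startswith("======= Backtrace"):
            section = "bt"
        elif line.startswith("======= Memory map"):
            section = "map"
        elif section == "bt" and (m := FRAME_RE.match(line)):
            info["frames"].append((m["obj"], m["sym"], int(m["pc"], 16)))
        elif section == "map" and (m := MAP_RE.match(line)):
            lo, hi = int(m["lo"], 16), int(m["hi"], 16)
            if info["addr"] is not None and lo <= info["addr"] < hi:
                info["region"] = m["path"] or "<anonymous>"
    return info

def first_app_frame(info):
    """First frame outside libc, i.e. where to point addr2line or gdb."""
    for frame in info["frames"]:
        if "libc" not in frame[0]:
            return frame
    return None
```

A pointer that resolves to [heap] with "invalid size" points at a corrupted or mismatched chunk header rather than a stack or library address, which narrows the search to the allocations made before the offending free.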