Bug 2795 - There is a reachable assertion abort in function TIFFWriteDirectorySec() of libtiff 4.0.9. A crafted input will lead to remote denial of attack. (CVE-2018-10963)
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Importance: P2 normal
Target Milestone: ---
Reported: 2018-05-09 14:30
Modified: 2018-05-12 07:24


Attachments
Triggered by ./tiffset POC (188 bytes, application/octet-stream)
2018-05-09 14:30, c1208828

Description From 2018-05-09 14:30:11
Created an attachment (id=859)
Triggered by ./tiffset POC

Triggered by ./tiffset POC

Version: 4.0.9


The output information is as follows:

$ ./tiffset POC

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 36 (0x24) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 43433 (0xa9a9) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 36"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per
sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct
SamplesPerPixel value of 3.
tiffset: tif_dirwrite.c:700: TIFFWriteDirectorySec: Assertion `0' failed.
Aborted (core dumped)

GDB debugging information is as follows:

(gdb) set args POC
(gdb) r

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 36 (0x24) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 43433 (0xa9a9) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 36"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per
sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct
SamplesPerPixel value of 3.
tiffset: tif_dirwrite.c:700: TIFFWriteDirectorySec: Assertion `0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff72c6428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54    ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff72c6428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff72c802a in __GI_abort () at abort.c:89
#2  0x00007ffff72bebd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x5743fd "0",
    file=file@entry=0x574328 "tif_dirwrite.c", line=line@entry=700,
    function=function@entry=0x574e90 <__PRETTY_FUNCTION__.4815> "TIFFWriteDirectorySec") at assert.c:92
#3  0x00007ffff72bec82 in __GI___assert_fail (assertion=assertion@entry=0x5743fd "0",
    file=file@entry=0x574328 "tif_dirwrite.c", line=line@entry=700,
    function=function@entry=0x574e90 <__PRETTY_FUNCTION__.4815> "TIFFWriteDirectorySec") at assert.c:101
#4  0x000000000048ddc9 in TIFFWriteDirectorySec (tif=tif@entry=0x79d010, isimage=isimage@entry=1,
    imagedone=imagedone@entry=1, pdiroff=pdiroff@entry=0x0) at tif_dirwrite.c:700
#5  0x000000000049766c in TIFFWriteDirectorySec (pdiroff=<optimized out>, imagedone=<optimized out>,
    isimage=<optimized out>, tif=<optimized out>) at tif_dirwrite.c:320
#6  TIFFWriteDirectory (tif=<optimized out>) at tif_dirwrite.c:184
#7  TIFFRewriteDirectory (tif=tif@entry=0x79d010) at tif_dirwrite.c:360
#8  0x0000000000403a75 in main (argc=2, argv=<optimized out>) at tiffset.c:344

Breakpoint 1 at 0x48ddb0: file tif_dirwrite.c, line 700.
(gdb) r
Starting program: /home/afl/parse/eval/tiffset/tiffset POC
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 36 (0x24) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 43433 (0xa9a9) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 36"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per
sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct
SamplesPerPixel value of 3.

Breakpoint 1, TIFFWriteDirectorySec (tif=tif@entry=0x79d010, isimage=isimage@entry=1, imagedone=imagedone@entry=1,
    pdiroff=pdiroff@entry=0x0) at tif_dirwrite.c:700
700                                    assert(0);   /* we should never get here */
(gdb) l
695                                        if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb))
696                                            goto bad;
697                                    }
698                                    break;
699                                default:
700                                    assert(0);   /* we should never get here */
701                                    break;
702                            }
703                        }
704                    }

(gdb) n
tiffset: tif_dirwrite.c:700: TIFFWriteDirectorySec: Assertion `0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff72c6428 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:54
54    ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Actual results:

crash

Expected results:

crash

Additional info:

The crash can be reproduced by the attached file.


Tiffset sets the value of a TIFF header to a specified value. It will
modify the raw POC file, so it's better to have a backup every time before
testing.
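
The pattern behind the abort at tif_dirwrite.c:700, as an added example that is not libtiff code and not part of the original report: a `default: assert(0)` branch reached by a value taken from the input file, next to a form that reports an error to the caller instead. The enum, the function names and the type value 99 are hypothetical; the child process exists only so the abort can be observed without killing the caller.

```c
/* Added illustration; NOT libtiff source. All names are hypothetical. */
#undef NDEBUG                 /* keep assert() active, as in the reported build */
#include <assert.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum set_type { SET_ASCII = 1, SET_UINT16 = 2, SET_UNDEFINED = 3 };

/* Pattern from the listing: a file-derived value is treated as impossible. */
static int write_tag_asserting(int set_type)
{
    switch (set_type) {
    case SET_ASCII: case SET_UINT16: case SET_UNDEFINED:
        return 1;                       /* stands in for writing the tag */
    default:
        assert(0);                      /* reachable with crafted input */
        return 0;
    }
}

/* Hardened form: an unknown type is an input error the caller can handle. */
static int write_tag_checked(int set_type, unsigned tag)
{
    switch (set_type) {
    case SET_ASCII: case SET_UINT16: case SET_UNDEFINED:
        return 1;
    default:
        fprintf(stderr, "cannot write tag %u: unsupported type %d\n", tag, set_type);
        return 0;
    }
}

/* Runs the asserting writer in a child process.
 * Returns 1 if the child died with SIGABRT, 0 if it exited, -1 on error. */
static int aborts_on(int set_type)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { write_tag_asserting(set_type); _exit(0); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGABRT;
}

int main(void)
{
    printf("abort=%d checked=%d\n", aborts_on(99), write_tag_checked(99, 36));
    return 0;
}
```

Building with `-DNDEBUG` would only hide the abort: the asserting version would then fall through and return as if nothing were wrong, so the explicit error path is the part that matters.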
------- Comment #1 From 2018-05-10 03:14:24 -------
This issue was assigned CVE-2018-10963