2017.05.31 07:23 "[Tiff] Remaining TIFF security issues", by Havard Eidnes

2017.05.31 08:49 "Re: [Tiff] Remaining TIFF security issues", by Even Rouault

On Wednesday 31 May 2017 09:23:30 CEST Havard Eidnes wrote:

First, let me express great gratitude for the release of tiff 4.0.8; it allowed me to remove quite a few patches from our package, and solves many security issues and bugs.

We try to keep tabs on unsolved reported security issues in packages, and there appears to be a pair which remain unsolved even after the update to 4.0.8, so I thought I would nudge you guys to take a closer look:

 * https://nvd.nist.gov/vuln/detail/CVE-2015-7554

   The segmentation fault reported with the test image is still reproducible, something I've verified. Not sure if there is a bugid open for this one.

--> http://bugzilla.maptools.org/show_bug.cgi?id=2564

 * https://nvd.nist.gov/vuln/detail/CVE-2016-10095

   The test case on GitHub still produces a SEGV, so this one appears to still be unfixed. Also bugid 2625.

There are a half dozen bug reports that are mostly around the same core issue, but triggered by various TIFF utilities.

I created http://bugzilla.maptools.org/show_bug.cgi?id=2580 some time ago as a main entry for these TIFFGetField()-related issues.

I think this would deserve some brainstorming with other libtiff maintainers to see what the best path to solve this issue is. It's not clear at all to me.

Something along the lines of the proposed http://bugzilla.maptools.org/attachment.cgi?id=751 in http://bugzilla.maptools.org/show_bug.cgi?id=258, extended to take into account missing tags for LZMA, and also used when reading the TIFF directory on the read side (to reject setting TIFF tags corresponding to specific codecs when the codec is not enabled, so that TIFFGetField() returns a missing tag), could be a workaround.

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com
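As an added example (not code from this thread or from libtiff), a small C model of the filter Even sketches above: codec-specific tags are rejected when the directory is read and their codec is not enabled, so the getter reports the field as missing instead of exposing a value the caller then dereferences. The codec names, tag numbers and function names are placeholders, not real TIFF identifiers.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the approach sketched in the reply above: a codec-specific
 * tag is only accepted into the directory when its codec is enabled; otherwise the
 * field stays missing. Not libtiff code; all names and tag numbers are invented. */
enum codec { CODEC_NONE = 0, CODEC_LZW, CODEC_LZMA, CODEC_COUNT };
struct tag_def { uint32_t tag; enum codec owner; };
static const struct tag_def TAG_DEFS[] = {   /* placeholder tag ids */
    { 1001, CODEC_NONE },   /* generic tag, always allowed */
    { 1002, CODEC_LZW  },   /* belongs to the LZW codec */
    { 1003, CODEC_LZMA },   /* belongs to the LZMA codec */
};
#define NTAGS (sizeof TAG_DEFS / sizeof TAG_DEFS[0])
struct directory {
    int enabled[CODEC_COUNT];   /* codecs compiled into this build */
    int present[NTAGS];         /* fields that were actually set */
    uint32_t value[NTAGS];
};
static int tag_slot(uint32_t tag) {
    for (size_t i = 0; i < NTAGS; i++)
        if (TAG_DEFS[i].tag == tag) return (int)i;
    return -1;
}
/* Read-side filter: refuse to store a tag whose codec is disabled. 1 = stored. */
int dir_set_field(struct directory *d, uint32_t tag, uint32_t v) {
    int s = tag_slot(tag);
    if (s < 0) return 0;
    if (TAG_DEFS[s].owner != CODEC_NONE && !d->enabled[TAG_DEFS[s].owner]) return 0;
    d->present[s] = 1; d->value[s] = v;
    return 1;
}
/* Writes *out only for a present field; check the return, as with TIFFGetField(). */
int dir_get_field(const struct directory *d, uint32_t tag, uint32_t *out) {
    int s = tag_slot(tag);
    if (s < 0 || !d->present[s]) return 0;
    *out = d->value[s];
    return 1;
}
/* Scenario: a file carrying an LZMA tag, read by a build without LZMA.
 * Returns the generic tag's value (42), or 0 if the LZMA tag leaked through. */
uint32_t demo_lzma_disabled(void) {
    struct directory d; uint32_t v = 0;
    memset(&d, 0, sizeof d);
    d.enabled[CODEC_LZW] = 1;                   /* LZMA deliberately left off */
    dir_set_field(&d, 1001, 42);                /* generic tag: stored */
    dir_set_field(&d, 1003, 7);                 /* LZMA tag: rejected */
    if (dir_get_field(&d, 1003, &v)) return 0;  /* must report missing */
    return dir_get_field(&d, 1001, &v) ? v : 0;
}
```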