
Issue 726299


Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security

Blocking:
issue 62400




CrOS: Vulnerability reported in media-libs/tiff

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, May 25 2017

Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: media-libs/tiff
Package Version: [cpe:/a:libtiff:libtiff:4.0.6 cpe:/a:libtiff:libtiff:4.0.7 cpe:/a:libtiff_project:libtiff:4.0.6 cpe:/a:libtiff_project:libtiff:4.0.7]

Advisory: CVE-2017-9117
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9117
  CVSS severity score: 7.5/10.0
  Confidence: high
  Description:

In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.
Advisory: CVE-2017-9147
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9147
  CVSS severity score: 4.3/10.0
  Confidence: high
  Description:

LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service (crash) via a crafted TIFF file.
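
The first advisory above describes the root cause of CVE-2017-9117: bmp2tiff took biWidth and biHeight from the bitmap-information header at face value and read pixel data accordingly, so a header that promised more pixels than the file contained produced a heap over-read. The following C program is an added illustration of the missing check and is not libtiff code or part of the original report. It parses the two fixed BMP headers, computes the pixel-data size the header implies (rows padded to 4 bytes, in 64-bit arithmetic with an explicit overflow guard), and refuses to proceed when the input is shorter than that. The sample BMP buffers are constructed in memory, and the function names (`bmp_validate`, `bmp_build`, `bmp_row_bytes`, `check_constructed`) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of checking the header against the bytes actually present. */
typedef enum {
    BMP_OK = 0,
    BMP_TOO_SHORT,     /* input is smaller than file header + info header */
    BMP_BAD_MAGIC,     /* missing "BM" signature */
    BMP_UNSUPPORTED,   /* compression or bit depth this example does not handle */
    BMP_BAD_DIMS,      /* width <= 0, height == 0, or height == INT32_MIN */
    BMP_TRUNCATED      /* biWidth x biHeight promise more pixel data than the input holds */
} bmp_status;

#define BMP_FILE_HEADER_SIZE 14u
#define BMP_INFO_HEADER_SIZE 40u
#define BMP_MIN_SIZE (BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE)

/* BMP fields are little-endian; read and write them byte-wise so the code is endian-neutral. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bytes per row for an uncompressed BMP: rows are padded to a 4-byte boundary. */
uint64_t bmp_row_bytes(uint32_t width, uint16_t bpp) {
    return (((uint64_t)width * bpp + 31) / 32) * 4;
}

/* Check that the pixel data implied by biWidth/biHeight/biBitCount is really present
 * in the len bytes of input. On BMP_OK, *pixel_bytes is how much may be read at bfOffBits. */
bmp_status bmp_validate(const uint8_t *buf, size_t len, uint64_t *pixel_bytes)
{
    if (len < BMP_MIN_SIZE) return BMP_TOO_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;

    uint32_t bfOffBits     = rd32(buf + 10);
    int32_t  biWidth       = (int32_t)rd32(buf + 18);
    int32_t  biHeight      = (int32_t)rd32(buf + 22);
    uint16_t biBitCount    = rd16(buf + 28);
    uint32_t biCompression = rd32(buf + 30);

    if (biCompression != 0) return BMP_UNSUPPORTED;            /* BI_RGB only */
    if (biBitCount != 1 && biBitCount != 4 && biBitCount != 8 &&
        biBitCount != 24 && biBitCount != 32) return BMP_UNSUPPORTED;
    /* A negative height means top-down rows; INT32_MIN cannot be negated. */
    if (biWidth <= 0 || biHeight == 0 || biHeight == INT32_MIN) return BMP_BAD_DIMS;

    uint64_t rows      = (biHeight < 0) ? (uint64_t)(-(int64_t)biHeight) : (uint64_t)biHeight;
    uint64_t row_bytes = bmp_row_bytes((uint32_t)biWidth, biBitCount);
    /* Guard the multiplication so hostile dimensions cannot wrap to a small "needed" value. */
    if (rows > UINT64_MAX / row_bytes) return BMP_TRUNCATED;
    uint64_t needed = row_bytes * rows;

    if (bfOffBits < BMP_MIN_SIZE || bfOffBits > len) return BMP_TRUNCATED;
    if (needed > (uint64_t)(len - bfOffBits)) return BMP_TRUNCATED;

    if (pixel_bytes) *pixel_bytes = needed;
    return BMP_OK;
}

/* Build a constructed, minimal uncompressed BMP in memory: headers claiming w x h at bpp
 * bits, followed by pixel_present bytes of pixel data, which may be fewer than the header
 * implies in order to model a truncated or lying file. Returns bytes written, or 0 if cap is too small. */
size_t bmp_build(uint8_t *out, size_t cap, int32_t w, int32_t h, uint16_t bpp, size_t pixel_present)
{
    size_t total = BMP_MIN_SIZE + pixel_present;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)total);            /* bfSize */
    wr32(out + 10, BMP_MIN_SIZE);              /* bfOffBits */
    wr32(out + 14, BMP_INFO_HEADER_SIZE);      /* biSize */
    wr32(out + 18, (uint32_t)w);               /* biWidth */
    wr32(out + 22, (uint32_t)h);               /* biHeight */
    wr16(out + 26, 1);                         /* biPlanes */
    wr16(out + 28, bpp);                       /* biBitCount */
    wr32(out + 30, 0);                         /* biCompression = BI_RGB */
    return total;
}

/* Build a constructed file with the given header claims and validate it. */
bmp_status check_constructed(int32_t w, int32_t h, uint16_t bpp, size_t pixel_present)
{
    uint8_t buf[256];
    size_t n = bmp_build(buf, sizeof buf, w, h, bpp, pixel_present);
    if (n == 0) return BMP_TOO_SHORT;
    return bmp_validate(buf, n, NULL);
}

int main(void)
{
    /* 2x2 at 24 bpp needs 8-byte rows, 16 pixel bytes: honest file is accepted. */
    printf("honest 2x2:    %d\n", check_constructed(2, 2, 24, 16));
    /* Same header with only 8 pixel bytes present: rejected instead of over-read. */
    printf("truncated 2x2: %d\n", check_constructed(2, 2, 24, 8));
    /* Header claims a 2^30 x 2^30 image over 16 bytes of input: rejected without wraparound. */
    printf("giant header:  %d\n", check_constructed(1 << 30, 1 << 30, 32, 16));
    return 0;
}
```

The decisive comparison is `needed > len - bfOffBits`: a decoder that reads `needed` bytes from the input without it will walk off the end of the buffer exactly as the advisory describes, so the check belongs before any loop indexed by biWidth or biHeight.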


 

Comment 1 by kenrb@chromium.org, May 25 2017

Cc: tsepez@chromium.org dsinclair@chromium.org
Components: Internals>Plugins>PDF
Labels: M-60 Security_Severity-Medium Security_Impact-Stable
Owner: npm@chromium.org
Status: Assigned (was: Untriaged)
It looks like there aren't fixes available for these yet. npm@, are you okay to own this?

Comment 2 by npm@chromium.org, May 25 2017

Cc: npm@chromium.org
Components: OS>Packages
Owner: vapier@chromium.org
PDFium's libtiff usage is restricted to XFA, which is currently disabled. But ChromeOS does. vapier@ could you take a look at this?

Comment 3 by npm@chromium.org, May 25 2017

Blocking: 62400

Comment 4 by bugdroid1@chromium.org, May 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/51fa0efa4c00cfb740760c9bf5c3fe0514548eaf

commit 51fa0efa4c00cfb740760c9bf5c3fe0514548eaf
Author: Mike Frysinger <vapier@chromium.org>
Date: Fri May 26 09:46:05 2017

tiff: upgrade to 4.0.8

BUG= chromium:726299 
TEST=precq passes

Change-Id: I4b7717630f48cb9496bbc01ba8545983cee7dba8
Reviewed-on: https://chromium-review.googlesource.com/515982
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>

[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2659.patch
[modify] https://crrev.com/51fa0efa4c00cfb740760c9bf5c3fe0514548eaf/media-libs/tiff/Manifest
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2130.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2659-2.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2665.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2608.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2620.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2658.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-hylafax-hack.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2635.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2535.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2638.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2607.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2651.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-fax2tiff.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2605.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2648.patch
[rename] https://crrev.com/51fa0efa4c00cfb740760c9bf5c3fe0514548eaf/media-libs/tiff/tiff-4.0.8.ebuild
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2610.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2642-bug2643-bug2646-bug2647.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2631.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2633-bug2634.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2604.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2621.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-CVE-2017-5225.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2619.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2597.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10267.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2639.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2640.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2599.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2653.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2627.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2594.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2644.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2650.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2650-2.patch
[delete] https://crrev.com/a7df8bba259e918940cb11e1aa1fadcec32a3181/media-libs/tiff/files/tiff-4.0.7-bug2598.patch

Comment 5 by vapier@chromium.org, May 26 2017

Labels: -OS-Chrome Merge-Request-59
This is fixed for M60+. A backport to M59 would be easy, but if the impact is "only" crashing a process via reading image data beyond buffer limits, I don't think it's that worrisome impact-wise.

Let's see what the TPMs think.

Comment 6 by sheriffbot@chromium.org, May 26 2017

Labels: -Merge-Request-59 Merge-Review-59 Hotlist-Merge-Review
This bug requires manual review: We are only 10 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by sheriffbot@chromium.org, May 26 2017

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Is this affecting all platforms (desktop, android, ios, chromeos)? Please mark which OS this is impacting. 

Comment 9 by kenrb@chromium.org, May 26 2017

Labels: OS-Chrome
According to comment #2 this doesn't affect PDFium, so no impact on desktop. ChromeOS would be the only affected platform.

Comment 10 by sheriffbot@chromium.org, May 27 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: gkihumba@chromium.org
Labels: M-59
#5: Have we verified that this is the only impact? Also, how severe are the crashes i.e. frequency? Guess that would depend on the processes reading the data but is there a ballpark?
Labels: Merge-Rejected-59
If there's no urgent need for this in 59 (which is now stable), please target 60.
Labels: -M-59 -Merge-Review-59

Comment 15 by sheriffbot@chromium.org, Sep 2 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)
Status: Fixed (was: Archived)
