CrOS: Vulnerability reported in media-libs/tiff
Issue description
Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: media-libs/tiff
Package Version: [cpe:/a:libtiff:libtiff:4.0.6 cpe:/a:libtiff:libtiff:4.0.8 cpe:/a:libtiff_project:libtiff:4.0.6 cpe:/a:libtiff_project:libtiff:4.0.8]

Advisory: CVE-2017-9935
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9935
CVSS severity score: 6.8/10.0
Confidence: high
Description: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.

Advisory: CVE-2017-9936
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9936
CVSS severity score: 4.3/10.0
Confidence: high
Description: In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c. A crafted TIFF document can lead to a memory leak resulting in a remote denial of service attack.

Advisory: CVE-2017-9937
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9937
CVSS severity score: 4.3/10.0
Confidence: high
Description: In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.
Jun 30 2017
This is not a kernel bug; libtiff is a library. Assigning to @vapier since he was previously involved in fixing similar problems.
Jul 4 2017
vapier@, please add labels to indicate Security_Impact and Security_Severity. Thanks!
Jul 11 2017
One of these is a buffer overflow so assigning high severity. Not sure which channels this affects, if any, but tentatively assigning stable. Feel free to adjust as required.
Jul 11 2017
Jul 14 2017
vapier: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 26 2017
Jul 28 2017
vapier: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 29 2017
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 6 2017
Sep 19 2017
vapier: Friendly ping. Could you please help triage this and decide what action is necessary? Also +oshima@ in case there is someone better to route this to.
Sep 20 2017
Mike landed the 4.0.8 upgrade, although I'm not sure if he did it on someone else's behalf. Adding a few folks who may have some idea. crbug.com/726299 https://chromium-review.googlesource.com/c/chromiumos/overlays/portage-stable/+/515982
Sep 25 2017
It looks like 2 of those bugs are not yet fixed upstream. I can upgrade the PDFium version of LibTIFF but this is not used on any branch of Chrome, so the only time-sensitive one is on Chrome OS. CCing chirantan@chromium.org, reviewer of the upgrade patch.
Sep 25 2017
For the heap buffer overflow it looks like it happens in the tiff2pdf tool. Is this actually used anywhere? If not, a short-term solution would be to just not install that tool (this can be done via an INSTALL_MASK). For CVE-2017-9936, it looks like this is the upstream fix: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1. I think we can just apply the patch in our tree. I'm not really sure what to do about the last one but at least it's _just_ a denial of service.
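As an added illustration of the INSTALL_MASK mitigation proposed in this comment (example code, not from the bug thread or the ChromiumOS overlay): a POSIX shell script that carries the per-package Portage env fragment masking /usr/bin/tiff2pdf, parses the masked paths back out of it, and checks a package's installed-file list (the vdb CONTENTS format) for any file that should have been masked. The fragment's location, the sample CONTENTS lines with placeholder md5/mtime values, and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the bug thread or the ChromiumOS overlay.
# Shows the INSTALL_MASK mitigation for tiff2pdf and a check that the
# resulting package contents really omit the masked path.
# The env fragment, the sample CONTENTS lines and the function names are
# constructed for this illustration.

# Per-package Portage env fragment (assumed to live at a path such as
# chromeos/config/env/media-libs/tiff; Portage sources it with bash).
tiff_env_fragment() {
    cat <<'EOF'
# tiff2pdf is not used on the image and has an unpatched heap buffer
# overflow (CVE-2017-9935): keep libtiff, drop only the tool.
INSTALL_MASK+=" /usr/bin/tiff2pdf"
EOF
}

# Extract the masked paths from the fragment without sourcing it
# (the bash-only += line is parsed textually so this runs under plain sh).
masked_paths() {
    tiff_env_fragment | sed -n 's/^INSTALL_MASK+=" *\(.*\)"$/\1/p'
}

# is_masked PATH: succeeds when PATH appears in the fragment's INSTALL_MASK.
is_masked() {
    for m in $(masked_paths); do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# contents_violations CONTENTS: CONTENTS is the text of a vdb CONTENTS file
# ("obj <path> <md5> <mtime>", "sym <path> -> <target> <mtime>", "dir <path>").
# Prints every regular file that should have been masked; succeeds only
# when there are none.
contents_violations() {
    rc=0
    while read -r type path rest; do
        [ "$type" = obj ] || continue
        if is_masked "$path"; then
            printf '%s\n' "$path"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Constructed sample data: the package contents before and after the mask
# (md5 and mtime values are placeholders, not real file hashes).
SAMPLE_CONTENTS_BEFORE="obj /usr/bin/tiff2pdf 00000000000000000000000000000000 1506500000
obj /usr/bin/tiffinfo 00000000000000000000000000000000 1506500000
obj /usr/lib64/libtiff.so.5 00000000000000000000000000000000 1506500000
sym /usr/lib64/libtiff.so -> libtiff.so.5 1506500000"

SAMPLE_CONTENTS_AFTER="obj /usr/bin/tiffinfo 00000000000000000000000000000000 1506500000
obj /usr/lib64/libtiff.so.5 00000000000000000000000000000000 1506500000
sym /usr/lib64/libtiff.so -> libtiff.so.5 1506500000"

# Usage: report on both samples.
if contents_violations "$SAMPLE_CONTENTS_BEFORE" >/dev/null; then
    echo "before mask: clean (unexpected)"
else
    echo "before mask: tiff2pdf still installed"
fi
if contents_violations "$SAMPLE_CONTENTS_AFTER" >/dev/null; then
    echo "after mask: clean"
fi
```

The same contents check can be pointed at a real /var/db/pkg/media-libs/tiff-*/CONTENTS on a built board root to confirm that the mask took effect after `emerge`, which is the verification the later commit's TEST line performs by hand.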
Sep 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/c16624d3b9264f2891a9090544810013fc1545e3

commit c16624d3b9264f2891a9090544810013fc1545e3
Author: Chirantan Ekbote <chirantan@chromium.org>
Date: Wed Sep 27 08:47:52 2017

tiff: Don't install tiff2pdf

tiff2pdf has an unpatched heap buffer overflow (CVE-2017-9935). Since we don't actually use this tool anywhere, just remove it from the package.

BUG= chromium:738401
TEST='emerge-samus tiff' and see that /usr/bin/tiff2pdf no longer exists

Change-Id: I1e1e2a6ca67ccee0f4656667feef916d68ef0edb
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/681074
Reviewed-by: Mitsuru Oshima <oshima@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/c16624d3b9264f2891a9090544810013fc1545e3/chromeos/config/env/media-libs/tiff
Oct 13 2017
Oct 13 2017
We mitigated the actual security bug and we don't track denial of service as a security bug. Still it would be good to update lib-tiff.
Oct 13 2017
Err, do we need to merge this into m-61?
Oct 18 2017
Nov 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/2d0bbfe61b0892e38d9383fea5254674308fbd87

commit 2d0bbfe61b0892e38d9383fea5254674308fbd87
Author: Chirantan Ekbote <chirantan@chromium.org>
Date: Wed Nov 08 23:10:14 2017

tiff: Add patch for CVE-2017-9936

Add a patch from upstream to fix CVE-2017-9936. Modified the patch to remove the changes to the Changelog file since they were causing a conflict. The upstream patch is https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1

BUG= chromium:738401
TEST='emerge-$BOARD tiff' completes successfully

Change-Id: I9a2eca642b80a6f64c1e254521a13794ccb59a66
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/683677
Reviewed-by: Nicolás Peña Moreno <npm@chromium.org>

[add] https://crrev.com/2d0bbfe61b0892e38d9383fea5254674308fbd87/media-libs/tiff/files/tiff-4.0.8-CVE-2017-9936.patch
[add] https://crrev.com/2d0bbfe61b0892e38d9383fea5254674308fbd87/media-libs/tiff/tiff-4.0.8-r1.ebuild
[modify] https://crrev.com/2d0bbfe61b0892e38d9383fea5254674308fbd87/media-libs/tiff/tiff-4.0.8.ebuild
Dec 7 2017
Dec 11 2017
Marking fixed since the merging didn't happen and M62 is already on stable.
Dec 13 2017
Dec 15 2017
Dec 15 2017
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 20 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by xzhou@chromium.org, Jun 30 2017
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)