Three LibTIFF bugs found, only two patched

LibTIFF has three bugs that let booby-trapped files pwn a target - and only two of them have been patched. Described by Cisco Talos' Tyler Bohan, the bugs are a heap buffer overflow in compression tables (CVE-2016-5652), a parsing error (CVE-2016-8331), and a heap buffer overflow (CVE-2016-5875). The Talos post says the …

  1. Tom Chiverton 1
    WTF?

    FAX?!?!

    1. Philip Storry

      Still used by international banks to confirm some types of business. Lawyers like faxes.

      You can try to take an email to court, but a lot of jurisdictions don't have any guarantee it's binding. Whereas the 60s/70s/80s were full of court cases around the world that settled, definitively, that a fax or photocopy of a contract was still a contract - you don't get to ignore it because it's a copy.

      (Yes, people really tried that scam.)

      Also, email can be traced, but fax usually means that there's a phone call and that gives you another level of evidence should you need it in court. Although personally I never really bought that argument, and fax systems seem to be going to the cloud and fax over IP (FoIP) these days.

      The last few fax systems will probably be all electronic, never putting out paper unless the recipient wants it. The input (probably an account summary or trade confirmation) is generated by an application and picked up from a file share or some kind of message queue, converted into a set of images, and then sent via either fax over IP or a real phone line, to a system which does pretty much the same in reverse and delivers the images (and maybe OCR'd text) to an application.

      But the legal aspects will keep people on that system for a decade or so, until someone realises that the expense of the infrastructure outweighs the potential cost savings in court...

      (And it can be expensive. I know of a couple of banks whose license estate for faxing infrastructure is in the seven figure range on software alone, let alone the licenses for the platform below that software. At standard software maintenance rates, that's a pretty nice amount of coin for software which is mostly in maintenance mode these days...)

    2. Anonymous Coward

      Yep... TIFF is just a container format that supports dozens of compression methods, including the ones used for FAX. Still (probably) the highest compression for monochrome images in a widely supported format. I've used it heavily for B&W maps and engineering drawings when size/bandwidth was more important than image quality.

      Or to look at it another way, dozens of obscure serialization algorithms full of potential vulns. LibTIFF is a lot like ImageMagick in that regard.

      1. Joe Drunk

        Yes, FAX is still widely used by Legal, Banks and Medical for sending copies of documents. Walk around any office and you will always find at least one FAX machine.

        I surmise that this is still the case because punters haven't a clue how to scan/email copies of documents, but with good ol' FAX you just load in your docs, punch in the destination number, hit send and walk away.

        1. John Gamble

          In fact I would have sent a FAX out a couple of months ago (first time since 2007) if the connection hadn't failed. After calling the person who was getting the document, I finally went with an encrypted PDF sent by e-mail, with the recipient calling me for the password when she was ready to read it.

          I didn't ask if they printed these things out, or just read them electronically.

  2. Richard Lloyd

    It's about time there was a new official release...

    "Released in September" forgot "2015" on the end - it's been over a year now since the latest release came out, during which there's been dozens of commits (including the two security fixes). It is bizarre that there hasn't been an official release for so long, especially considering it's still being actively developed (last commit was less than 2 weeks ago).

    1. Anonymous Coward

      YIKES

      Indeed. I'm digging a little deeper... good info & links in the article, but it doesn't quite convey the existential horror of the situation.

      http://libtiff.org/ - LAST UPDATED IN 2007

      http://www.remotesensing.org/libtiff/ - looks like libtiff got kicked off

      http://www.simplesystems.org/libtiff/ and http://libtiff.maptools.org/ - CURRENT, but the latest release is 4.0.6 (dated 2015-09-12), with info needed to access the CVS source code repository (https://github.com/vadz/libtiff as mentioned in the article) which contains many unreleased patches.

      So, all the information needed to exploit these vulns is available, but no updates. Debian's libtiff5 package hasn't been patched since January.

      And it's a dependency of.... EVERYTHING. ImageMagick, GD, PHP, Python's PIL, GIMP, Tracker, WINE, Links2 browser, SDL 1 and 2, SANE... and much much more. One does not simply uninstall LibTIFF....

      1. Anonymous Coward

        Re: YIKES

        Oh. Out of these 3 bugs, it's the unpatched one that's enabled by the default build options, and readily remotely exploitable. Nice touch.

        </sarcasm> GOOD NEWS: looks like it was fixed Tuesday (in CVS) and those fixes showed up at https://github.com/vadz/libtiff today. FWIW, probably needs more work.
