GNOME / evince, issue #1129 (Closed)

Issue created Apr 13, 2019 by Michael Catanzaro (@mcatanzaro, Developer)

(CVE-2019-11459) Uninitialized memory read in tiff_document_render()

Initial report:

Hi,

Hereby, I am reporting a small vulnerability that I have discovered in evince.

The vulnerability is that uninitialized heap memory is blitted to the display on an invalid tiff image.

This is due to missing error checking at [1].

A worst case scenario is that an attacker may use this to guess addresses on heap or see images that have previously been loaded to heap.

Attached is a script that produces a tiff file which has enough fields to get to this codepath.

To observe the effect of uninitialized memory, open the image in evince and press CTRL+R to reload the image.

For discovery credits, please use "Andy Nguyen of ETH Zurich".

Kindly let me know how I can help you.

Best regards, Andy Nguyen

[1] https://gitlab.gnome.org/GNOME/evince/blob/master/backend/tiff/tiff-document.c#L303

Follow-up:

Hi Michael and German,

We must abort and return an error if TIFFReadRGBAImageOriented returns 0 (see [1]). There's another call to TIFFReadRGBAImageOriented at [2] which must be fixed too.

Furthermore, I have just noticed that certain PostScript files show the same behaviour. Open [3] with evince and zoom in/out to see how different images show up. I have not yet analyzed this one, and don't know if it's also due to missing error checking, or if it's an error within libspectre.

Best regards, Andy Nguyen

[1] https://gitlab.com/libtiff/libtiff/blob/master/tools/tiff2pdf.c#L2663
[2] https://gitlab.gnome.org/GNOME/evince/blob/master/backend/tiff/tiff-document.c#L390
[3] https://www.tug.org/svn/texlive/trunk/Build/source/texk/dvipsk/special.lpro?revision=36880&view=markup
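The fix the follow-up asks for, shown as an added C example rather than evince's or libtiff's own code: the raster is freed and an error returned whenever the decoder reports failure, so undecoded heap memory is never blitted. The `rgba_decoder_fn` pointer, the two stand-in decoders and `render_tiff_checked` are constructed for this illustration; only the argument shape and the 1/0 return convention are taken from `TIFFReadRGBAImageOriented`.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example, not evince's or libtiff's code. The decoder type mirrors the
 * argument shape of libtiff's TIFFReadRGBAImageOriented(), which returns 1 on
 * success and 0 on failure; the stand-ins below let it run without libtiff. */
typedef int (*rgba_decoder_fn)(void *tiff, uint32_t w, uint32_t h,
                               uint32_t *raster, int orientation, int stop_on_error);

/* Decodes a w x h RGBA raster. Returns a heap buffer the caller frees, or NULL
 * with *err set. The failure branch is the check the report says is missing:
 * without it the untouched malloc()ed buffer is returned and blitted. */
uint32_t *render_tiff_checked(void *tiff, uint32_t w, uint32_t h,
                              rgba_decoder_fn decode, int *err)
{
    *err = 0;
    if (w == 0 || h == 0 || w > SIZE_MAX / sizeof(uint32_t) / h) {
        *err = 1;                    /* reject empty or overflowing sizes */
        return NULL;
    }
    uint32_t *raster = malloc((size_t)w * h * sizeof *raster);
    if (raster == NULL) {
        *err = 1;
        return NULL;
    }
    if (!decode(tiff, w, h, raster, 1 /* ORIENTATION_TOPLEFT */, 0)) {
        free(raster);                /* never hand out undecoded memory */
        *err = 1;
        return NULL;
    }
    return raster;
}

/* Constructed stand-in: fills every pixel (opaque green) and reports success. */
static int decoder_ok(void *t, uint32_t w, uint32_t h, uint32_t *r, int o, int s)
{
    (void)t; (void)o; (void)s;
    for (uint32_t i = 0; i < w * h; i++)
        r[i] = 0xFF00FF00u;
    return 1;
}

/* Constructed stand-in: fails before writing anything, as libtiff does on a
 * malformed image; the raster must then be discarded, not displayed. */
static int decoder_fails(void *t, uint32_t w, uint32_t h, uint32_t *r, int o, int s)
{
    (void)t; (void)w; (void)h; (void)r; (void)o; (void)s;
    return 0;
}
```

Allocating the raster with calloc() instead of malloc() is a cheap second line of defence: a missed check then shows a blank image rather than stale heap contents.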

Edited Apr 23, 2019 by Michael Catanzaro