Headline
CVE-2019-11459: Uninitialized memory read in tiff_document_render() (#1129) · Issues · GNOME / evince · GitLab
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.
Initial report:
Hi,
Hereby, I am reporting a small vulnerability that I have discovered in evince.
The vulnerability is that uninitialized heap memory is blitted to the display on an invalid tiff image.
This is due to missing error checking at [1].
A worst case scenario is that an attacker may use this to guess addresses on heap or see images that have previously been loaded to heap.
Attached is a script that produces a tiff file which has enough fields to get to this codepath.
To observe the effect of uninitialized memory, open the image in evince and press CTRL+R to reload the image.
For discovery credits, please use "Andy Nguyen of ETH Zurich".
Kindly let me know how I can help you.
Best regards, Andy Nguyen
[1] https://gitlab.gnome.org/GNOME/evince/blob/master/backend/tiff/tiff-document.c#L303
Follow-up:
Hi Michael and German,
We must abort and return an error if TIFFReadRGBAImageOriented returns 0 (see [1]). There's another call to TIFFReadRGBAImageOriented at [2], which must be fixed too.
Furthermore, I have just noticed that certain PostScript files show the same behaviour. Open [3] with evince and zoom in/out to see how different images show up. I have not yet analyzed this one, and don’t know if it’s also due to missing error checking, or if it’s an error within libspectre.
Best regards, Andy Nguyen
[1] https://gitlab.com/libtiff/libtiff/blob/master/tools/tiff2pdf.c#L2663
[2] https://gitlab.gnome.org/GNOME/evince/blob/master/backend/tiff/tiff-document.c#L390
[3] https://www.tug.org/svn/texlive/trunk/Build/source/texk/dvipsk/special.lpro?revision=36880&view=markup
Edited Apr 23, 2019 by
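The missing return-value check described in both messages above, shown as an added example that is not Evince's or libtiff's code: the unchecked pattern beside a hardened version. The reader is modeled as a callback with the same return contract as TIFFReadRGBAImageOriented() (1 on success, 0 on failure), an assumption made so the example builds and runs without libtiff.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for libtiff's TIFFReadRGBAImageOriented() contract: returns 1 on
 * success, 0 on failure. Using a callback (an assumption for this example)
 * instead of a TIFF* lets the code build without libtiff. */
typedef int (*rgba_reader_fn)(void *tif, uint32_t w, uint32_t h, uint32_t *raster);

/* Vulnerable pattern: malloc'd buffer (contents undefined) and the reader's
 * return value ignored, so a malformed file hands stale heap bytes to the caller. */
uint32_t *render_unchecked(void *tif, uint32_t w, uint32_t h, rgba_reader_fn reader)
{
    uint32_t *pixels = malloc((size_t)w * h * sizeof *pixels);
    if (!pixels)
        return NULL;
    reader(tif, w, h, pixels);        /* return value dropped */
    return pixels;
}

/* Hardened pattern: check the return value, free and report failure rather than
 * returning undefined memory. calloc() is defence in depth so a partially written
 * raster never exposes old heap contents; it does not replace the check. */
uint32_t *render_checked(void *tif, uint32_t w, uint32_t h, rgba_reader_fn reader)
{
    if (w == 0 || h == 0 || h > SIZE_MAX / sizeof(uint32_t) / w)
        return NULL;                  /* reject zero or overflowing dimensions */
    uint32_t *pixels = calloc((size_t)w * h, sizeof *pixels);
    if (!pixels)
        return NULL;
    if (!reader(tif, w, h, pixels)) { /* libtiff signals failure with 0 */
        free(pixels);
        return NULL;
    }
    return pixels;
}

/* Constructed readers for testing: one fails like a truncated TIFF, one
 * succeeds and paints every pixel opaque red (libtiff ABGR packing). */
int failing_reader(void *tif, uint32_t w, uint32_t h, uint32_t *raster)
{ (void)tif; (void)w; (void)h; (void)raster; return 0; }

int red_reader(void *tif, uint32_t w, uint32_t h, uint32_t *raster)
{
    (void)tif;
    for (size_t i = 0; i < (size_t)w * h; i++)
        raster[i] = 0xFF0000FFu;      /* A=0xFF, B=0x00, G=0x00, R=0xFF */
    return 1;
}
```

With the failing reader, render_unchecked() still returns a buffer whose contents the caller would blit, while render_checked() returns NULL so the caller can report the error instead.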