Bugzilla – Bug 960589
VUL-0: CVE-2015-8668: tiff: Heap-based buffer overflow in bmp2tiff / PackBitsEncode (default packing)
Last modified: 2024-05-07 14:37:16 UTC
rh#1294425

A heap-buffer overflow was found in bmp2tiff. An attacker could provide a specially crafted BMP file which, when converted to TIFF format using the bmp2tiff tool, could cause the bmp2tiff executable to crash or potentially allow arbitrary code execution with the privileges of the user running the bmp2tiff binary.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1294425
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8668
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8668.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8668
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Jan. 6, 2016". When done, reassign the bug to "security-team@suse.de". /update/121220/.
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Jan. 11, 2016". When done, reassign the bug to "security-team@suse.de". /update/62403/.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-01-11. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62403
bugbot adjusting priority
http://seclists.org/bugtraq/2015/Dec/138

From: riusksk () qq com
Date: Mon, 28 Dec 2015 02:40:36 GMT

Details
=======
Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Heap Overflow
Security Risk: High
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2015-8668
Credit: riusksk of Tencent Security Platform Department

Introduction
============
In libtiff v4.0.6, the bmp2tiff function PackBitsPreEncode() (./libtiff/tif_packbits.c) handles a malicious bmp file (Width = 65663) in a way that causes memory corruption. An attacker could exploit this issue to execute arbitrary code in the context of the application using the library. Failed exploit attempts may result in denial-of-service conditions.

╭─riusksk@MacBook ~/Downloads
╰─➤$ ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif    255 ↵
=================================================================
==54340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100001087f at pc 0x00010cdc0532 bp 0x7fff52f459b0 sp 0x7fff52f459a8
READ of size 1 at 0x63100001087f thread T0
    #0 0x10cdc0531 in PackBitsEncode (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100108531)
    #1 0x10cdfaa18 in TIFFWriteScanline (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100142a18)
    #2 0x10ccbde7b in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100005e7b)
    #3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #4 0x2 (<unknown module>)

0x63100001087f is located 0 bytes to the right of 65663-byte region [0x631000000800,0x63100001087f)
allocated by thread T0 here:
    #0 0x10cefdf60 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42f60)
    #1 0x10ce073bf in _TIFFmalloc (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x10014f3bf)
    #2 0x10ccbc9d5 in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x1000049d5)
    #3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #4 0x2 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 PackBitsEncode
[shadow byte map and legend omitted]
==54340==ABORTING
[1]    54340 abort      ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif
Created attachment 696770 [details]
crash1.tif (found by own afl run)

QA REPRODUCER: bmp2tiff crash1.tif output.tif
Created attachment 703712 [details]
libtiff-poc.bmp

For me on Leap 42.1 the reproducer from comment 7 did not work. I've contacted the reporter of this issue <riusksk () qq com> and attached the original reproducer to this bug report that is working for me.

$ bmp2tiff libtiff-poc.bmp out.tif
Segmentation fault
please submit to SUSE:SLE-11:Update
Created attachment 764764 [details] Patch from upstream tracker
Comment on attachment 764764 [details]
Patch from upstream tracker

Caution: it seems that the int overflow in the bits == 8 case has been lost by this patch
The patch has been dropped upstream and the patch is probably incomplete: http://bugzilla.maptools.org/show_bug.cgi?id=2563 > I'd note the proposed patch is incorrect in the bits == 8 case where the > following check has now been removed > > {{{ > - uncompr_size = width * length; > - /* Detect int overflow */ > - if( uncompr_size / width != length ) > - { > - TIFFError(infilename, > - "Invalid dimensions of BMP file" ); > - close(fd); > - return -1; > - } > }}}
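Review bot: removing the `if( uncompr_size / width != length )` guard from the bits == 8 branch leaves `uncompr_size = width * length` unchecked there, so a header whose product wraps passes through with a too-small size; keep the guard in that branch (or compare a 64-bit product against the 32-bit limit), and since the guard divides by width, make sure a non-zero width has been established before it runs so the check itself cannot fault on a zero-width header.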
Based the patch on the one that is attached to this bugzilla (coming from RH), but adjusted the else case. It should now be a complete patch.

Before patch:
  # bmp2tiff crash1.tif output.tif
  Segmentation fault
  # bmp2tiff crash2.bmp output.tif
  Segmentation fault

After patch:
  # bmp2tiff crash1.tif output.tif
  #
  # bmp2tiff crash2.bmp output.tif
  #

SR#169235 to SUSE_SLE-11_Update
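As an added example (not libtiff, Red Hat or SUSE code), the width * length overflow guard quoted from the upstream tracker above, written as a stand-alone function next to a 64-bit variant of the same decision; the function names and the header values in main() are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Division-based guard, as in the check the dropped upstream patch removed
 * from the bits == 8 path. width and length are the uint32 BMP header fields.
 * Returns 1 and stores width*length in *out when the product fits in 32 bits;
 * returns 0 when it would wrap, or when either dimension is 0 (which also
 * keeps the division below from faulting on width == 0).
 */
int bmp_uncompr_size_div_check(uint32_t width, uint32_t length, uint32_t *out)
{
    if (width == 0 || length == 0)
        return 0;
    uint32_t uncompr_size = width * length;   /* unsigned: wraps modulo 2^32 */
    /* Detect int overflow: the quotient equals length only if no wrap occurred */
    if (uncompr_size / width != length)
        return 0;
    *out = uncompr_size;
    return 1;
}

/* Same decision made with a 64-bit product; easier to audit than the division. */
int bmp_uncompr_size_wide_check(uint32_t width, uint32_t length, uint32_t *out)
{
    if (width == 0 || length == 0)
        return 0;
    uint64_t product = (uint64_t)width * length;
    if (product > UINT32_MAX)
        return 0;
    *out = (uint32_t)product;
    return 1;
}

int main(void)
{
    /* Constructed header values: the reporter's Width = 65663 with a sane and
       an absurd height, the 65536 x 65536 case that wraps to exactly 0, and a
       zero width that would make the unguarded division fault. */
    const uint32_t cases[][2] = { {65663, 1}, {65663, 65536}, {65536, 65536}, {0, 10} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t size = 0;
        int ok = bmp_uncompr_size_div_check(cases[i][0], cases[i][1], &size);
        printf("%u x %u -> %s (%u)\n", cases[i][0], cases[i][1],
               ok ? "accepted" : "rejected", size);
    }
    return 0;
}
```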
SUSE-SU-2018:2676-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074186,1092480,960589,983440
CVE References: CVE-2015-8668,CVE-2016-5319,CVE-2017-17942,CVE-2018-10779
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.16.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.16.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.16.1
done I think.
SLE12 SR#323967. In SLE15 we don't have bmp2tiff-comeback.patch applied.
https://build.suse.de/request/show/323967 accepted
SUSE-SU-2024:0915-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1213590, 1214686, 1214687, 1221187, 960589
CVE References: CVE-2015-8668, CVE-2023-38288, CVE-2023-40745, CVE-2023-41175
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): tiff-4.0.9-44.80.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): tiff-4.0.9-44.80.1
SUSE Linux Enterprise Server 12 SP5 (src): tiff-4.0.9-44.80.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): tiff-4.0.9-44.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.