Bugzilla – Bug 974446
VUL-1: CVE-2016-3619: tiff: Out-of-bounds Read in the bmp2tiff tool (none packing)
Last modified: 2019-01-14 08:10:25 UTC
Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Out-of-bounds Read Vendor URL: http://www.libtiff.org/ CVE ID: CVE-2016-3619 Credit: Mei Wang of the Cloud Security Team, Qihoo 360 Introduction ============ When bmp2tiff function DumpModeEncode handle malicious bmp file with param -c none will cause Out-of-bounds Read. An attacker could exploit this issue to cause a denial of service. libtiff-master/libtiff/tif_dumpmode.c:62 59 * data buffer to avoid extra copy. 60 */ 61 if (tif->tif_rawcp != pp) 62 _TIFFmemcpy(tif->tif_rawcp, pp, n); 63 tif->tif_rawcp += n; 64 tif->tif_rawcc += n; 65 pp += n; 66 cc -= n; 67 if (tif->tif_rawcc >= tif->tif_rawdatasize && 68 !TIFFFlushData1(tif)) 69 return (0); ./bmp2tiff -c none ./sample/bmp2tiff_none.bmp 1.tif ================================================================= ==16644== ERROR: AddressSanitizer: unknown-crash on address 0x7f6f7dbde800 at pc 0x7f6f7ab77b3f bp 0x7ffc82264d60 sp 0x7ffc82264508 READ of size 3342336 at 0x7f6f7dbde800 thread T0 #0 0x7f6f7ab77b3e (/lib64/libasan.so.0+0xeb3e) #1 0x45b96c in _TIFFmemcpy /home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:340 #2 0x4614c1 in DumpModeEncode /home/dazhuang/asan/libtiff-master/libtiff/tif_dumpmode.c:62 #3 0x45665e in TIFFWriteScanline /home/dazhuang/asan/libtiff-master/libtiff/tif_write.c:173 #4 0x40450f in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:775 #5 0x7f6f7a2aeaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4) #6 0x4019a8 in _start (/home/dazhuang/asan/libtiff-master/tools/bmp2tiff+0x4019a8) 0x7f6f7dcee800 is located 0 bytes to the right of 1114112-byte region [0x7f6f7dbde800,0x7f6f7dcee800) allocated by thread T0 here: #0 0x7f6f7ab7f129 (/lib64/libasan.so.0+0x16129) #1 0x45b761 in _TIFFmalloc /home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:316 #2 0x4037c3 in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:678 #3 0x7f6f7a2aeaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4) SUMMARY: AddressSanitizer: unknown-crash ??:0 ?? Shadow bytes around the buggy address: 0x0fee6fb73cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fee6fb73cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fee6fb73cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fee6fb73ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0fee6fb73cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0fee6fb73d00:[00]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fee6fb73d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fee6fb73d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fee6fb73d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fee6fb73d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fee6fb73d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==16644== ABORTING References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3619 http://seclists.org/oss-sec/2016/q2/20
bugbot adjusting priority
http://bugzilla.maptools.org/show_bug.cgi?id=2567#c1 Closing as wontfix since bmp2tiff has been removed from libtiff
Look at the difference between 4.0.6/tools/bmp2tiff.c and 4.0.9/tools/bmp2tiff.c in 12 we maintain for backward compatibility: --- tiff-4.0.6/tools/bmp2tiff.c 2015-08-29 00:17:08.133699639 +0200 +++ tiff-4.0.9/tools/bmp2tiff.c 2018-11-13 13:41:11.063154786 +0100 @@ -1,4 +1,4 @@ -/* $Id: bmp2tiff.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ +/* $Id$ * * Project: libtiff tools * Purpose: Convert Windows BMP files in TIFF. @@ -693,7 +693,11 @@ main(int argc, char* argv[]) } i = 0; j = 0; - if (info_hdr.iBitCount == 8) { /* RLE8 */ + if (info_hdr.iBitCount > 8) { + TIFFError(infilename, "Handle of this type image is not implemented"); + goto bad; + } + else if (info_hdr.iBitCount == 8) { /* RLE8 */ while(j < uncompr_size && i < compr_size) { if ( comprbuf[i] ) { runlength = comprbuf[i++]; @@ -771,6 +775,14 @@ main(int argc, char* argv[]) _TIFFfree(comprbuf); + /* Check whether we are not going to read past the uncompressed data */ + if ( length > j || width > j || length * width > j) { + TIFFError(infilename, + "Premature end of file"); + _TIFFfree(uncomprbuf); + goto bad3; + } + for (row = 0; row < length; row++) { if (TIFFWriteScanline(out, uncomprbuf + (length - row - 1) * width, For 3.8.2, without tiff-bmp2tiff.c-update.patch I get: Breakpoint 3, main (argc=5, argv=0x7fffffffe918) at bmp2tiff.c:687 687 for (row = 0; row < length; row++) { (gdb) p length $5 = 1 (gdb) p j $6 = 476 (gdb) p width $7 = 1114112 (gdb) p length > j || width > j || length * width > j $9 = 1 (gdb) Thus this issue is already fixed by tiff-bmp2tiff.c-update.patch in 11/tiff and 10sp3/tiff and it is not present in 12/tiff.
Will amend rpm changelog for: 11,10sp3/tiff.
I believe all fixed.
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available. Category: security (moderate) Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440 CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.22.1 SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.22.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.22.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-12-25. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64180
released