Bug 974544 (CVE-2016-3631) - VUL-1: CVE-2016-3631: tiff: Illegal read in the cpStrips and cpTiles function
Summary: VUL-1: CVE-2016-3631: tiff: Illegal read in the cpStrips and cpTiles function
Status: RESOLVED WONTFIX
Alias: CVE-2016-3631
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assignee: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/166665/
Whiteboard: CVSSv2:SUSE:CVE-2016-3631:4.3:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-07 15:15 UTC by Johannes Segitz
Modified: 2020-07-25 21:50 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
tiffcp-crash1.tiff (448 bytes, application/octet-stream)
2016-10-07 14:01 UTC, Marcus Meissner
good.tiff (448 bytes, application/octet-stream)
2016-10-07 14:03 UTC, Marcus Meissner
cpStrips_cve_20163631.tif (408 bytes, image/tiff)
2016-11-25 08:22 UTC, Alexander Bergmann

Description Johannes Segitz 2016-04-07 15:15:09 UTC
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Illegal read
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3631
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
An illegal read in the cpStrips and cpTiles functions in thumbnail.c in thumbnail allows attackers to exploit this issue to cause a denial of service.

libtiff/tools/thumbnail.c:314.
313      for (s = 0; s < ns; s++) {
314          if (bytecounts[s] > (uint64) bufsize) {
315              buf = (unsigned char *)_TIFFrealloc(buf, (tmsize_t)bytecounts[s]);
316              if (!buf)
317                  goto bad;
318              bufsize = (tmsize_t)bytecounts[s];
319          }
320          if (TIFFReadRawStrip(in, s, buf, (tmsize_t)bytecounts[s]) < 0 ||
321              TIFFWriteRawStrip(out, s, buf, (tmsize_t)bytecounts[s]) < 0) {
322              _TIFFfree(buf);
323              return 0;
324          }
325      }

gdb  --args  thumbnail  cpStrips.tif  tmpout.tif
……
Program received signal SIGSEGV, Segmentation fault.
0x0804c7bf in cpStrips (out=<optimized out>, in=0x8164530) at thumbnail.c:314
314          if (bytecounts[s] > (uint64) bufsize) {
(gdb) bt
#0  0x0804c7bf in cpStrips (out=<optimized out>, in=0x8164530) at thumbnail.c:314
#1  cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:378
#2  main (argc=3, argv=0xbffff384) at thumbnail.c:124
(gdb) p *bytecounts
Cannot access memory at address 0x42900001

References:
http://seclists.org/oss-sec/2016/q2/24
https://bugzilla.redhat.com/show_bug.cgi?id=1316872
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3631
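Added example, not libtiff's or the reporter's code: a self-contained C model of the quoted cpStrips loop with the checks a hardened version needs, so that a missing byte-count array or an absurd count is rejected before anything is dereferenced or allocated. The report does not show how bytecounts is obtained; this example assumes it comes from a tag lookup that can fail and leave the pointer unset, which a NULL array stands in for. FakeTIFF, cpStripsChecked and the demo_* inputs are constructed here and do not exist in libtiff.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for the libtiff handle with only the fields the loop consults.
 * bytecounts == NULL models a failed STRIPBYTECOUNTS lookup (assumption: see
 * lead-in); filesize is the largest size any single strip can legally have. */
typedef struct { const uint64_t *bytecounts; uint32_t nstrips; uint64_t filesize; } FakeTIFF;
enum { CP_FAIL = 0, CP_OK = 1 };   /* libtiff's 0 = failure, 1 = success convention */

/* Defensive form of the quoted cpStrips loop: validates the count array and every
 * count before anything is dereferenced or allocated; *total receives bytes copied. */
static int cpStripsChecked(const FakeTIFF *in, uint64_t *total)
{
    unsigned char *buf = NULL; size_t bufsize = 0;
    *total = 0;
    if (in->bytecounts == NULL)                 /* tag missing: do not touch the pointer */
        return CP_FAIL;
    for (uint32_t s = 0; s < in->nstrips; s++) {
        uint64_t bc = in->bytecounts[s];
        if (bc > in->filesize) {                /* garbage count: refuse before realloc */
            free(buf);
            return CP_FAIL;
        }
        if (bc > bufsize) {
            unsigned char *nbuf = realloc(buf, (size_t)bc); /* keep old buf if it fails */
            if (nbuf == NULL) { free(buf); return CP_FAIL; }
            buf = nbuf;
            bufsize = (size_t)bc;
        }
        if (bc) memset(buf, 0, (size_t)bc);     /* stands in for ReadRawStrip/WriteRawStrip */
        *total += bc;
    }
    free(buf);
    return CP_OK;
}
/* Constructed inputs: missing tag, an absurd count, and a sane three-strip file. */
static int demo_missing_tag(void) {
    FakeTIFF t = { NULL, 3, 448 }; uint64_t n;
    return cpStripsChecked(&t, &n);
}
static int demo_garbage_count(void) {
    static const uint64_t bc[] = { 100, 0x42900001ULL, 50 };
    FakeTIFF t = { bc, 3, 448 }; uint64_t n;
    return cpStripsChecked(&t, &n);
}
static uint64_t demo_good_total(void) {
    static const uint64_t bc[] = { 100, 200, 50 };
    FakeTIFF t = { bc, 3, 448 }; uint64_t n = 0;
    return cpStripsChecked(&t, &n) == CP_OK ? n : 0;
}
```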
Comment 1 Swamp Workflow Management 2016-04-07 22:01:52 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-10-07 14:01:35 UTC
Created attachment 696429 [details]
tiffcp-crash1.tiff

Found by afl locally, might not match this case.

out of bounds overwrite

QA REPRODUCER:
tiffcp tiffcp-crash1.tiff good.tiff output.tiff
Comment 4 Marcus Meissner 2016-10-07 14:03:07 UTC
Created attachment 696430 [details]
good.tiff

QA REPRODUCER: good.tiff for above line (a working tiff)
Comment 6 Alexander Bergmann 2016-11-25 08:22:03 UTC
Created attachment 703716 [details]
cpStrips_cve_20163631.tif

I've got the original reproducer from the reporter.
Comment 7 Alexander Bergmann 2017-12-13 14:11:19 UTC
The thumbnail binary will not be available in SLE-15 which has tiff-4.0.8.

Closing this minor issue as WONTFIX as upstream simply removed the thumbnail tool from the project.