Bug 974621 (CVE-2016-3632) - VUL-1: CVE-2016-3632: tiff: Illegal write in thumbnail / _TIFFVGetField
Summary: VUL-1: CVE-2016-3632: tiff: Illegal write in thumbnail / _TIFFVGetField
Status: RESOLVED WONTFIX
Alias: CVE-2016-3632
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low    Severity: Minor
Target Milestone: ---
Assignee: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/166823/
Whiteboard: CVSSv2:RedHat:CVE-2016-3632:6.8:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-08 08:27 UTC by Johannes Segitz
Modified: 2018-06-28 14:48 UTC (History)
4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2016-3632.tiff (352 bytes, application/octet-stream)
2016-10-13 15:13 UTC, Marcus Meissner
_TIFFVGetField_cve_20163632.tif (392 bytes, image/tiff)
2016-11-25 08:23 UTC, Alexander Bergmann

Description Johannes Segitz 2016-04-08 08:27:34 UTC
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Illegal write
Vendor URL:  http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3632
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
An illegal write occurs in the _TIFFVGetField function in tif_dirinfo.c when using the thumbnail command, which allows attackers to exploit this issue to cause a denial of service or possibly command execution.

libtiff/tif_dir.c:1073
1068                                          if (fip->field_type == TIFF_ASCII
1069                                              || fip->field_readcount == TIFF_VARIABLE
1070                                              || fip->field_readcount == TIFF_VARIABLE2
1071                                              || fip->field_readcount == TIFF_SPP
1072                                              || tv->count > 1) {
1073                                                 *va_arg(ap, void **) = tv->value;
1074                                                 ret_val = 1;

gdb --args thumbnail _TIFFVGetField.tif tmpout.tif
……
Program received signal SIGSEGV, Segmentation fault.
_TIFFVGetField (tif=<optimized out>, tag=<optimized out>, ap=<optimized out>) at tif_dir.c:1073
1073                                                                           *va_arg(ap, void **) = tv->value;
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.22-10.fc23.x86_64 libjpeg-turbo-1.4.1-2.fc23.x86_64
(gdb) bt
#0  _TIFFVGetField (tif=<optimized out>, tag=<optimized out>, ap=<optimized out>) at tif_dir.c:1073
#1  0x00007ffff7a6b5e1 in TIFFGetField (tif=tif@entry=0x60a930, tag=tag@entry=326) at tif_dir.c:1158
#2  0x00000000004034a1 in cpTag (type=TIFF_LONG, count=<optimized out>, tag=<optimized out>, out=<optimized out>, in=<optimized out>) at thumbnail.c:167
#3  cpTags (out=<optimized out>, in=<optimized out>) at thumbnail.c:297
#4  cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:373
#5  main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:124
(gdb) x/xw ap-4
0xbffff2bc:        0x00000001

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632
http://seclists.org/oss-sec/2016/q2/33
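The crash above comes from the custom-tag branch at tif_dir.c:1068-1073: when the on-disk count of a tag exceeds 1, _TIFFVGetField stores a pointer through the caller's va_arg slot, while the thumbnail cpTag path only reserved space for a single scalar. The following constructed model (added here; not libtiff's or thumbnail's code, the TIFFField/TIFFTagValue structs and model_getfield are simplified stand-ins) reproduces that predicate and shows a caller that consults it before choosing its destination, so the pointer store never lands in a 4-byte local.

```c
#include <stdarg.h>
#include <stdint.h>

/* Constructed model of the custom-tag branch of _TIFFVGetField
 * (tif_dir.c:1068-1073). Names mirror libtiff's, but this is not its code. */
#define TIFF_VARIABLE  (-1)
#define TIFF_SPP       (-2)
#define TIFF_VARIABLE2 (-3)
enum { TIFF_ASCII = 2, TIFF_LONG = 4 };

typedef struct { int field_type; int field_readcount; } TIFFField;
typedef struct { const TIFFField *fip; uint32_t count; void *value; } TIFFTagValue;

/* The condition from tif_dir.c:1068-1072. When it holds, the library writes
 * a pointer (8 bytes on x86_64) through the caller's va_arg slot, whatever
 * size the caller assumed from the tag's nominal readcount of 1. */
static int writes_pointer(const TIFFTagValue *tv)
{
    const TIFFField *fip = tv->fip;
    return fip->field_type == TIFF_ASCII
        || fip->field_readcount == TIFF_VARIABLE
        || fip->field_readcount == TIFF_VARIABLE2
        || fip->field_readcount == TIFF_SPP
        || tv->count > 1;
}

/* Model getter: stores either tv->value (a pointer) or one LONG scalar. */
static int model_getfield(const TIFFTagValue *tv, ...)
{
    va_list ap;
    va_start(ap, tv);
    if (writes_pointer(tv))
        *va_arg(ap, void **) = tv->value;
    else
        *va_arg(ap, uint32_t *) = *(const uint32_t *)tv->value;
    va_end(ap);
    return 1;
}

/* Hardened caller: pick the destination with the same predicate the library
 * uses, so a scalar local is never the target of a pointer store.
 * Returns how many LONG values are reachable through the chosen output. */
static uint32_t safe_copy_long(const TIFFTagValue *tv,
                               uint32_t *scalar_out, void **array_out)
{
    if (writes_pointer(tv)) {
        model_getfield(tv, array_out);
        return tv->count;
    }
    model_getfield(tv, scalar_out);
    return 1;
}
```

The vulnerable pattern is the unguarded call `model_getfield(tv, &scalar)` for a tag whose file-supplied count is greater than 1; the in-tree fix route on this bug was removing the thumbnail tool and updating tiff, but any consumer of the custom-tag getter needs the same count check.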
Comment 1 Swamp Workflow Management 2016-04-08 22:01:05 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-10-13 15:13:39 UTC
Created attachment 697237 [details]
CVE-2016-3632.tiff

QA REPRODUCER:

thumbnail CVE-2016-3632.tiff output.tiff

should not crash
Comment 4 Alexander Bergmann 2016-11-23 16:52:30 UTC
http://bugzilla.maptools.org/show_bug.cgi?id=2549#c1

The thumbnail utility is no longer installed by the libtiff package (as will
appear in 4.0.7).  It now only exists for internal testing.
Comment 5 Alexander Bergmann 2016-11-25 08:23:14 UTC
Created attachment 703717 [details]
_TIFFVGetField_cve_20163632.tif

I've got the original reproducer from the reporter.
Comment 6 Alexander Bergmann 2017-12-13 14:41:28 UTC
The thumbnail tool is not part of tiff anymore. It will not be present in major future SLE releases.

Closing bug as WONTFIX.
Comment 7 Petr Gajdos 2018-06-06 09:39:47 UTC
We found this is fixed by tiff-CVE-2014-8128,CVE-2015-7554,CVE-2016-5318,10095,8331,3632.patch in 11 and 10sp3 and by version update to 4.0.8 in 12/tiff.
Comment 9 Swamp Workflow Management 2018-06-27 16:11:02 UTC
SUSE-SU-2018:1826-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.9-44.15.2
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.9-44.15.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.9-44.15.2
Comment 10 Swamp Workflow Management 2018-06-28 13:09:35 UTC
openSUSE-SU-2018:1834-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1074317,1082332,1082825,1086408,1092949,974621
CVE References: CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.9-31.1
Comment 11 Swamp Workflow Management 2018-06-28 13:12:04 UTC
SUSE-SU-2018:1835-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1011839,1011846,1017689,1017690,1019611,1031263,1082332,1082825,1086408,974621
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-10266,CVE-2016-3632,CVE-2016-5318,CVE-2016-8331,CVE-2016-9535,CVE-2016-9540,CVE-2017-11613,CVE-2017-5225,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.9.1