Bugzilla – Bug 974614
VUL-1: CVE-2016-3945: tiff: Out-of-bounds Write in the tiff2rgba tool
Last modified: 2017-05-11 00:59:08 UTC
Details
=======
Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Write
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3945
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============
When libtiff 4.0.6 tiff2rgba handles a malicious tif file (width=8388640, height=31) with the -b parameter set, it will cause an illegal write. The vulnerability exists in function cvt_by_strip (and also in cvt_by_tile), which does not check the result of the buffer allocation. An attacker may control the write address and/or value to result in denial-of-service or command execution.

gdb tiff2rgba
(gdb) r -b sample/test.tif 1.tif
Starting program: /usr/local/bin/tiff2rgba -b sample/test.tif 1.tif
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
LZWDecode: Not enough data at scanline 0 (short 67108864 bytes).

Breakpoint 2, gtStripContig (img=0x7fffffffdd90, raster=0x7ffff7fce010, w=8388640, h=32) at tif_getimage.c:946
946         (*put)(img, raster+y*w, 0, y, w, nrow, fromskew, toskew, buf + pos);
(gdb) p *put
$5 = {void (TIFFRGBAImage *, uint32 *, uint32, uint32, uint32, uint32, int32, int32, unsigned char *)} 0x7ffff7b98a5e <put2bitcmaptile>
(gdb) p *(raster+y*w)
Cannot access memory at address 0x800035fcef90
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b98ae7 in put2bitcmaptile (img=0x7fffffffdd90, cp=0x800035fcef94, x=0, y=31, w=8388640, h=31, fromskew=0, toskew=-16777280, pp=0x7ffff1288011 '\377' <repeats 11 times>, "\303\300\377\377\377\377\377\377\024?\377\377\377\360\003") at tif_getimage.c:1233
1233        UNROLL4(w, bw = PALmap[*pp++], *cp++ = *bw++);
(gdb) bt
#0  0x00007ffff7b98ae7 in put2bitcmaptile (img=0x7fffffffdd90, cp=0x800035fcef94, x=0, y=31, w=8388640, h=31, fromskew=0, toskew=-16777280, pp=0x7ffff1288011 '\377' <repeats 11 times>, "\303\300\377\377\377\377\377\377\024?\377\377\377\360\003") at tif_getimage.c:1233
#1  0x00007ffff7b98055 in gtStripContig (img=0x7fffffffdd90, raster=0x7ffff7fce010, w=8388640, h=32) at tif_getimage.c:946
#2  0x00007ffff7b96ce7 in TIFFRGBAImageGet (img=0x7fffffffdd90, raster=0x7ffff7fce010, w=8388640, h=32) at tif_getimage.c:500
#3  0x00007ffff7ba11da in TIFFReadRGBAStrip (tif=0x604930, row=0, raster=0x7ffff7fce010) at tif_getimage.c:2816
#4  0x0000000000401693 in cvt_by_strip (in=0x604930, out=0x604010) at tiff2rgba.c:290
#5  0x0000000000401e58 in tiffcvt (in=0x604930, out=0x604010) at tiff2rgba.c:502
#6  0x00000000004011b5 in main (argc=4, argv=0x7fffffffe408) at tiff2rgba.c:126

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3945
http://seclists.org/oss-sec/2016/q2/30
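The defensive pattern the unchecked strip raster path needed, as an added illustration (this is not libtiff's code and is not from the report): the raster size is computed with an overflow check and the allocation result is tested before any row is written. The width is the one from the report; the rows-per-strip value 128 is constructed so that the 32-bit product wraps.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The unsafe pattern: width * rowsperstrip * 4 evaluated in 32-bit arithmetic
 * wraps silently, so the strip raster ends up far smaller than the rows that
 * TIFFReadRGBAStrip later writes into it. */
uint32_t naive_raster_bytes_u32(uint32_t width, uint32_t rows)
{
    return width * rows * (uint32_t)sizeof(uint32_t);
}

/* Overflow-safe multiply: 0 if the product does not fit in size_t. A zero
 * raster size is never valid, so 0 doubles as the error value. */
static size_t safe_multiply(size_t a, size_t b)
{
    if (a == 0 || b == 0 || a > SIZE_MAX / b)
        return 0;
    return a * b;
}

/* Byte size of a width x rows raster of uint32 pixels, or 0 on overflow. */
size_t raster_bytes(uint32_t width, uint32_t rows)
{
    size_t pixels = safe_multiply(width, rows);
    return safe_multiply(pixels, sizeof(uint32_t));
}
/* Allocate the strip raster: refuse an overflowed size, then check the
 * allocation result, the check the report says cvt_by_strip/cvt_by_tile lacked. */
uint32_t *alloc_strip_raster(uint32_t width, uint32_t rows_per_strip)
{
    size_t bytes = raster_bytes(width, rows_per_strip);
    if (bytes == 0) {
        fprintf(stderr, "Integer overflow when calculating raster buffer\n");
        return NULL;
    }
    uint32_t *raster = malloc(bytes);
    if (raster == NULL)
        fprintf(stderr, "No space for raster buffer (%zu bytes)\n", bytes);
    return raster;
}

int main(void)
{
    /* Report width; rows_per_strip=128 is constructed so the 32-bit product wraps. */
    uint32_t width = 8388640u, rows_per_strip = 128u;
    printf("naive: %u bytes, safe: %zu bytes\n",
           naive_raster_bytes_u32(width, rows_per_strip), raster_bytes(width, rows_per_strip));
    return 0;
}
```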
bugbot adjusting priority
openSUSE-SU-2016:2275-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE 13.2 (src): tiff-4.0.6-10.29.1
openSUSE-SU-2016:2375-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070,984808,984831,984837,984842,987351
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.1 (src): tiff-4.0.6-8.25.1
Created attachment 696438: crash1.tif

I found one by AFL ... different backtrace, but it is probably the same issue.

QA REPRODUCER: tiff2rgba crash1.tif output.tiff
4.0.6 currently in QA seems happier:

$ tiff2rgba -b crash1.tif foo.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65407 (0xff7f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 26988 (0x696c) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, Incompatible type for "ResolutionUnit"; tag ignored.
crash1.tif: Integer overflow when calculating raster buffer.
$
SUSE-SU-2016:2508-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): tiff-4.0.6-31.1
SUSE Linux Enterprise Server 12-SP1 (src): tiff-4.0.6-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src): tiff-4.0.6-31.1
openSUSE-SU-2016:2525-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE Leap 42.1 (src): tiff-4.0.6-9.1
SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.168.1