Bugzilla – Bug 984809
VUL-1: CVE-2016-5315: tiff: Out-of-bounds read in setByteArray() function in rgb2ycbcr / tif_dir.c
Last modified: 2019-11-14 15:38:44 UTC
http://seclists.org/oss-sec/2016/q2/544

Details
=======
Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: illegal read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-5315
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
=======
A read access violation occurred in function setByteArray in tif_dir.c, which allows attackers to cause a DoS via a crafted TIFF image.

Here is the stack info:

gdb --args $tool/rgb2ycbcr id31.tif tmpout.tif
---
---
(gdb) bt
#0 _int_malloc (av=av@entry=0xb7d91780 <main_arena>, bytes=bytes@entry=29) at malloc.c:3728
#1 0xb7c3f44f in __GI___libc_malloc (bytes=29) at malloc.c:2914
#2 0xb7faa875 in _TIFFmalloc (s=29) at tif_unix.c:316
#3 0xb7e88d2d in setByteArray (elem_size=1, nmemb=<optimized out>, vp=0xbfffeab0, vpp=<optimized out>) at tif_dir.c:51
#4 _TIFFVSetField (tif=0x804e008, tag=270, ap=<optimized out>) at tif_dir.c:539
#5 0xb7e89fab in TIFFVSetField (tif=0x804e008, tag=270, ap=0xbfffea48 "\260\352\377\277\370\363\004\b") at tif_dir.c:820
#6 0xb7e8a094 in TIFFSetField (tif=0x804e008, tag=270) at tif_dir.c:764
#7 0x0804aa04 in tiffcvt (in=in@entry=0x804f148, out=out@entry=0x804e008) at rgb2ycbcr.c:339
(gdb) i r $ebx
ebx 0x86868686 -2038004090
tag = 270 is TIFFTAG_IMAGEDESCRIPTION
    void
    _TIFFsetString(char** cpp, char* cp)
    {
        setByteArray((void**) cpp, (void*) cp, strlen(cp)+1, 1);
    }

newer tiff versions:

    if (fip->field_type == TIFF_ASCII) {
        uint32 ma;
        char* mb;
        if (fip->field_passcount) {
            assert(fip->field_writecount==TIFF_VARIABLE2);
            ma=(uint32)va_arg(ap,uint32);
            mb=(char*)va_arg(ap,char*);
        } else {
            mb=(char*)va_arg(ap,char*);
            ma=(uint32)(strlen(mb)+1);
        }
        tv->count=ma;
        setByteArray(&tv->value,mb,ma,1);
    }

I am not sure where it overflows, likely corrupted memory before.
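The quoted path computes the string length with strlen() on a tag value taken straight from the file, so a value with no terminating NUL is read past its end. As an added example (not libtiff code, and not the upstream fix), the bounded variant below takes the byte count the directory entry supplies and stops at that bound; the helper and function names are hypothetical and the inputs are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded replacement for _TIFFsetString (example, not libtiff code).
   Copies at most `avail` bytes from `cp`, stopping at the first NUL, and always
   NUL-terminates the copy. Returns the stored length (excluding the NUL), or -1. */
long set_string_bounded(char **cpp, const char *cp, size_t avail)
{
    if (cpp == NULL || cp == NULL)
        return -1;
    /* memchr() never reads beyond `avail`, unlike strlen() on an unterminated value. */
    const char *nul = memchr(cp, '\0', avail);
    size_t len = nul ? (size_t)(nul - cp) : avail;
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, cp, len);
    copy[len] = '\0';
    free(*cpp);
    *cpp = copy;
    return (long)len;
}

/* Constructed input: a 5-byte ImageDescription value with no terminating NUL,
   the case where strlen() would run off the end of the buffer. */
long demo_unterminated(void)
{
    char raw[5] = {'a', 'b', 'c', 'd', 'e'};
    char *dst = NULL;
    long n = set_string_bounded(&dst, raw, sizeof raw);
    int ok = (n == 5 && dst != NULL && dst[5] == '\0' && memcmp(dst, "abcde", 5) == 0);
    free(dst);
    return ok ? n : -1;   /* 5 when the copy is correct and terminated */
}

/* Constructed input: a NUL inside the counted range; the copy stops there. */
long demo_terminated(void)
{
    const char raw[] = "short\0trailing";
    char *dst = NULL;
    long n = set_string_bounded(&dst, raw, sizeof raw);
    int ok = (n == 5 && strcmp(dst, "short") == 0);
    free(dst);
    return ok ? n : -1;   /* 5: "short" only, nothing after the NUL */
}
```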
bugbot adjusting priority
http://bugzilla.maptools.org/show_bug.cgi?id=2555

BEFORE

12/tiff $ valgrind -q rgb2ycbcr CVE-2016-5315.tif out.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 464 (0x1d0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 642 (0x282) encountered.
TIFFFetchNormalTag: Warning, Incompatible type for "DocumentName"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
$

11/tiff $ valgrind -q rgb2ycbcr CVE-2016-5315.tif out.tif
TIFFReadDirectory: Warning, CVE-2016-5315.tif: unknown field with tag 464 (0x1d0) encountered.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: wrong data type 7427 for "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: wrong data type 0 for "ImageWidth"; tag ignored.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: unknown field with tag 642 (0x282) encountered.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: wrong data type 38732 for "DocumentName"; tag ignored.
CVE-2016-5315.tif: Error fetching data for field "DocumentName".
CVE-2016-5315.tif: Warning, incorrect count for field "StripOffsets" (1, expecting 32); tag ignored.
CVE-2016-5315.tif: Warning, incorrect count for field "StripByteCounts" (97, expecting 32); tag trimmed.
MissingRequired: CVE-2016-5315.tif: TIFF directory is missing required "Colormap" field.
$ [no issues observed]

PATCH

Upstream closed this bug as a duplicate of bug #2554, which was fixed by a change with CVE-2016-5875:
https://gitlab.com/libtiff/libtiff/commit/bf5b698868b0b16f14cc03d83d74cdcd9e98983e

While I do not encounter any issues with the testcase, and this commit is already part of 11/tiff/tiff-3.8.2-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch and 12/tiff has this fix already through a version update, I consider this already fixed. I will adjust the rpm changelog in this regard.
Will submit the rpm changelog adjustment for: 11/tiff and 10sp3/tiff
Packages submitted:
12/tiff: 165341
11/tiff: 165349
10sp3/tiff: 165350

@Michael, after you review these requests and after you accept and resubmit packages in case everything's ok, I think you can reassign this bug to security-team@.
SUSE-SU-2018:1472-1: An update that solves 14 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1017694,1031250,1031254,1033109,1033111,1033112,1033113,1033120,1033126,1033127,1033129,1074317,984808,984809,984831,987351
CVE References: CVE-2016-10267,CVE-2016-10269,CVE-2016-10270,CVE-2016-5314,CVE-2016-5315,CVE-2017-18013,CVE-2017-7593,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.6.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.6.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.6.1
I think this can be closed.