Bugzilla – Bug 984837
VUL-0: tiff: CVE-2016-5316: Out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c
Last modified: 2016-10-13 15:12:21 UTC
http://seclists.org/oss-sec/2016/q2/545

Details
=======
Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: illegal read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-5316
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
=======
Segmentation fault occurs in PixarLogCleanup() in tif_pixarlog.c when using the rgb2ycbcr tool with a crafted TIFF image. Attackers could exploit this issue to cause a denial of service.

Here is the stack info:

gdb --args ./rgb2ycbcr PixarLogCleanup.tif tmpout.tif
---
---
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x75757575) at malloc.c:2952
2952        if (chunk_is_mmapped (p))      /* release mmapped memory. */
Missing separate debuginfos, use: dnf debuginfo-install libjpeg-turbo-1.4.1-2.fc23.i686 zlib-1.2.8-9.fc23.i686
(gdb) bt
#0  __GI___libc_free (mem=0x75757575) at malloc.c:2952
#1  0xb7df0a4c in zcfree () from /usr/lib/libz.so.1
#2  0xb7dedd3e in inflateEnd () from /usr/lib/libz.so.1
#3  0xb7f72044 in PixarLogCleanup (tif=0x804f148) at tif_pixarlog.c:1264
#4  0xb7ec29ae in TIFFReadDirectory (tif=0x804f148) at tif_dirread.c:3412
#5  0x0804942d in main (argc=3, argv=0xbffff3a4) at rgb2ycbcr.c:132
(looks like memory corruption ... not just overread)
bugbot adjusting priority
Created attachment 683846: rep
openSUSE-SU-2016:1889-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 964225,984808,984831,984837,984842,987351
CVE References: CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.2 (src): tiff-4.0.6-10.26.1
Closing as fixed. Reopen if you think you need to.
SUSE-SU-2016:2271-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): tiff-4.0.6-26.3
SUSE Linux Enterprise Server 12-SP1 (src): tiff-4.0.6-26.3
SUSE Linux Enterprise Desktop 12-SP1 (src): tiff-4.0.6-26.3

openSUSE-SU-2016:2321-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE Leap 42.1 (src): tiff-4.0.6-6.1

openSUSE-SU-2016:2375-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070,984808,984831,984837,984842,987351
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.1 (src): tiff-4.0.6-8.25.1

SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.168.1