Bugzilla – Bug 983440
VUL-0: CVE-2016-5319: tiff: heap buffer overflow in PackBitsEncode
Last modified: 2018-11-24 15:42:57 UTC
CVE-2016-5319

####################################
3) heap buffer overflow in bmp2tiff
####################################

Memory corruption bugs can be triggered when bmp2tiff handles a maliciously crafted bmp file; it will cause the target application to crash.

PackBitsEncode.c:line 85 does not check the length of bp passed through buf.
(the filename is actually tif_packbits.c, not PackBitsEncode.c)

AddressSanitizer: heap-buffer-overflow
...
READ of size 1
...
    #0 0x48709f in PackBitsEncode /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_packbits.c:85
    #1 0x458563 in TIFFWriteScanline /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_write.c:173
    #2 0x403f83 in main /root/Desktop/AFL/tiff-4.0.6/tools/bmp2tiff.c:775

Use CVE-2016-5319 for this PackBitsEncode issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5319
http://seclists.org/oss-sec/2016/q2/486
####################################
3) heap buffer overflow in bmp2tiff
####################################

Memory corruption bugs can be triggered when bmp2tiff handles a maliciously crafted bmp file; it will cause the target application to crash.

overview:

alloc workflow:
--> bmp2tiff.c:line 678, uncomprbuf = (unsigned char *)_TIFFmalloc(uncompr_size) // allocate space for uncompressed scanline buffer
--> allocate space for compressed scanline buffer
--> _TIFFmalloc in libtiff/tif_unix.c:line 316

read workflow: from bmp2tiff.c:line 775 to line 752
--> bmp2tiff.c:775 // if (TIFFWriteScanline(out, uncomprbuf + (length - row - 1) * width, row, 0) < 0)
--> tif_write.c:173 // status = (*tif->tif_encoderow)(tif, (uint8*) buf, tif->tif_scanlinesize, sample);
--> tif_packbits.c:85 // PackBitsEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
    --> for (; cc > 0 && b == *bp; cc--, bp++)

PackBitsEncode.c:line 85 does not check the length of bp passed through buf.

The memory error can be detected by ASan; the log is as follows:

root@debug:~/Desktop/AFL/tiff-4.0.6/tools# ./bmp2tiff ./crashes/poc_775.bmp 1.tiff
=================================================================
==2525==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310000107fd at pc 0x4870a0 bp 0x7fff3553b750 sp 0x7fff3553b748
READ of size 1 at 0x6310000107fd thread T0
    #0 0x48709f in PackBitsEncode /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_packbits.c:85
    #1 0x458563 in TIFFWriteScanline /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_write.c:173
    #2 0x403f83 in main /root/Desktop/AFL/tiff-4.0.6/tools/bmp2tiff.c:775
    #3 0x7f8f61e1aec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #4 0x4019f8 (/root/Desktop/AFL/tiff-4.0.6/tools/bmp2tiff+0x4019f8)

0x6310000107fd is located 0 bytes to the right of 65533-byte region [0x631000000800,0x6310000107fd)
allocated by thread T0 here:
    #0 0x7f8f625187ef in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547ef)
    #1 0x45d76e in _TIFFmalloc /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_unix.c:316
    #2 0x4032b4 in main /root/Desktop/AFL/tiff-4.0.6/tools/bmp2tiff.c:678
    #3 0x7f8f61e1aec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_packbits.c:85 PackBitsEncode
Shadow bytes around the buggy address:
  0x0c627fffa0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[05]
  0x0c627fffa100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB: fc
  ASan internal:         fe
==2525==ABORTING
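The write path in the comment above hands PackBitsEncode a pointer into uncomprbuf plus a length (tif_scanlinesize) that nothing compares against the 65533-byte allocation. The following C is an added illustration, not libtiff or bmp2tiff code: hypothetical helpers that model the row-offset arithmetic from bmp2tiff.c:775 and the run-scanning loop from tif_packbits.c:85, with the bounds check that the real path lacks. All names and the sample sizes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libtiff API): does the scanline
   [row_start, row_start + scanline_size) lie inside a buffer of
   buf_size bytes?  Written so the arithmetic cannot wrap. */
int scanline_in_bounds(size_t buf_size, size_t row_start, size_t scanline_size)
{
    if (row_start > buf_size)
        return 0;
    return scanline_size <= buf_size - row_start;
}

/* Hypothetical helper: count the leading run of bytes equal to bp[0],
   as the loop at tif_packbits.c:85 does, but never reading past
   `avail` bytes.  The original loop trusts `cc` and has no such limit. */
size_t run_length_bounded(const uint8_t *bp, size_t avail)
{
    size_t n = 0;
    if (avail == 0)
        return 0;
    uint8_t b = bp[0];
    while (n < avail && bp[n] == b)
        n++;
    return n;
}

/* Model of bmp2tiff's row loop: each row starts at
   (height - row - 1) * width inside an uncompr_size-byte buffer.
   Returns how many rows would have to be rejected before encoding. */
size_t check_rows(size_t uncompr_size, size_t width, size_t height,
                  size_t scanline_size)
{
    size_t rejected = 0;
    for (size_t row = 0; row < height; row++) {
        size_t start = (height - row - 1) * width;
        if (!scanline_in_bounds(uncompr_size, start, scanline_size))
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed geometry: 10 rows of 6554 bytes need 65540 bytes,
       but the buffer holds only 65533, so the top row overruns. */
    printf("rows rejected: %zu\n", check_rows(65533, 6554, 10, 6554));
    return 0;
}
```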
Created attachment 679826
poc_775.bmp

QA REPRODUCER:
bmp2tiff bmp2tiff_745/poc/poc_745.bmp foo.tiff
should not crash
bugbot adjusting priority
(Not fixed in current candidate).
The problem is still reproducible under SLE-11 and SLE-12.
Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2562
Has been closed as wontfix, since bmp2tiff has been dropped. Not possible for us (without bureaucracy).
This looks very similar to bug 1074186.
See the bug 1074186 for findings. Will submit for 12/tiff, 11/tiff and 10sp3/tiff.
SUSE-SU-2018:2676-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074186,1092480,960589,983440
CVE References: CVE-2015-8668,CVE-2016-5319,CVE-2017-17942,CVE-2018-10779
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.16.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.16.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.16.1
SUSE-SU-2018:2836-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074186,1092480,983440
CVE References: CVE-2016-5319,CVE-2017-17942,CVE-2018-10779
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): tiff-4.0.9-44.21.1
SUSE Linux Enterprise Server 12-SP3 (src): tiff-4.0.9-44.21.1
SUSE Linux Enterprise Desktop 12-SP3 (src): tiff-4.0.9-44.21.1
openSUSE-SU-2018:2880-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074186,1092480,983440
CVE References: CVE-2016-5319,CVE-2017-17942,CVE-2018-10779
Sources used:
openSUSE Leap 42.3 (src): tiff-4.0.9-34.1
released
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440
CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.22.1