Bug 984813 (CVE-2016-5321) - VUL-1: tiff: CVE-2016-5321: Out-of-bounds read in tiffcrop / DumpModeDecode() function
Summary: VUL-1: tiff: CVE-2016-5321: Out-of-bounds read in tiffcrop / DumpModeDecode(...
Status: RESOLVED FIXED
Alias: CVE-2016-5321
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170093/
Whiteboard: CVSSv2:SUSE:CVE-2016-5321:4.3:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-15 09:59 UTC by Marcus Meissner
Modified: 2019-04-25 14:45 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-15 09:59:16 UTC 
http://seclists.org/oss-sec/2016/q2/549

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: illegel read
Vendor URL: http://www.remotesensing.org/libtiff/
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360
CVE ID: CVE-2016-5321
Tested system version:
       fedora23 32bit
       fedora23 64bit
       CentOS Linux release 7.1.1503 64bit


Introduction
=======

It was always corrupted when I use tiffcrop command followed by a crafted TIFF image.The vulnerbility exists in fuction 
DumpModeDecode() whitout checking the value of output parameters, Attackers could exploit this issue to cause 
denial-of-service.


Here is the stack info:
gdb –args ./tiffcrop DumpModeDecode.tif tmpout.tif
--- ---
__memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2709
2709                   movdqu    %xmm0, 36(%rdi)
Program received signal SIGSEGV, Segmentation fault.
__memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2709
2709                   movdqu    %xmm0, 36(%rdi)
(gdb) bt
#0  __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2709
#1  0x00007ffff7ad6a79 in DumpModeDecode (tif=0x662010, buf=<optimized out>, cc=52, s=<optimized out>) at 
tif_dumpmode.c:103
#2  0x00007ffff7ba3739 in TIFFReadEncodedTile (tif=tif@entry=0x662010, tile=8, buf=0x0, size=52, size@entry=-1) at 
tif_read.c:668
#3  0x00007ffff7ba3a01 in TIFFReadTile (tif=tif@entry=0x662010, buf=<optimized out>, x=x@entry=0, y=y@entry=0, 
z=z@entry=0, s=s@entry=8) at tif_read.c:641
#4  0x0000000000443e41 in readSeparateTilesIntoBuffer (bps=208, spp=9, tl=1, tw=2, imagewidth=2, imagelength=1, 
obuf=0x662ce0 "\200\177\335\367\377\177", in=0x662010) at tiffcrop.c:994
#5  loadImage (in=in@entry=0x662010, image=image@entry=0x7fffffff7960, dump=dump@entry=0x7fffffffc270, 
read_ptr=read_ptr@entry=0x7fffffff7920) at tiffcrop.c:6079
#6  0x0000000000403209 in main (argc=<optimized out>, argv=<optimized out>) at tiffcrop.c:2278
(gdb) p buf
$6 = 0x0
Comment 1 Swamp Workflow Management 2016-06-15 22:01:30 UTC 
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-10-13 13:40:09 UTC 
AFL has not created this kind of backtrace after several days on tiff 4.0.3.
Comment 4 Swamp Workflow Management 2016-12-07 14:10:39 UTC 
openSUSE-SU-2016:3035-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2015-7554,CVE-2015-8665,CVE-2015-8683,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE 13.2 (src):    tiff-4.0.7-10.35.1
Comment 5 Swamp Workflow Management 2016-12-29 23:17:23 UTC 
SUSE-SU-2016:3301-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.7-35.1
Comment 6 Swamp Workflow Management 2017-01-08 00:18:32 UTC 
openSUSE-SU-2017:0074-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE Leap 42.2 (src):    tiff-4.0.7-12.1
openSUSE Leap 42.1 (src):    tiff-4.0.7-12.1
Comment 7 Michael Vetter 2018-01-22 14:43:51 UTC 
Is this one already fixed?
Comment 8 Petr Gajdos 2018-04-25 13:36:30 UTC 
It seems so. tiffcrop is only in 12/ImageMagick and there is 4.0.9 already. Please close.
Comment 9 Marcus Meissner 2018-10-19 15:38:10 UTC 
released