Bugzilla – Bug 984815
VUL-1: tiff: CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr dereference?)
Last modified: 2019-04-25 14:45:46 UTC
http://seclists.org/oss-sec/2016/q2/548 Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: divide by zero Vendor URL: http://www.remotesensing.org/libtiff/ Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360 CVE ID: CVE-2016-5323 Tested system version: fedora23 32bit fedora23 64bit CentOS Linux release 7.1.1503 64bit Introduction ======= t was always corrupted when I use tiffcrop command followed by a crafted TIFF image in function _TIFFFax3fillruns () without checking the value of divisor, it causes a divide by zero flaw. Attackers cound exploit this issue to cause denial-of-service. Here is the stack info: gdb –args ./tiffcrop _TIFFFax3fillruns.tif tmpout.tif --- --- Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7ad97f0 in _TIFFFax3fillruns (buf=0x0, runs=0x673500, erun=<optimized out>, lastx=64) at tif_fax3.c:407 407 ZERO(n, cp); (gdb) bt #0 0x00007ffff7ad97f0 in _TIFFFax3fillruns (buf=0x0, runs=0x673500, erun=<optimized out>, lastx=64) at tif_fax3.c:407 #1 0x00007ffff7ae087c in Fax3DecodeRLE (tif=0x662010, buf=0x0, occ=8192, s=<optimized out>) at tif_fax3.c:1527 #2 0x00007ffff7ba3739 in TIFFReadEncodedTile (tif=tif@entry=0x662010, tile=8, buf=0x0, size=8192, size@entry=-1) at tif_read.c:668 #3 0x00007ffff7ba3a01 in TIFFReadTile (tif=tif@entry=0x662010, buf=<optimized out>, x=x@entry=0, y=y@entry=0, z=z@entry=0, s=s@entry=8) at tif_read.c:641 #4 0x0000000000443e41 in readSeparateTilesIntoBuffer (bps=1, spp=129, tl=1024, tw=64, imagewidth=32, imagelength=32, obuf=0x7ffff7ee5010 "", in=0x662010) at tiffcrop.c:994 #5 loadImage (in=in@entry=0x662010, image=image@entry=0x7fffffff7960, dump=dump@entry=0x7fffffffc270, read_ptr=read_ptr@entry=0x7fffffff7920) at tiffcrop.c:6079 #6 0x0000000000403209 in main (argc=<optimized out>, argv=<optimized out>) at tiffcrop.c:2278 (gdb) p cp $2 = (unsigned char *) 0x0
NULL ptr dereference, not division by zero.
bugbot adjusting priority
Created attachment 697218 [details] CVE-2016-5323.tiff QA REPRODUCER: tiffcrop CVE-2016-5323.tiff output.tiff (should not crash)
openSUSE-SU-2016:3035-1: An update that fixes 14 vulnerabilities is now available. Category: security (important) Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351 CVE References: CVE-2014-8127,CVE-2015-7554,CVE-2015-8665,CVE-2015-8683,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453 Sources used: openSUSE 13.2 (src): tiff-4.0.7-10.35.1
SUSE-SU-2016:3301-1: An update that fixes 11 vulnerabilities is now available. Category: security (moderate) Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351 CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): tiff-4.0.7-35.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): tiff-4.0.7-35.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): tiff-4.0.7-35.1 SUSE Linux Enterprise Server 12-SP2 (src): tiff-4.0.7-35.1 SUSE Linux Enterprise Server 12-SP1 (src): tiff-4.0.7-35.1 SUSE Linux Enterprise Desktop 12-SP2 (src): tiff-4.0.7-35.1 SUSE Linux Enterprise Desktop 12-SP1 (src): tiff-4.0.7-35.1
openSUSE-SU-2017:0074-1: An update that fixes 11 vulnerabilities is now available. Category: security (moderate) Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351 CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453 Sources used: openSUSE Leap 42.2 (src): tiff-4.0.7-12.1 openSUSE Leap 42.1 (src): tiff-4.0.7-12.1
Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2559 Commit: https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31 BEFORE 12/tiff $ tiffcrop CVE-2016-5323.tiff out.tiff TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 295 (0x127) encountered. TIFFReadDirectory: Warning, Unknown field with tag 27 (0x1b) encountered. TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations. TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored. _TIFFVSetField: CVE-2016-5323.tiff: Null count for "Tag 27" (type 1, writecount -3, passcount 1). TIFFReadDirectory: Warning, Ignoring ColorMap since BitsPerSample tag not found. TIFFAdvanceDirectory: Error fetching directory count. loadImage: Image lacks Photometric interpreation tag. loadImage: Integer overflow detected.. $ 10sp3,11/tiff Does not have tiffcrop, the fix is not applicable.