Bug 1010161 (CVE-2016-9297)

Summary: VUL-0: CVE-2016-9297: tiff: tif_dirread.c read outside buffer in _TIFFPrintField()
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Fridrich Strba <fstrba>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, astieger, meissner, mikhail.kasimov, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/176326/
Whiteboard: CVSSv2:RedHat:CVE-2016-9297:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2016-9297:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-9448:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Reproducer

Description Alexander Bergmann 2016-11-15 10:18:27 UTC
CVE-2016-9297

http://bugzilla.maptools.org/show_bug.cgi?id=2590

AddressSanitizer: SEGV on unknown address 0x7faf9b2d2000

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
  values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
  access are null terminated, to avoid potential read outside buffer
  in _TIFFPrintField().

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9297
http://seclists.org/oss-sec/2016/q4/421
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9297.html
Comment 1 Alexander Bergmann 2016-11-15 10:21:58 UTC
Created attachment 702019 [details]
Reproducer

Copied from: http://bugzilla.maptools.org/show_bug.cgi?id=2590

Triggered in libtiff 4.0.6 with AFL and ASAN. Only crashes if I LD_PRELOAD
AFL's libdislocator (more info: https://github.com/mirrorer/afl/tree/master/libdislocator).

LD_PRELOAD=/root/afl-2.35b/libdislocator/libdislocator.so ./tiffinfo -i test000
Comment 2 Swamp Workflow Management 2016-11-15 23:00:22 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-11-17 09:48:33 UTC
assuming sle11 and older not affected (does not have the tags),
sle12 affected.
Comment 4 Mikhail Kasimov 2016-11-19 00:30:20 UTC
Updated info about CVE-2016-9297: http://seclists.org/oss-sec/2016/q4/460

See https://bugzilla.opensuse.org/show_bug.cgi?id=1011103 report (CVE-2016-9448).
Comment 5 Swamp Workflow Management 2016-12-07 14:09:11 UTC
openSUSE-SU-2016:3035-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2015-7554,CVE-2015-8665,CVE-2015-8683,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE 13.2 (src):    tiff-4.0.7-10.35.1
Comment 6 Swamp Workflow Management 2016-12-29 23:15:55 UTC
SUSE-SU-2016:3301-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.7-35.1
Comment 7 Andreas Stieger 2017-01-07 20:35:03 UTC
release openSUSE, all done
Comment 8 Swamp Workflow Management 2017-01-08 00:17:07 UTC
openSUSE-SU-2017:0074-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE Leap 42.2 (src):    tiff-4.0.7-12.1
openSUSE Leap 42.1 (src):    tiff-4.0.7-12.1