Bugzilla – Full Text Bug Listing
Summary: | VUL-1: CVE-2017-5225: tiff: heap buffer overflow in tools/tiffcp via a crafted BitsPerSample value | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Andreas Stieger <astieger> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Normal | ||
Priority: | P4 - Low | CC: | mvetter, pgajdos, smash_bz |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/178484/ | ||
Whiteboard: | CVSSv2:SUSE:CVE-2017-5225:4.4:(AV:L/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-5225:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2017-5225:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2017-5225:7.0:(AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) maint:released:sle10-sp3:64066 CVSSv2:NVD:CVE-2017-11360:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:RedHat:CVE-2017-11360:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Attachments: | poc, poc2 | ||
Description
Andreas Stieger
2017-01-12 14:34:42 UTC
Created attachment 709821 [details]
poc
The command:
./tiffcp -p contig poc.tiff output.tiff
Stacktrace(with ASAN):
=================================================================
==26086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4e00ef4 at pc 0x0804d69b bp 0xbfd49d68 sp 0xbfd49d58
READ of size 1 at 0xb4e00ef4 thread T0
#0 0x804d69a in cpSeparate2ContigByRow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1144
#1 0x804b31d in tiffcp /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:815
#2 0x804b31d in main /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:304
#3 0xb700e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#4 0x804c81b (/media/sf_AFL_Dyninst_ADV/tiff/tiffcp-asan+0x804c81b)
0xb4e00ef4 is located 0 bytes to the right of 36-byte region [0xb4e00ed0,0xb4e00ef4)
allocated by thread T0 here:
#0 0xb72b2dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x804d47f in cpSeparate2ContigByRow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1125
#2 0xb700e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1144 cpSeparate2ContigByRow
Analysis:
This is a heap-based buffer overflow that happens in the function "cpSeparate2ContigByRow" (line 1114) in tools/tiffcp.c.
The issue is that in the for loop at line 1143 in tiffcp.c, the variable 'imagewidth' can be larger than 'scanlinesizeout', which can lead to an out-of-bounds read.

This poc may only trigger if the package is built using ASAN.

CLI only -> VUL-1

Created attachment 709825 [details]
poc2
The command:
./tiffcp -p contig poc.tiff output.tiff
Stacktrace(with ASAN):
=================================================================
==26086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4e00ef4 at pc 0x0804d69b bp 0xbfd49d68 sp 0xbfd49d58
READ of size 1 at 0xb4e00ef4 thread T0
#0 0x804d69a in cpSeparate2ContigByRow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1144
#1 0x804b31d in tiffcp /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:815
#2 0x804b31d in main /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:304
#3 0xb700e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#4 0x804c81b (/media/sf_AFL_Dyninst_ADV/tiff/tiffcp-asan+0x804c81b)
0xb4e00ef4 is located 0 bytes to the right of 36-byte region [0xb4e00ed0,0xb4e00ef4)
allocated by thread T0 here:
#0 0xb72b2dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x804d47f in cpSeparate2ContigByRow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1125
#2 0xb700e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1144 cpSeparate2ContigByRow
Analysis:
This is a heap-based buffer overflow that happens in the function "cpSeparate2ContigByRow" (line 1114) in tools/tiffcp.c.
The issue is that in the for loop at line 1143 in tiffcp.c, the variable 'imagewidth' can be larger than 'scanlinesizeout', which can lead to an out-of-bounds read.
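The analysis above says the merge loop in cpSeparate2ContigByRow copies 'imagewidth' bytes per plane although the buffers were sized by TIFFScanlineSize(), which is ceil(width * BitsPerSample / 8) bytes per plane. The following is an added example, not code from this bug report or from libtiff: it models that merge loop in isolation and puts the bounds pre-condition in front of it (the same effect as the BitsPerSample=8 check visible in the patched output later in this bug). The function names, the constructed two-plane input and the return codes are this example's own; the scanline-size formula assumes one unpadded plane.

```c
/*
 * Added example (not libtiff code). Models the separate-to-contig merge
 * loop of tiffcp's cpSeparate2ContigByRow and the checks that keep it in
 * bounds. One plane of a PLANARCONFIG_SEPARATE image occupies
 * ceil(width * bps / 8) bytes, so a loop that copies one byte per pixel
 * only stays inside that buffer when bps == 8.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes in one scanline of a single plane: ceil(width * bps / 8).
 * Assumption: no row padding, one plane (what TIFFScanlineSize yields). */
static uint64_t plane_scanline_bytes(uint32_t width, uint16_t bps)
{
    return ((uint64_t)width * bps + 7) / 8;
}

/*
 * Pre-condition for a byte-per-sample merge of `spp` planes of `width`
 * pixels into an interleaved output buffer.
 * Returns 0 when the loop below is in bounds, -1 when it would read past
 * the input plane or write past the output scanline.
 */
static int merge_is_in_bounds(uint32_t width, uint16_t bps, uint16_t spp,
                              uint64_t in_bytes, uint64_t out_bytes)
{
    if (bps != 8)
        return -1;              /* loop copies whole bytes; sub-byte samples never fit */
    if ((uint64_t)width > in_bytes)
        return -1;              /* would read past the input plane buffer */
    if ((uint64_t)width * spp > out_bytes)
        return -1;              /* would write past the interleaved output buffer */
    return 0;
}

/*
 * Interleave `spp` separate planes (each `in_bytes` long) into `out`
 * (`out_bytes` long). Returns 0 on success, -1 when refused. The inner
 * loop is the same shape as the one the ASAN trace points at.
 */
static int merge_planes(const uint8_t *const *planes, uint16_t spp,
                        uint32_t width, uint16_t bps,
                        uint64_t in_bytes, uint8_t *out, uint64_t out_bytes)
{
    if (merge_is_in_bounds(width, bps, spp, in_bytes, out_bytes) != 0)
        return -1;
    for (uint16_t s = 0; s < spp; s++) {
        const uint8_t *inp = planes[s];
        uint8_t *outp = out + s;
        for (uint32_t n = width; n-- > 0;) {
            *outp = *inp++;     /* one byte per pixel from plane s */
            outp += spp;
        }
    }
    return 0;
}

/* Constructed demo input: two 4-pixel 8-bit planes. Returns 1 when the
 * merge is accepted and interleaves them as expected, else 0. */
static int demo_merge_matches_expected(void)
{
    static const uint8_t red[4]  = {1, 2, 3, 4};
    static const uint8_t blue[4] = {5, 6, 7, 8};
    const uint8_t *const planes[2] = {red, blue};
    const uint8_t expected[8] = {1, 5, 2, 6, 3, 7, 4, 8};
    uint8_t out[8] = {0};

    if (merge_planes(planes, 2, 4, 8, sizeof red, out, sizeof out) != 0)
        return 0;
    for (int i = 0; i < 8; i++)
        if (out[i] != expected[i])
            return 0;
    return 1;
}

int main(void)
{
    /* 36 pixels: at 8 bps the plane is 36 bytes and the merge is allowed;
     * at 1 bps the plane is only 5 bytes, so the merge is refused instead
     * of reading 31 bytes past the allocation. */
    const uint32_t width = 36;
    const uint16_t bps_values[2] = {8, 1};
    for (int i = 0; i < 2; i++) {
        uint64_t in_bytes = plane_scanline_bytes(width, bps_values[i]);
        int ok = merge_is_in_bounds(width, bps_values[i], 1, in_bytes, in_bytes);
        printf("width=%" PRIu32 " bps=%u plane bytes=%" PRIu64 ": merge %s\n",
               width, bps_values[i], in_bytes, ok == 0 ? "allowed" : "refused");
    }
    printf("demo merge %s\n", demo_merge_matches_expected() ? "ok" : "mismatch");
    return 0;
}
```

The two size comparisons spell out why the upstream-style BitsPerSample check is sufficient here: with bps == 8 the plane buffer is exactly `width` bytes and the contig output is `width * spp` bytes, so neither loop bound can exceed its buffer.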
bugbot adjusting priority

SUSE-SU-2017:0453-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1019611,1022103
CVE References: CVE-2017-5225
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): tiff-4.0.7-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): tiff-4.0.7-40.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): tiff-4.0.7-40.1
SUSE Linux Enterprise Server 12-SP2 (src): tiff-4.0.7-40.1
SUSE Linux Enterprise Server 12-SP1 (src): tiff-4.0.7-40.1
SUSE Linux Enterprise Desktop 12-SP2 (src): tiff-4.0.7-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src): tiff-4.0.7-40.1

openSUSE-SU-2017:0512-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1019611,1022103
CVE References: CVE-2017-5225
Sources used:
openSUSE Leap 42.2 (src): tiff-4.0.7-15.1
openSUSE Leap 42.1 (src): tiff-4.0.7-15.1

BEFORE
12/tiff
$ valgrind -q tiffcp -p contig poc.tiff output.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 26996 (0x6974) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
poc.tiff: Error, can only handle BitsPerSample=8 in cpSeparate2ContigByRow.
$
$ valgrind -q tiffcp -p contig poc2.tiff output.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 26996 (0x6974) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
poc2.tiff: Error, can only handle BitsPerSample=8 in cpSeparate2ContigByRow.
$

11/tiff
$ valgrind -q tiffcp -p contig poc.tiff output.tiff
TIFFReadDirectory: Warning, poc.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 59650 for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 3 for "Group3Options"; tag ignored.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 261 for "XResolution"; tag ignored.
poc.tiff: Warning, incorrect count for field "XResolution" (4294045185, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 26996 (0x6974) encountered.
poc.tiff: Error fetching data for field "DocumentName".
poc.tiff: No space to fetch tag value.
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x4027B3: tiffcp (tiffcp.c:579)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684==
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x402AB2: tiffcp (tiffcp.c:659)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684==
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x405139: pickCopyFunc (tiffcp.c:1659)
==25684==    by 0x402EEF: tiffcp (tiffcp.c:731)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684==
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x405140: pickCopyFunc (tiffcp.c:1659)
==25684==    by 0x402EEF: tiffcp (tiffcp.c:731)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684==
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x403A50: cpSeparate2ContigByRow (tiffcp.c:1023)
==25684==    by 0x402F19: tiffcp (tiffcp.c:732)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684==
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x4E480DA: find0span (tif_fax3.c:822)
==25684==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25684==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25684==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25684==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25684==    by 0x402F19: tiffcp (tiffcp.c:732)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684==
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x4E480EF: find0span (tif_fax3.c:832)
==25684==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25684==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25684==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25684==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25684==    by 0x402F19: tiffcp (tiffcp.c:732)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684==
==25684== Use of uninitialised value of size 8
==25684==    at 0x4E48143: find0span (tif_fax3.c:841)
==25684==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25684==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25684==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25684==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25684==    by 0x402F19: tiffcp (tiffcp.c:732)
==25684==    by 0x401DED: main (tiffcp.c:285)
TIFFReadDirectory: poc.tiff: Can not read TIFF directory count.
$
$ valgrind -q tiffcp -p contig poc2.tiff output.tiff
TIFFReadDirectory: Warning, poc2.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 59650 for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 3 for "Group3Options"; tag ignored.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 261 for "XResolution"; tag ignored.
poc2.tiff: Warning, incorrect count for field "XResolution" (4294045185, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 26996 (0x6974) encountered.
poc2.tiff: Error fetching data for field "DocumentName".
poc2.tiff: No space to fetch tag value.
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x4027B3: tiffcp (tiffcp.c:579)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688==
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x402AB2: tiffcp (tiffcp.c:659)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688==
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x405139: pickCopyFunc (tiffcp.c:1659)
==25688==    by 0x402EEF: tiffcp (tiffcp.c:731)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688==
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x405140: pickCopyFunc (tiffcp.c:1659)
==25688==    by 0x402EEF: tiffcp (tiffcp.c:731)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688==
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x403A50: cpSeparate2ContigByRow (tiffcp.c:1023)
==25688==    by 0x402F19: tiffcp (tiffcp.c:732)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688==
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x4E480DA: find0span (tif_fax3.c:822)
==25688==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25688==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25688==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25688==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25688==    by 0x402F19: tiffcp (tiffcp.c:732)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688==
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x4E480EF: find0span (tif_fax3.c:832)
==25688==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25688==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25688==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25688==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25688==    by 0x402F19: tiffcp (tiffcp.c:732)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688==
==25688== Use of uninitialised value of size 8
==25688==    at 0x4E48143: find0span (tif_fax3.c:841)
==25688==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25688==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25688==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25688==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25688==    by 0x402F19: tiffcp (tiffcp.c:732)
==25688==    by 0x401DED: main (tiffcp.c:285)
TIFFReadDirectory: poc2.tiff: Can not read TIFF directory count.
$

PATCH
see comment 0
12/tiff: has the change already in
10sp3,11/tiff: patch is required

AFTER
11/tiff
$ valgrind -q tiffcp -p contig poc.tiff output.tiff
TIFFReadDirectory: Warning, poc.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 59650 for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 3 for "Group3Options"; tag ignored.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 261 for "XResolution"; tag ignored.
poc.tiff: Warning, incorrect count for field "XResolution" (4294045185, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 26996 (0x6974) encountered.
poc.tiff: Error fetching data for field "DocumentName".
poc.tiff: No space to fetch tag value.
==17541== Conditional jump or move depends on uninitialised value(s)
==17541==    at 0x4027BF: tiffcp (tiffcp.c:579)
==17541==    by 0x401DED: main (tiffcp.c:285)
poc.tiff: Error, can only handle BitsPerSample=8 in cpSeparate2ContigByRow.
$
$ valgrind -q tiffcp -p contig poc2.tiff output.tiff
TIFFReadDirectory: Warning, poc2.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 59650 for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 3 for "Group3Options"; tag ignored.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 261 for "XResolution"; tag ignored.
poc2.tiff: Warning, incorrect count for field "XResolution" (4294045185, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 26996 (0x6974) encountered.
poc2.tiff: Error fetching data for field "DocumentName".
poc2.tiff: No space to fetch tag value.
==17546== Conditional jump or move depends on uninitialised value(s)
==17546==    at 0x4027BF: tiffcp (tiffcp.c:579)
==17546==    by 0x401DED: main (tiffcp.c:285)
poc2.tiff: Error, can only handle BitsPerSample=8 in cpSeparate2ContigByRow.
$

Will submit for 11/tiff and 10sp3/tiff.
Added also tiffcp.c's part of:
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b

This bug should be fixed by current submission.

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-07-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64065

SUSE-SU-2018:1835-1: An update that fixes 13 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1007276,1011839,1011846,1017689,1017690,1019611,1031263,1082332,1082825,1086408,974621
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-10266,CVE-2016-3632,CVE-2016-5318,CVE-2016-8331,CVE-2016-9535,CVE-2016-9540,CVE-2017-11613,CVE-2017-5225,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.9.1

released