Bug 974446 (CVE-2016-3619)

Summary: VUL-1: CVE-2016-3619: tiff: Out-of-bounds Read in the bmp2tiff tool (none packing)
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: abergmann, mvetter, pgajdos, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/166618/
Whiteboard: CVSSv2:SUSE:CVE-2016-3619:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-3619:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2016-3619:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-3619:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) maint:released:sle10-sp3:64181
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2016-04-07 09:09:21 UTC 
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Read
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3619
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

 When bmp2tiff function DumpModeEncode handle malicious bmp file with param -c none will cause Out-of-bounds Read. An attacker could exploit this issue to cause a denial of service.


 libtiff-master/libtiff/tif_dumpmode.c:62

59                  * data buffer to avoid extra copy.
 60                  */
 61                 if (tif->tif_rawcp != pp)
 62                         _TIFFmemcpy(tif->tif_rawcp, pp, n);
 63                 tif->tif_rawcp += n;
 64                 tif->tif_rawcc += n;
 65                 pp += n;
 66                 cc -= n;
 67                 if (tif->tif_rawcc >= tif->tif_rawdatasize &&
 68                     !TIFFFlushData1(tif))
 69                         return (0);

./bmp2tiff  -c none  ./sample/bmp2tiff_none.bmp 1.tif

=================================================================
==16644== ERROR: AddressSanitizer: unknown-crash on address 0x7f6f7dbde800 at pc 0x7f6f7ab77b3f bp 0x7ffc82264d60 sp 0x7ffc82264508
READ of size 3342336 at 0x7f6f7dbde800 thread T0
    #0 0x7f6f7ab77b3e (/lib64/libasan.so.0+0xeb3e)
    #1 0x45b96c in _TIFFmemcpy /home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:340
    #2 0x4614c1 in DumpModeEncode /home/dazhuang/asan/libtiff-master/libtiff/tif_dumpmode.c:62
    #3 0x45665e in TIFFWriteScanline /home/dazhuang/asan/libtiff-master/libtiff/tif_write.c:173
    #4 0x40450f in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:775
    #5 0x7f6f7a2aeaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
    #6 0x4019a8 in _start (/home/dazhuang/asan/libtiff-master/tools/bmp2tiff+0x4019a8)
0x7f6f7dcee800 is located 0 bytes to the right of 1114112-byte region [0x7f6f7dbde800,0x7f6f7dcee800)
allocated by thread T0 here:
    #0 0x7f6f7ab7f129 (/lib64/libasan.so.0+0x16129)
    #1 0x45b761 in _TIFFmalloc /home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:316
    #2 0x4037c3 in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:678
    #3 0x7f6f7a2aeaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
SUMMARY: AddressSanitizer: unknown-crash ??:0 ??
Shadow bytes around the buggy address:
  0x0fee6fb73cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee6fb73cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee6fb73cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee6fb73ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee6fb73cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fee6fb73d00:[00]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==16644== ABORTING



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3619
http://seclists.org/oss-sec/2016/q2/20
Comment 1 Swamp Workflow Management 2016-04-07 22:00:50 UTC 
bugbot adjusting priority
Comment 2 Alexander Bergmann 2016-11-23 17:14:48 UTC 
http://bugzilla.maptools.org/show_bug.cgi?id=2567#c1

Closing as wontfix since bmp2tiff has been removed from libtiff
Comment 4 Petr Gajdos 2018-11-13 14:15:38 UTC 
Look at the difference between 4.0.6/tools/bmp2tiff.c and 4.0.9/tools/bmp2tiff.c in 12 we maintain for backward compatibility:

--- tiff-4.0.6/tools/bmp2tiff.c	2015-08-29 00:17:08.133699639 +0200
+++ tiff-4.0.9/tools/bmp2tiff.c	2018-11-13 13:41:11.063154786 +0100
@@ -1,4 +1,4 @@
-/* $Id: bmp2tiff.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $
+/* $Id$
  *
  * Project:  libtiff tools
  * Purpose:  Convert Windows BMP files in TIFF.
@@ -693,7 +693,11 @@ main(int argc, char* argv[])
                         }
 			i = 0;
 			j = 0;
-			if (info_hdr.iBitCount == 8) {		/* RLE8 */
+                        if (info_hdr.iBitCount > 8) {
+                                TIFFError(infilename, "Handle of this type image is not implemented");
+                                goto bad;
+                        }
+			else if (info_hdr.iBitCount == 8) {		/* RLE8 */
                                 while(j < uncompr_size && i < compr_size) {
                                         if ( comprbuf[i] ) {
                                                 runlength = comprbuf[i++];
@@ -771,6 +775,14 @@ main(int argc, char* argv[])
 
 			_TIFFfree(comprbuf);
 
+			/* Check whether we are not going to read past the uncompressed data */
+			if ( length > j || width > j || length * width > j) {
+				TIFFError(infilename,
+                                          "Premature end of file");
+				_TIFFfree(uncomprbuf);
+				goto bad3;
+			}
+
 			for (row = 0; row < length; row++) {
 				if (TIFFWriteScanline(out,
                                                       uncomprbuf + (length - row - 1) * width,


For 3.8.2, without tiff-bmp2tiff.c-update.patch I get:

Breakpoint 3, main (argc=5, argv=0x7fffffffe918) at bmp2tiff.c:687
687				for (row = 0; row < length; row++) {
(gdb) p length
$5 = 1
(gdb) p j
$6 = 476
(gdb) p width
$7 = 1114112
(gdb) p length > j || width > j || length * width > j
$9 = 1
(gdb)                                                

Thus this issue is already fixed by tiff-bmp2tiff.c-update.patch in 11/tiff and 10sp3/tiff and it is not present in 12/tiff.
Comment 5 Petr Gajdos 2018-11-13 14:16:35 UTC 
Will amend rpm changelog for: 11,10sp3/tiff.
Comment 6 Petr Gajdos 2018-11-14 14:21:22 UTC 
I believe all fixed.
Comment 9 Swamp Workflow Management 2018-11-23 20:12:52 UTC 
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440
CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.22.1
Comment 10 Swamp Workflow Management 2018-12-11 10:03:56 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64180
Comment 11 Marcus Meissner 2019-01-14 08:10:25 UTC 
released