Bug 974448 (CVE-2016-3621)

Summary: VUL-1: CVE-2016-3621: tiff: Out-of-bounds Read in the bmp2tiff tool (lzw packing)
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: abergmann, meissner, mvetter, pgajdos, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/166616/
Whiteboard: CVSSv2:SUSE:CVE-2016-3621:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-3621:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2016-3621:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2016-3621:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) maint:released:sle10-sp3:64181
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: crash1.tif

Description Johannes Segitz 2016-04-07 09:11:00 UTC
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Read
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3621
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

LZWEncode function in tif_lzw.c in bmp2tiff allows attackers to cause a denial of service (Out-of-bounds Read) via a crafted bmp image with param -c lzw.


libtiff-master/libtiff/tif_lzw.c:915

910  */
911 PutNextCode(op, CODE_CLEAR);
912 ent = *bp++; cc--; incount++;
913 }
914 while (cc > 0) {
915 c = *bp++; cc--; incount++;
916 fcode = ((long)c << BITS_MAX) + ent;
917 h = (c << HSHIFT) ^ ent; /* xor hashing */


./bmp2tiff  -c lzw  ./sample/bmp2tiff_lzw.bmp 1.tif

=================================================================
==10455== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fbcd06d1c00 at pc 0x4827aa bp 0x7ffef81741d0 sp 0x7ffef81741c0
READ of size 1 at 0x7fbcd06d1c00 thread T0
    #0 0x4827a9 in LZWEncode /home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915
    #1 0x45665e in TIFFWriteScanline /home/dazhuang/asan/libtiff-master/libtiff/tif_write.c:173
    #2 0x40450f in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:775
    #3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
    #4 0x4019a8 in _start (/home/dazhuang/asan/libtiff-master/tools/bmp2tiff+0x4019a8)
0x7fbcd06d1c00 is located 0 bytes to the right of 1573888-byte region [0x7fbcd0551800,0x7fbcd06d1c00)
allocated by thread T0 here:
    #0 0x7fbccd563129 (/lib64/libasan.so.0+0x16129)
    #1 0x45b761 in _TIFFmalloc /home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:316
    #2 0x4037c3 in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:678
    #3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915 LZWEncode
Shadow bytes around the buggy address:
  0x0ff81a0d2330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff81a0d2380:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d2390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==10455== ABORTING

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3621
http://seclists.org/oss-sec/2016/q2/22
Comment 1 Swamp Workflow Management 2016-04-07 22:01:18 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-10-11 14:08:04 UTC
Created attachment 696789 [details]
crash1.tif

found by local afl run

QA REPRODUCER:

bmp2tiff  -c lzw crash1.tif output.tif
Comment 4 Alexander Bergmann 2016-11-23 17:17:30 UTC
http://bugzilla.maptools.org/show_bug.cgi?id=2565#c1

Closing as wontfix since bmp2tiff has been removed from libtiff
Comment 6 Petr Gajdos 2018-11-13 14:33:14 UTC
The same resolution as in bug 974446 comment 4:

(gdb) p length        
$1 = 32
(gdb) p j
$2 = 265
(gdb) p width 
$3 = 49184
(gdb) p length > j || width > j || length * width > j
$4 = 1
(gdb)

This is fixed by tiff-bmp2tiff.c-update.patch.
Comment 7 Petr Gajdos 2018-11-14 14:16:02 UTC
Will amend rpm changelog for: 11,10sp3/tiff.
Comment 8 Petr Gajdos 2018-11-14 14:21:30 UTC
I believe all fixed.
Comment 11 Swamp Workflow Management 2018-11-23 20:13:10 UTC
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440
CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.22.1
Comment 12 Swamp Workflow Management 2018-12-11 10:03:42 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64180
Comment 13 Marcus Meissner 2019-01-14 08:11:50 UTC
released