Bug 974449 (CVE-2016-3622)

Summary: VUL-1: CVE-2016-3622: tiff: Divide By Zero in the tiff2rgba tool
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Fridrich Strba <fstrba>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: astieger, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/166615/
Whiteboard: CVSSv2:SUSE:CVE-2016-3622:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-3622:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) maint:running:63129:moderate CVSSv2:NVD:CVE-2016-3622:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-3622:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2016-04-07 09:11:43 UTC
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Divide By Zero
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3622
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

Division by zero occurs in the fpAcc function in tif_predict.c in tiff2rgba allows attackers to cause a denial of service via a crafted TIFF image.


libtiff-master/libtiff/tif_predict.c:381.

377 fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
378 {
379         tmsize_t stride = PredictorState(tif)->stride;
380         uint32 bps = tif->tif_dir.td_bitspersample / 8;
381         tmsize_t wc = cc / bps;
382         tmsize_t count = cc;
383         uint8 *cp = (uint8 *) cp0;
384         uint8 *tmp = (uint8 *)_TIFFmalloc(cc);


gdb tiff2rgba

(gdb) r sample/tiff2rgba_1.tif  1.tif
Starting program: /usr/local/bin/tiff2rgba sample/tiff2rgba_1.tif  1.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
sample/tiff2rgba_1.tif: Warning, Nonstandard tile length 1, convert file.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7baffe0 in fpAcc (tif=0x604930, cp0=0x6056b0 "", cc=4) at tif_predict.c:381
381             tmsize_t wc = cc / bps;
(gdb) p bps
$1 = 0
(gdb) bt
#0  0x00007ffff7baffe0 in fpAcc (tif=0x604930, cp0=0x6056b0 "", cc=4) at tif_predict.c:381
#1  0x00007ffff7bb0457 in PredictorDecodeTile (tif=0x604930, op0=0x6056b0 "", occ0=4, s=0) at tif_predict.c:453
#2  0x00007ffff7bb4f9f in TIFFReadEncodedTile (tif=0x604930, tile=0, buf=0x6056b0, size=4) at tif_read.c:668
#3  0x00007ffff7bb4e87 in TIFFReadTile (tif=0x604930, buf=0x6056b0, x=0, y=0, z=0, s=0) at tif_read.c:641
#4  0x00007ffff7b972f1 in gtTileContig (img=0x7fffffffdd90, raster=0x605940, w=32, h=32) at tif_getimage.c:661
#5  0x00007ffff7b96ce7 in TIFFRGBAImageGet (img=0x7fffffffdd90, raster=0x605940, w=32, h=32) at tif_getimage.c:500
#6  0x00007ffff7b96ddd in TIFFReadRGBAImageOriented (tif=0x604930, rwidth=32, rheight=32, raster=0x605940, orientation=1, stop=0)
    at tif_getimage.c:519
#7  0x000000000040196c in cvt_whole_image (in=0x604930, out=0x604010) at tiff2rgba.c:386
#8  0x0000000000401e6d in tiffcvt (in=0x604930, out=0x604010) at tiff2rgba.c:504
#9  0x00000000004011b5 in main (argc=3, argv=0x7fffffffe418) at tiff2rgba.c:126

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622
http://seclists.org/oss-sec/2016/q2/23
http://bugzilla.maptools.org/buglist.cgi?product=libtiff
Comment 1 Swamp Workflow Management 2016-04-07 22:01:30 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-10-06 10:01:19 UTC
i am running an afl session, perhaps i can find it ;)
Comment 4 Swamp Workflow Management 2016-10-12 13:14:57 UTC
SUSE-SU-2016:2508-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.6-31.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.6-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.6-31.1
Comment 6 Swamp Workflow Management 2016-10-13 15:09:16 UTC
openSUSE-SU-2016:2525-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE Leap 42.1 (src):    tiff-4.0.6-9.1
Comment 7 Swamp Workflow Management 2016-10-13 15:10:25 UTC
openSUSE-SU-2016:2526-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 974449
CVE References: CVE-2016-3622
Sources used:
openSUSE 13.2 (src):    tiff-4.0.6-10.32.1
Comment 8 Swamp Workflow Management 2016-10-13 15:11:19 UTC
SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.168.1
Comment 9 Swamp Workflow Management 2016-10-14 17:10:37 UTC
openSUSE-SU-2016:2544-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 974449
CVE References: CVE-2016-3622
Sources used:
openSUSE 13.1 (src):    tiff-4.0.6-8.28.1
Comment 10 Swamp Workflow Management 2016-12-07 14:10:15 UTC
openSUSE-SU-2016:3035-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2015-7554,CVE-2015-8665,CVE-2015-8683,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE 13.2 (src):    tiff-4.0.7-10.35.1
Comment 11 Swamp Workflow Management 2016-12-29 23:17:00 UTC
SUSE-SU-2016:3301-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.7-35.1
Comment 12 Swamp Workflow Management 2017-01-08 00:18:08 UTC
openSUSE-SU-2017:0074-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE Leap 42.2 (src):    tiff-4.0.7-12.1
openSUSE Leap 42.1 (src):    tiff-4.0.7-12.1