Bug 974618 (CVE-2016-3623)

Summary: VUL-1: CVE-2016-3623: tiff: Divide By Zero in the rgb2ycbcr tool
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Fridrich Strba <fstrba>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: abergmann, astieger, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/166799/
Whiteboard: CVSSv2:SUSE:CVE-2016-3623:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-3623:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) maint:running:63129:moderate CVSSv2:NVD:CVE-2016-3623:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-3623:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: not_kitty.tiff

Description Johannes Segitz 2016-04-08 08:18:41 UTC
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Divide By Zero
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3623
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

A division by zero in rgb2ycbcr in libtiff-4.0.6 allows attackers to cause a denial of service when the parameter v or the parameter h is set to 0.


libtiff-master/libtiff/rgb2ycbcr.c:256-257

250 cvtRaster(TIFF* tif, uint32* raster, uint32 width, uint32 height)
251 {
252         uint32 y;
253         tstrip_t strip = 0;
254         tsize_t cc, acc;
255         unsigned char* buf;
256         uint32 rwidth = roundup(width, horizSubSampling);
257         uint32 rheight = roundup(height, vertSubSampling);
258         uint32 nrows = (rowsperstrip > rheight ? rheight : rowsperstrip);


gdb rgb2ycbcr

(gdb) r -c zip  -r 0  -h 2  -v 0 ./sample/rgb2ycbcr_cvtRaster.tif 1.tif

Program received signal SIGFPE, Arithmetic exception.
0x00000000004017cd in cvtRaster (tif=0x604010, raster=0x7ffff4cab010, width=65312, height=152) at rgb2ycbcr.c:257
257             uint32 rheight = roundup(height, vertSubSampling);
(gdb) p height
$1 = 152
(gdb) p vertSubSampling
$2 = 0

(gdb) r -c zip  -r 0  -h 0  -v 2 ./sample/rgb2ycbcr_cvtRaster.tif 1.tif

Program received signal SIGFPE, Arithmetic exception.
0x0000000000401798 in cvtRaster (tif=0x604010, raster=0x7ffff4cab010, width=65312, height=152) at rgb2ycbcr.c:256
256             uint32 rwidth = roundup(width, horizSubSampling);
(gdb) p width
$3 = 65312
(gdb) p horizSubSampling
$4 = 0


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623
http://seclists.org/oss-sec/2016/q2/27
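Added example, not libtiff's code and not the upstream fix (which this report does not quote): the trap above is the roundup() macro at rgb2ycbcr.c:256-257 dividing by a subsampling factor that the tool took straight from the -h/-v arguments, so "-v 0" reaches the division as 0. The program below reproduces the howmany()/roundup() macros as I recall them from rgb2ycbcr.c (an assumption) and puts in front of them the check a practitioner would want: accept only the YCbCrSubsampling factors the TIFF 6.0 specification permits (1, 2 or 4) and exit with a usage error instead of SIGFPE. The 65312x152 dimensions are those from the gdb session; valid_subsampling, parse_subsampling and padded_dim are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * The two macros rgb2ycbcr.c uses for rwidth/rheight, reproduced here as
 * assumed (the report does not quote them). howmany() divides by y, so
 * y == 0 raises SIGFPE on x86: the trap seen at rgb2ycbcr.c:256-257.
 */
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#define roundup(x, y) (howmany(x, y) * ((uint32_t)(y)))

/*
 * TIFF 6.0 permits YCbCrSubsampling factors of 1, 2 or 4 only. Checking
 * against that set rejects 0 (the crash input) and every other odd value.
 * Hypothetical helper, not libtiff's own code.
 */
static int valid_subsampling(long factor)
{
    return factor == 1 || factor == 2 || factor == 4;
}

/*
 * Replacement for a bare atoi() on the -h / -v arguments: reject
 * non-numeric or out-of-set values instead of letting them become 0.
 * Returns the factor, or -1 on rejection.
 */
static long parse_subsampling(const char *arg)
{
    char *end = NULL;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    v = strtol(arg, &end, 10);
    if (*end != '\0' || !valid_subsampling(v))
        return -1;
    return v;
}

/*
 * Guarded form of `roundup(width, horizSubSampling)`: returns the padded
 * dimension, or -1 instead of dividing when the factor is not legal.
 */
static long padded_dim(uint32_t dim, long factor)
{
    if (!valid_subsampling(factor))
        return -1;
    return (long)roundup(dim, (uint32_t)factor);
}

/* Stand-alone driver mimicking `rgb2ycbcr -h H -v V` on the report's 65312x152 raster. */
int main(int argc, char **argv)
{
    const char *h_arg = argc > 1 ? argv[1] : "2";   /* the tool's default factor is 2 */
    const char *v_arg = argc > 2 ? argv[2] : "2";
    long h = parse_subsampling(h_arg);
    long v = parse_subsampling(v_arg);

    if (h < 0 || v < 0) {
        fprintf(stderr, "rgb2ycbcr: subsampling factors must be 1, 2 or 4 "
                        "(got -h %s -v %s)\n", h_arg, v_arg);
        return 2;  /* usage error rather than SIGFPE */
    }
    printf("rwidth=%ld rheight=%ld\n",
           padded_dim(65312, h), padded_dim(152, v));
    return 0;
}
```

Run as `./a.out 2 0` to see the report's "-h 2 -v 0" case turned into a usage error; the validation happens at argument parsing, so the macros never see a zero divisor.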
Comment 1 Swamp Workflow Management 2016-04-08 22:00:54 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-09-09 12:10:25 UTC
openSUSE-SU-2016:2275-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE 13.2 (src):    tiff-4.0.6-10.29.1
Comment 3 Swamp Workflow Management 2016-09-25 10:09:10 UTC
openSUSE-SU-2016:2375-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070,984808,984831,984837,984842,987351
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.1 (src):    tiff-4.0.6-8.25.1
Comment 4 Marcus Meissner 2016-10-06 12:03:21 UTC
Created attachment 696168 [details]
not_kitty.tiff

QA REPRODUCER:

(tiff can be any tiff file actually. The argument handling is buggy.)


rgb2ycbcr -c zip  -r 0  -h 2  -v 0 not_kitty.tiff 1.tif

TIFFScanlineSize64: Invalid YCbCr subsampling.

BAD:
Floating point exception

GOOD: 
no floating point exception
Comment 5 Swamp Workflow Management 2016-10-12 13:15:22 UTC
SUSE-SU-2016:2508-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.6-31.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.6-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.6-31.1
Comment 7 Swamp Workflow Management 2016-10-13 15:09:41 UTC
openSUSE-SU-2016:2525-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE Leap 42.1 (src):    tiff-4.0.6-9.1
Comment 8 Swamp Workflow Management 2016-10-13 15:11:40 UTC
SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.168.1