Bug 975070 (CVE-2016-3991)

Summary: VUL-0: CVE-2016-3991: tiff: out-of-bounds write in loadImage() in tiffcrop tool
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Fridrich Strba <fstrba>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: abergmann, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2016-3991:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-3991:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-3991:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: CVE-2016-3991.tiff

Description Johannes Segitz 2016-04-12 08:37:08 UTC 
Details
============

Product: libtiff
Affected Versions: <= 4.0.6
CVE ID: CVE-2016-3991
Tested system: CentOS Linux release 7.1.1503 64bit
Vulnerability Type: out-of-bounds write
Vendor URL: http://www.remotesensing.org/libtiff/
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
============

An Out-of-bounds write caused by heap overflow when using tiffcrop tool, the vuln is in loadImage() function in tiffcrop.c. loadImage() will read the numbers of tiles by calling
TIFFNumberOfTiles().

However, if the numbers of tiles is 0, loadImage() will still read tile data by calling readContigTilesIntoBuffer() from the image, regardless of the numbers. In that case, loadImage() will
allocate 3 bytes heap to store a tile data, heap overflow occurs if a tile data beyond 3 bytes, and the coverd memory could be controled. It will cause denial-of-service or may command excution when freeing the coverd heap memory..


Source info
============
5941    readunit = TILE;
5942    tlsize = TIFFTileSize(in);
5943    ntiles = TIFFNumberOfTiles(in);
5944    TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw);
5945    TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
5947    tile_rowsize  = TIFFTileRowSize(in);
5948       buffsize = tlsize * ntiles;
… …
6015       if (!read_buff)
6016              read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
… …
6071       if (!(readContigTilesIntoBuffer(in, read_buff, length, width, tw, tl, spp, bps)))
6072       {
6073              TIFFError("loadImage", "Unable to read contiguous tiles into buffer");
6074              return (-1);
6075       }

Debug info
============
gdb  --args  tiffcrop  _TIFFfree.tif  src1.tif tmpout.tif
……
(gdb) b tif_dirread.c:4758
(gdb) c

Breakpoint 1, TIFFFetchNormalTag (tif=tif@entry=0x80aa008, dp=dp@entry=0x80aa42c, recover=recover@entry=1) at tif_dirread.c:4758
4758                                                                           o=_TIFFmalloc((uint32)dp->tdir_count+1);
(gdb) n
4759                                                                 if (o==NULL)
(gdb) p o
$9 = (uint8 *) 0x80aa7e0 ""
(gdb)b tif_dirread.c:1917
(gdb) c
Continuing.

Breakpoint 2, TIFFReadDirEntryLong8Array (tif=tif@entry=0x80aa008, direntry=0x80aa454, value=value@entry=0xbfff984c) at tif_dirread.c:1917
1917                   data=(uint64*)_TIFFmalloc(count*8);
(gdb) n
1918                   if (data==0)
(gdb) p data
$13 = (uint64 *) 0x80aa800
(gdb) b tif_unix.c:340
(gdb) c

Breakpoint 3, _TIFFmemcpy (d=0x80aa7e0, s=0x80aa800, c=1088) at tif_unix.c:340
340            memcpy(d, s, (size_t) c);
(gdb) x/16xw d
0x80aa7e0:      0x00000000     0xb7d917b8     0x00000010     0x00000011
0x80aa7f0:       0x00000001     0x00000000     0x00000000     0x00000449
0x80aa800:      0x00000000     0xb7d918f0      0x00000010     0x00000138
0x80aa810:      0xa0002a49     0x80000000     0x3850e03f      0x20860924
(gdb) finish
(gdb) x/16xw 0x80aa7e0
0x80aa7e0:      0x00000000     0xb7d918f0      0x00000010     0x00000138
0x80aa7f0:       0xa0002a49     0x80000000     0x3850e03f      0x20860924
0x80aa800:      0x83d0bf00      0x000207e1     0xe1bf2a00      0xfd9bf78f
0x80aa810:      0x440050f8      0x89c2afe2      0x8d029f44      0x488063c7

(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xb7c3f6d7 in __GI___libc_free (mem=0x80aa800) at malloc.c:2968
2968           ar_ptr = arena_for_chunk (p);
(gdb) bt
#0  0xb7c3f6d7 in __GI___libc_free (mem=0x80aa800) at malloc.c:2968
#1  0xb7faa8f8 in _TIFFfree (p=0x80aa800) at tif_unix.c:322
#2  0x0807d54c in readContigTilesIntoBuffer (in=in@entry=0x80aa008, buf=buf@entry=0x80aa7e0 "", imagelength=65536, imagewidth=544, tw=544, tl=1, spp=1, bps=16) at tiffcrop.c:830
#3  0x0804fe00 in loadImage (read_ptr=0xbfff9ab8, dump=0xbfffd2b4, image=0xbfff9aec, in=<optimized out>) at tiffcrop.c:6071
#4  main (argc=4, argv=0xbffff394) at tiffcrop.c:2278
Comment 1 Swamp Workflow Management 2016-04-12 22:00:28 UTC 
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-09-09 12:10:43 UTC 
openSUSE-SU-2016:2275-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE 13.2 (src):    tiff-4.0.6-10.29.1
Comment 3 Swamp Workflow Management 2016-09-25 10:09:30 UTC 
openSUSE-SU-2016:2375-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070,984808,984831,984837,984842,987351
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.1 (src):    tiff-4.0.6-8.25.1
Comment 4 Swamp Workflow Management 2016-10-12 13:15:44 UTC 
SUSE-SU-2016:2508-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.6-31.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.6-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.6-31.1
Comment 5 Marcus Meissner 2016-10-13 13:18:22 UTC 
Created attachment 697211 [details]
CVE-2016-3991.tiff

QA REPRODUCER: 

tiffcrop CVE-2016-3991.tiff output.tiff

should not report free errors or backtraces
Comment 6 Swamp Workflow Management 2016-10-13 15:10:08 UTC 
openSUSE-SU-2016:2525-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE Leap 42.1 (src):    tiff-4.0.6-9.1
Comment 7 Alexander Bergmann 2016-11-23 16:10:54 UTC 
The loadImage function only exists on SLE-12 and current openSUSE systems.
Comment 8 Alexander Bergmann 2016-11-23 16:11:17 UTC 
Closing as fixed.