Bug 1019611 - (CVE-2017-5225) VUL-1: CVE-2017-5225: tiff: heap buffer overflow in tools/tiffcp via a crafted BitsPerSample value
(CVE-2017-5225)
VUL-1: CVE-2017-5225: tiff: heap buffer overflow in tools/tiffcp via a crafte...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/178484/
CVSSv2:SUSE:CVE-2017-5225:4.4:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-01-12 14:34 UTC by Andreas Stieger
Modified: 2019-08-16 15:20 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
poc (1.24 KB, application/zip)
2017-01-12 14:38 UTC, Andreas Stieger
Details
poc2 (1.24 KB, application/zip)
2017-01-12 14:43 UTC, Andreas Stieger
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2017-01-12 14:34:42 UTC
LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the
tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample
value.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5225
https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
http://bugzilla.maptools.org/show_bug.cgi?id=2657
http://bugzilla.maptools.org/show_bug.cgi?id=2656
Comment 1 Andreas Stieger 2017-01-12 14:38:22 UTC
Created attachment 709821 [details]
poc
Comment 2 Andreas Stieger 2017-01-12 14:41:35 UTC
The command:
./tiffcp -p contig poc.tiff output.tiff

Stacktrace(with ASAN):
=================================================================
==26086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4e00ef4 at pc 0x0804d69b bp 0xbfd49d68 sp 0xbfd49d58
READ of size 1 at 0xb4e00ef4 thread T0
    #0 0x804d69a in cpSeparate2ContigByRow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1144
    #1 0x804b31d in tiffcp /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:815
    #2 0x804b31d in main /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:304
    #3 0xb700e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #4 0x804c81b  (/media/sf_AFL_Dyninst_ADV/tiff/tiffcp-asan+0x804c81b)

0xb4e00ef4 is located 0 bytes to the right of 36-byte region [0xb4e00ed0,0xb4e00ef4)
allocated by thread T0 here:
    #0 0xb72b2dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x804d47f in cpSeparate2ContigByRow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1125
    #2 0xb700e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1144 cpSeparate2ContigByRow


Analysis:
This is a heap based buffer overflow that happens in the function "cpSeparate2ContigByRow"(line:1114) in tools/tiffcp.c.
The issue is that in the for loop at line 1143 in tiffcp.c, the varialbe 'imagewidth' can be larger than 'scanlinesizeout', which can lead to out of bound read.



This poc may only trigger if the package is built using ASAN.
CLI only -> VUL-1
Comment 3 Andreas Stieger 2017-01-12 14:43:13 UTC
Created attachment 709825 [details]
poc2

The command:
./tiffcp -p contig poc.tiff output.tiff

Stacktrace(with ASAN):
=================================================================
==26086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4e00ef4 at pc 0x0804d69b bp 0xbfd49d68 sp 0xbfd49d58
READ of size 1 at 0xb4e00ef4 thread T0
    #0 0x804d69a in cpSeparate2ContigByRow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1144
    #1 0x804b31d in tiffcp /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:815
    #2 0x804b31d in main /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:304
    #3 0xb700e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #4 0x804c81b  (/media/sf_AFL_Dyninst_ADV/tiff/tiffcp-asan+0x804c81b)

0xb4e00ef4 is located 0 bytes to the right of 36-byte region [0xb4e00ed0,0xb4e00ef4)
allocated by thread T0 here:
    #0 0xb72b2dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x804d47f in cpSeparate2ContigByRow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1125
    #2 0xb700e636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1144 cpSeparate2ContigByRow


Analysis:
This is a heap based buffer overflow that happens in the function "cpSeparate2ContigByRow"(line:1114) in tools/tiffcp.c.
The issue is that in the for loop at line 1143 in tiffcp.c, the varialbe 'imagewidth' can be larger than 'scanlinesizeout', which can lead to out of bound read.
Comment 4 Swamp Workflow Management 2017-01-12 23:00:29 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2017-02-13 14:08:31 UTC
SUSE-SU-2017:0453-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1019611,1022103
CVE References: CVE-2017-5225
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.7-40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.7-40.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.7-40.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.7-40.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.7-40.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.7-40.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.7-40.1
Comment 6 Swamp Workflow Management 2017-02-19 17:08:29 UTC
openSUSE-SU-2017:0512-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1019611,1022103
CVE References: CVE-2017-5225
Sources used:
openSUSE Leap 42.2 (src):    tiff-4.0.7-15.1
openSUSE Leap 42.1 (src):    tiff-4.0.7-15.1
Comment 7 Petr Gajdos 2018-06-04 09:35:12 UTC
BEFORE

12/tiff

$ valgrind -q tiffcp -p contig poc.tiff output.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 26996 (0x6974) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
poc.tiff: Error, can only handle BitsPerSample=8 in cpSeparate2ContigByRow.
$

$ valgrind -q tiffcp -p contig poc2.tiff output.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 26996 (0x6974) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
poc2.tiff: Error, can only handle BitsPerSample=8 in cpSeparate2ContigByRow.
$

11/tiff

$ valgrind -q tiffcp -p contig poc.tiff output.tiff
TIFFReadDirectory: Warning, poc.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 59650 for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 3 for "Group3Options"; tag ignored.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 261 for "XResolution"; tag ignored.
poc.tiff: Warning, incorrect count for field "XResolution" (4294045185, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 26996 (0x6974) encountered.
poc.tiff: Error fetching data for field "DocumentName".
poc.tiff: No space to fetch tag value.
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x4027B3: tiffcp (tiffcp.c:579)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684== 
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x402AB2: tiffcp (tiffcp.c:659)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684== 
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x405139: pickCopyFunc (tiffcp.c:1659)
==25684==    by 0x402EEF: tiffcp (tiffcp.c:731)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684== 
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x405140: pickCopyFunc (tiffcp.c:1659)
==25684==    by 0x402EEF: tiffcp (tiffcp.c:731)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684== 
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x403A50: cpSeparate2ContigByRow (tiffcp.c:1023)
==25684==    by 0x402F19: tiffcp (tiffcp.c:732)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684== 
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x4E480DA: find0span (tif_fax3.c:822)
==25684==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25684==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25684==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25684==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25684==    by 0x402F19: tiffcp (tiffcp.c:732)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684== 
==25684== Conditional jump or move depends on uninitialised value(s)
==25684==    at 0x4E480EF: find0span (tif_fax3.c:832)
==25684==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25684==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25684==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25684==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25684==    by 0x402F19: tiffcp (tiffcp.c:732)
==25684==    by 0x401DED: main (tiffcp.c:285)
==25684== 
==25684== Use of uninitialised value of size 8
==25684==    at 0x4E48143: find0span (tif_fax3.c:841)
==25684==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25684==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25684==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25684==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25684==    by 0x402F19: tiffcp (tiffcp.c:732)
==25684==    by 0x401DED: main (tiffcp.c:285)
TIFFReadDirectory: poc.tiff: Can not read TIFF directory count.
$

$ valgrind -q tiffcp -p contig poc2.tiff output.tiff
TIFFReadDirectory: Warning, poc2.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 59650 for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 3 for "Group3Options"; tag ignored.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 261 for "XResolution"; tag ignored.
poc2.tiff: Warning, incorrect count for field "XResolution" (4294045185, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 26996 (0x6974) encountered.
poc2.tiff: Error fetching data for field "DocumentName".
poc2.tiff: No space to fetch tag value.
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x4027B3: tiffcp (tiffcp.c:579)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688== 
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x402AB2: tiffcp (tiffcp.c:659)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688== 
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x405139: pickCopyFunc (tiffcp.c:1659)
==25688==    by 0x402EEF: tiffcp (tiffcp.c:731)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688== 
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x405140: pickCopyFunc (tiffcp.c:1659)
==25688==    by 0x402EEF: tiffcp (tiffcp.c:731)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688== 
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x403A50: cpSeparate2ContigByRow (tiffcp.c:1023)
==25688==    by 0x402F19: tiffcp (tiffcp.c:732)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688== 
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x4E480DA: find0span (tif_fax3.c:822)
==25688==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25688==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25688==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25688==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25688==    by 0x402F19: tiffcp (tiffcp.c:732)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688== 
==25688== Conditional jump or move depends on uninitialised value(s)
==25688==    at 0x4E480EF: find0span (tif_fax3.c:832)
==25688==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25688==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25688==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25688==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25688==    by 0x402F19: tiffcp (tiffcp.c:732)
==25688==    by 0x401DED: main (tiffcp.c:285)
==25688== 
==25688== Use of uninitialised value of size 8
==25688==    at 0x4E48143: find0span (tif_fax3.c:841)
==25688==    by 0x4E47E14: Fax3Encode1DRow (tif_fax3.c:934)
==25688==    by 0x4E48854: Fax3Encode (tif_fax3.c:1044)
==25688==    by 0x4E6FA4C: TIFFWriteScanline (tif_write.c:167)
==25688==    by 0x403A6A: cpSeparate2ContigByRow (tiffcp.c:1038)
==25688==    by 0x402F19: tiffcp (tiffcp.c:732)
==25688==    by 0x401DED: main (tiffcp.c:285)
TIFFReadDirectory: poc2.tiff: Can not read TIFF directory count.
$

PATCH

see comment 0
12/tiff: has the change already in
10sp3,11/tiff: patch is required

AFTER

11/tiff

$ valgrind -q tiffcp -p contig poc.tiff output.tiff
TIFFReadDirectory: Warning, poc.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 59650 for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 3 for "Group3Options"; tag ignored.
TIFFReadDirectory: Warning, poc.tiff: wrong data type 261 for "XResolution"; tag ignored.
poc.tiff: Warning, incorrect count for field "XResolution" (4294045185, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, poc.tiff: unknown field with tag 26996 (0x6974) encountered.
poc.tiff: Error fetching data for field "DocumentName".
poc.tiff: No space to fetch tag value.
==17541== Conditional jump or move depends on uninitialised value(s)
==17541==    at 0x4027BF: tiffcp (tiffcp.c:579)
==17541==    by 0x401DED: main (tiffcp.c:285)
poc.tiff: Error, can only handle BitsPerSample=8 in cpSeparate2ContigByRow.
$

$ valgrind -q tiffcp -p contig poc2.tiff output.tiff
TIFFReadDirectory: Warning, poc2.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 233 (0xe9) encountered.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 59650 for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 3 for "Group3Options"; tag ignored.
TIFFReadDirectory: Warning, poc2.tiff: wrong data type 261 for "XResolution"; tag ignored.
poc2.tiff: Warning, incorrect count for field "XResolution" (4294045185, expecting 1); tag trimmed.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, poc2.tiff: unknown field with tag 26996 (0x6974) encountered.
poc2.tiff: Error fetching data for field "DocumentName".
poc2.tiff: No space to fetch tag value.
==17546== Conditional jump or move depends on uninitialised value(s)
==17546==    at 0x4027BF: tiffcp (tiffcp.c:579)
==17546==    by 0x401DED: main (tiffcp.c:285)
poc2.tiff: Error, can only handle BitsPerSample=8 in cpSeparate2ContigByRow.
$
Comment 8 Petr Gajdos 2018-06-04 09:35:56 UTC
Will submit for 11/tiff and 10sp3/tiff.
Comment 9 Petr Gajdos 2018-06-04 10:42:27 UTC
Added also tiffcp.c's part of:
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b
Comment 10 Petr Gajdos 2018-06-06 11:32:13 UTC
This bug should be fixed by current submission.
Comment 12 Swamp Workflow Management 2018-06-19 12:14:17 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-07-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64065
Comment 13 Swamp Workflow Management 2018-06-28 13:11:10 UTC
SUSE-SU-2018:1835-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007276,1011839,1011846,1017689,1017690,1019611,1031263,1082332,1082825,1086408,974621
CVE References: CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-10266,CVE-2016-3632,CVE-2016-5318,CVE-2016-8331,CVE-2016-9535,CVE-2016-9540,CVE-2017-11613,CVE-2017-5225,CVE-2018-7456,CVE-2018-8905
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.9.1
Comment 14 Marcus Meissner 2019-01-14 08:23:00 UTC
released